From d0a4740f7ab7b024593ab9681115f22b1b7aa00b Mon Sep 17 00:00:00 2001
From: Yoshiya Hinosawa <stibium121@gmail.com>
Date: Thu, 6 Feb 2025 17:54:07 +0900
Subject: [PATCH] check net permission with hostname parameter

---
 ext/node/lib.rs     |  2 +-
 ext/node/ops/dns.rs | 38 +++++++++++++++++++++++++++-----------
 2 files changed, 28 insertions(+), 12 deletions(-)

diff --git a/ext/node/lib.rs b/ext/node/lib.rs
index 9359f55980e8bc..9fb73bf60936ed 100644
--- a/ext/node/lib.rs
+++ b/ext/node/lib.rs
@@ -312,7 +312,7 @@ deno_core::extension!(deno_node,
     ops::crypto::x509::op_node_x509_get_serial_number,
     ops::crypto::x509::op_node_x509_key_usage,
     ops::crypto::x509::op_node_x509_public_key,
-    ops::dns::op_getaddrinfo,
+    ops::dns::op_getaddrinfo<P>,
     ops::fs::op_node_fs_exists_sync<P>,
     ops::fs::op_node_fs_exists<P>,
     ops::fs::op_node_cp_sync<P>,
diff --git a/ext/node/ops/dns.rs b/ext/node/ops/dns.rs
index 5342f7897dec66..1a8e5b95fe5e44 100644
--- a/ext/node/ops/dns.rs
+++ b/ext/node/ops/dns.rs
@@ -1,8 +1,13 @@
 // Copyright 2018-2025 the Deno authors. MIT license.
 
+use std::cell::RefCell;
+use std::rc::Rc;
 use std::str::FromStr;
 
 use deno_core::op2;
+use deno_core::OpState;
+use deno_error::JsError;
+use deno_permissions::PermissionCheckError;
 use hyper_util::client::legacy::connect::dns::GaiResolver;
 use hyper_util::client::legacy::connect::dns::Name;
 use serde::Serialize;
@@ -15,26 +20,37 @@ struct GetAddrInfoResult {
   address: String,
 }
 
-#[derive(Debug, thiserror::Error, deno_error::JsError)]
-#[class(generic)]
-#[error("Could not resolve the hostname '{hostname}'")]
-pub struct GetAddrInfoError {
-  hostname: String,
+#[derive(Debug, thiserror::Error, JsError)]
+pub enum GetAddrInfoError {
+  #[class(inherit)]
+  #[error(transparent)]
+  Permission(#[from] PermissionCheckError),
+  #[class(type)]
+  #[error("Could not resolve the hostname \"{0}\"")]
+  Resolution(String),
 }
 
 #[op2(async, stack_trace)]
 #[serde]
-pub async fn op_getaddrinfo(
+pub async fn op_getaddrinfo<P>(
+  state: Rc<RefCell<OpState>>,
   #[string] hostname: String,
-) -> Result<Vec<GetAddrInfoResult>, GetAddrInfoError> {
+) -> Result<Vec<GetAddrInfoResult>, GetAddrInfoError>
+where
+  P: crate::NodePermissions + 'static,
+{
+  {
+    let mut state_ = state.borrow_mut();
+    let permissions = state_.borrow_mut::<P>();
+    permissions.check_net((hostname.as_str(), None), "lookup")?;
+  }
   let mut resolver = GaiResolver::new();
-  let name = Name::from_str(&hostname).map_err(|_| GetAddrInfoError {
-    hostname: hostname.clone(),
-  })?;
+  let name = Name::from_str(&hostname)
+    .map_err(|_| GetAddrInfoError::Resolution(hostname.clone()))?;
   resolver
     .call(name)
     .await
-    .map_err(|_| GetAddrInfoError { hostname })
+    .map_err(|_| GetAddrInfoError::Resolution(hostname))
     .map(|addrs| {
       addrs
         .into_iter()