Permissions - prevent importing code #56633

Open
2 tasks done
vdeturckheim opened this issue Jan 16, 2025 · 3 comments
Labels
permission Issues and PRs related to the Permission Model

Comments

@vdeturckheim
Member

Node.js Version

v22.8.0

NPM Version

10.8.2

Operating System

macos

Subsystem

Other

Description

Follow up of https://x.com/_rafaelgss/status/1879706390966804841

Would the permission API allow me to fine tune which imports are allowed in a nodejs process?
I want to run code that would only be allowed to import a certain list of npm packages but not read/import anything else from the file system.

For instance, I would allow arbitrary code to run and import lodash but I don't want it to be able to import the code I use to spawn the child process running the arbitrary code.

Minimal Reproduction

No response

Output

No response

Before You Submit

  • I have looked for issues that already exist before submitting this
  • My issue follows the guidelines in the README file, and follows the 'How to ask a good question' guide at https://stackoverflow.com/help/how-to-ask
@RafaelGSS
Member

I'll take a look at it tomorrow. Thanks for the issue

@vdeturckheim
Member Author

Thaaaanks!

@RafaelGSS
Member

Although the Permission Model doesn't impose an explicit guarantee (per thread model) to access the file system outside of node:fs module, I think it might work in the way you would like. See this example:

```js
// index.js
const { Suite } = require('bench-node')
const fs = require('node:fs')
const assert = require('node:assert')

// Allowed: everything under ./node_modules/ is readable, so the package loads.
assert.ok(Suite)
assert.ok(fs.readFileSync('./node_modules/bench-node/lib/index.js'))

// Denied: ./not-allowed.js is outside the --allow-fs-read grants.
assert.throws(() => {
  require('./not-allowed.js')
}, {
  permission: 'FileSystemRead'
})

assert.throws(() => {
  fs.readFileSync('./not-allowed.js');
}, {
  permission: 'FileSystemRead'
})

assert.rejects(async () => {
  await import('./not-allowed.js')
}, {
  permission: 'FileSystemRead'
})
```

```console
$ mkdir pm-fs-test
$ cd pm-fs-test && npm init -y && npm i -S bench-node
$ node --permission --allow-fs-read=./index.js --allow-fs-read=./node_modules/ index.js
```

This is the behavior you would like, right?

RafaelGSS transferred this issue from nodejs/help on Jan 16, 2025.
RafaelGSS added the permission label (Issues and PRs related to the Permission Model) on Jan 16, 2025.
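An added example, not code from the thread or from Node.js: a parent-side helper that turns a package allow-list into the `--permission` / `--allow-fs-read` arguments used in the command above, so the spawner's own files never fall inside a read grant. `buildPermissionArgs` and `runSandboxed` are hypothetical names, and granting one directory per package (instead of all of `./node_modules/` as in the thread) is an assumption to verify on the Node.js version in use; transitive dependencies would each need their own entry.

```javascript
const path = require('node:path');
const { spawnSync } = require('node:child_process');

// npm-style names only: optional "@scope/" prefix, no "." or ".." segments,
// no additional slashes. This keeps an allow-list entry from naming a path
// outside node_modules (for example "../spawner").
const PACKAGE_NAME = /^(@[a-z0-9~-][a-z0-9._~-]*\/)?[a-z0-9~-][a-z0-9._~-]*$/;

// Hypothetical helper: returns the argv for the sandboxed child process.
function buildPermissionArgs(projectRoot, entryFile, allowedPackages) {
  const root = path.resolve(projectRoot);
  const entry = path.resolve(root, entryFile);
  // The untrusted entry file must live inside the sandbox root.
  if (!entry.startsWith(root + path.sep)) {
    throw new Error(`entry file escapes project root: ${entryFile}`);
  }
  const args = ['--permission', `--allow-fs-read=${entry}`];
  for (const name of allowedPackages) {
    if (!PACKAGE_NAME.test(name)) {
      throw new Error(`not a plain package name: ${name}`);
    }
    // Trailing separator: grant the package directory, in the same form as
    // --allow-fs-read=./node_modules/ in the thread.
    const dir = path.join(root, 'node_modules', name) + path.sep;
    args.push(`--allow-fs-read=${dir}`);
  }
  args.push(entry);
  return args;
}

// Hypothetical helper: runs the untrusted entry file under the grants above.
function runSandboxed(projectRoot, entryFile, allowedPackages) {
  const args = buildPermissionArgs(projectRoot, entryFile, allowedPackages);
  // cwd is the sandbox root so relative specifiers resolve against it.
  return spawnSync(process.execPath, args, {
    cwd: path.resolve(projectRoot),
    encoding: 'utf8',
  });
}
```

Keep the spawner script outside `projectRoot`, so that no grant covers it.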