Skip to content

permission: add --allow-env flag for environment variable access control#62827

Open
nabeel378 wants to merge 6 commits intonodejs:mainfrom
nabeel378:feat/permission-allow-env-flag
Open

permission: add --allow-env flag for environment variable access control#62827
nabeel378 wants to merge 6 commits intonodejs:mainfrom
nabeel378:feat/permission-allow-env-flag

Conversation

@nabeel378
Copy link
Copy Markdown
Contributor

@nabeel378 nabeel378 commented Apr 19, 2026

Adds --allow-env permission flag to control access to environment
variables when the permission model is enabled (--permission).

Supported usage:

  • --allow-env — grants access to all environment variables
  • --allow-env=HOME,PATH — grants access only to specified variables

When --permission is enabled without --allow-env, all calls to
process.env will throw ERR_ACCESS_DENIED.

Fixes: #62424

@nodejs-github-bot
Copy link
Copy Markdown
Collaborator

nodejs-github-bot commented Apr 19, 2026

Review requested:

  • @nodejs/config
  • @nodejs/gyp
  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run. labels Apr 19, 2026
@nabeel378 nabeel378 marked this pull request as draft April 19, 2026 10:23
@nabeel378 nabeel378 force-pushed the feat/permission-allow-env-flag branch from 9c74582 to f3544f8 Compare April 19, 2026 11:26
@nabeel378
permission,doc: fix --allow-env docs and expand test coverage
c54086a 
Signed-off-by: nabeel378 <mohammadnabeeljameel@gmail.com>
@nabeel378 nabeel378 marked this pull request as ready for review April 19, 2026 12:59
@nabeel378
permission: refactor permission checks and improve test assertions fo…
b6a89cf 
…r environment variables

Signed-off-by: nabeel378 <mohammadnabeeljameel@gmail.com>
@codecov
Copy link
Copy Markdown

codecov bot commented Apr 19, 2026
edited
Loading

Codecov Report

❌ Patch coverage is 92.06349% with 5 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.60%. Comparing base (58a8e1d) to head (cba1261).
⚠️ Report is 2 commits behind head on main.

Files with missing lines Patch % Lines
src/node_env_var.cc 87.09% 0 Missing and 4 partials ⚠️
src/permission/env_var_permission.cc 95.00% 0 Missing and 1 partial ⚠️
Additional details and impacted files 
@@            Coverage Diff             @@
##             main   #62827      +/-   ##
==========================================
- Coverage   89.69%   89.60%   -0.09%     
==========================================
  Files         706      708       +2     
  Lines      218222   219199     +977     
  Branches    41768    42002     +234     
==========================================
+ Hits       195731   196422     +691     
- Misses      14411    14655     +244     
- Partials     8080     8122      +42
Files with missing lines Coverage Δ
lib/internal/process/permission.js 100.00% <100.00%> (ø)
src/env.cc 85.27% <100.00%> (-0.19%) ⬇️
src/node_options.cc 76.53% <100.00%> (+0.02%) ⬆️
src/node_options.h 97.98% <ø> (ø)
src/permission/env_var_permission.h 100.00% <100.00%> (ø)
src/permission/permission.cc 81.92% <100.00%> (+0.33%) ⬆️
src/permission/permission.h 100.00% <ø> (ø)
src/permission/env_var_permission.cc 95.00% <95.00%> (ø)
src/node_env_var.cc 82.08% <87.09%> (-0.13%) ⬇️

... and 35 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@nabeel378
permission: fix env var default behavior and add manpage docs
cba1261 
Signed-off-by: nabeel378 <mohammadnabeeljameel@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. lib / src Issues and PRs related to general changes in the lib or src directory. needs-ci PRs that need a full CI run.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add --allow-env flag to Permission Model for restricting environment variable access

2 participants

@nabeel378 @nodejs-github-bot