fix: always require perms for high-risk modules

sandworm-hq · Sep 6, 2022 · f9e9b21 · f9e9b21
1 parent dd2313b
commit f9e9b21
Show file tree

Hide file tree

Showing 2 changed files with 19 additions and 1 deletion.
diff --git a/src/module.js b/src/module.js
@@ -194,7 +194,7 @@ export const isModuleAllowedToExecute = ({
   directCaller,
   lastModuleCaller,
 }) => {
-  if (directCaller?.module?.startsWith?.('node:')) {
+  if (directCaller?.module?.startsWith?.('node:') && !method.needsExplicitPermission) {
     logger.debug(
       '-> call has been allowed',
       lastModuleCaller

diff --git a/tests/unit/module.test.js b/tests/unit/module.test.js
@@ -118,6 +118,15 @@ describe('module', () => {
         method: {name: 'method', needsExplicitPermission: true},
         directCaller: {module: 'node:internal'},
       }),
+    ).toBeFalsy();
+
+    expect(
+      isModuleAllowedToExecute({
+        module: 'imate>one',
+        family: {name: 'imate'},
+        method: {name: 'method'},
+        directCaller: {module: 'node:internal'},
+      }),
     ).toBeTruthy();
 
     expect(
@@ -128,6 +137,15 @@ describe('module', () => {
       }),
     ).toBeFalsy();
 
+    expect(
+      isModuleAllowedToExecute({
+        module: 'imate>two',
+        family: {name: 'imate'},
+        method: {name: 'method'},
+        directCaller: {module: 'node:internal'},
+      }),
+    ).toBeTruthy();
+
     expect(
       isModuleAllowedToExecute({
         module: 'imate>two',