src,permission: add --allow-net permission

[RafaelGSS]

This pull request introduces the experimental --allow-net CLI flag, extending Node.js's Permission Model to manage network access explicitly. When enabled, processes require explicit permission to access network resources.

For now, let's flag it as semver-major because for actual users of Permission Model, this will be a breaking change (requiring them to pass --allow-net to get back to the current behaviour).

This initial implementation is a boolean; either you allow network access (inbound and outgoing) or you don't. I will check how feasible it is to make it more granular (e.g: --allow-net="https://nodejs.org")

Notable Change

The Permission Model now gets an extension to check network access (HTTP, HTTPS, DNS, TCP and UDP) and a new flag to allow it (--allow-net).

$ node --permission --allow-net index.js

[nodejs-github-bot]

Review requested:

• @nodejs/config
• @nodejs/gyp
• @nodejs/net
• @nodejs/security-wg

[geeksilva97]

🚀

[mcollina]

Is this emitting a warning?

[RafaelGSS]

Is this emitting a warning?

Now, it is 😄

[codecov]

Codecov Report

Attention: Patch coverage is 74.41860% with 22 lines in your changes missing coverage. Please review.

Project coverage is 90.13%. Comparing base (563be01) to head (062d335).
Report is 273 commits behind head on main.

Files with missing lines	Patch %	Lines
lib/internal/process/pre_execution.js	8.33%	11 Missing ⚠️
src/cares_wrap.h	82.35%	0 Missing and 3 partials ⚠️
src/tcp_wrap.cc	0.00%	0 Missing and 3 partials ⚠️
src/udp_wrap.cc	50.00%	0 Missing and 3 partials ⚠️
src/cares_wrap.cc	91.66%	0 Missing and 1 partial ⚠️
src/env.cc	50.00%	0 Missing and 1 partial ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #58517      +/-   ##
==========================================
- Coverage   90.20%   90.13%   -0.07%     
==========================================
  Files         633      639       +6     
  Lines      186852   188076    +1224     
  Branches    36690    36902     +212     
==========================================
+ Hits       168550   169525     +975     
- Misses      11090    11294     +204     
- Partials     7212     7257      +45     

Files with missing lines	Coverage Δ
lib/internal/errors.js	97.50% <100.00%> (+0.02%)	⬆️
src/node_options.cc	84.57% <100.00%> (-0.68%)	⬇️
src/node_options.h	97.86% <100.00%> (-1.04%)	⬇️
src/permission/net_permission.cc	100.00% <100.00%> (ø)
src/permission/net_permission.h	100.00% <100.00%> (ø)
src/permission/permission.cc	80.00% <100.00%> (+1.50%)	⬆️
src/permission/permission.h	83.33% <ø> (ø)
src/cares_wrap.cc	54.60% <91.66%> (+0.21%)	⬆️
src/env.cc	80.70% <50.00%> (-0.08%)	⬇️
src/cares_wrap.h	79.24% <82.35%> (+0.27%)	⬆️
... and 3 more

... and 162 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[Ethan-Arrowood]

This is excellent!

[mcollina]

lgtm

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/67389/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/67421/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/67432/

[RafaelGSS]

I had to push a small test fix for websocket (when no openssl). Could you please re-approve? @mcollina @Ethan-Arrowood

[Ethan-Arrowood]

This was fixed here: nodejs/undici#4274 so once that lands we can update this test to assert cause

[nodejs-github-bot]

Commit Queue failed

- Loading data for nodejs/node/pull/58517
✔  Done loading data for nodejs/node/pull/58517
----------------------------------- PR info ------------------------------------
Title      src,permission: add --allow-net permission (#58517)
Author     Rafael Gonzaga <rafael.nunu@hotmail.com> (@RafaelGSS)
Branch     RafaelGSS:add-permission-model-to-net -> nodejs:main
Labels     semver-major, lib / src, author ready, needs-ci, permission
Commits    2
 - src,permission: add --allow-net permission
 - fixup! src,permission: add --allow-net permission
Committers 1
 - RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs/node/pull/58517
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
------------------------------ Generated metadata ------------------------------
PR-URL: https://github.com/nodejs/node/pull/58517
Reviewed-By: Ethan Arrowood <ethan@arrowood.dev>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
--------------------------------------------------------------------------------
   ℹ  This PR was created on Fri, 30 May 2025 20:53:53 GMT
   ✔  Approvals: 2
   ✔  - Ethan Arrowood (@Ethan-Arrowood): https://github.com/nodejs/node/pull/58517#pullrequestreview-2932137688
   ✔  - Matteo Collina (@mcollina) (TSC): https://github.com/nodejs/node/pull/58517#pullrequestreview-2914481831
   ✘  semver-major requires at least 2 TSC approvals
   ✔  Last GitHub CI successful
   ℹ  Last Full PR CI on 2025-06-14T00:21:55Z: https://ci.nodejs.org/job/node-test-pull-request/67432/
- Querying data for job/node-test-pull-request/67432/
   ✔  Last Jenkins CI successful
--------------------------------------------------------------------------------
   ✔  Aborted `git node land` session in /home/runner/work/node/node/.ncu

https://github.com/nodejs/node/actions/runs/15682641187

[RafaelGSS]

Ping @nodejs/tsc for another TSC approval.

[mcollina]

lgtm

[nodejs-github-bot]

Landed in 462c741

[github-actions]

The notable-change PRs with changes that should be highlighted in changelogs. label has been added by @RafaelGSS.

Please suggest a text for the release notes if you'd like to include a more detailed summary, then proceed to update the PR description with the text or a link to the notable change suggested text comment. Otherwise, the commit will be placed in the Other Notable Changes section.