[Bug]: use pm2 and --experimental-permission, throw Error: Access to this API has been restricted #53447

Closed
skypesky opened this issue Jun 14, 2024 · 8 comments
Labels
inspector Issues and PRs related to the V8 inspector protocol permission Issues and PRs related to the Permission Model

Comments

@skypesky

skypesky commented Jun 14, 2024

Version

v22.3.0

Platform

Darwin mac-studio.local 23.4.0 Darwin Kernel Version 23.4.0: Fri Mar 15 00:10:42 PDT 2024; root:xnu-10063.101.17~1/RELEASE_ARM64_T6000 arm64

Subsystem

No response

What steps will reproduce the bug?

  • Create a new file pm2.io.js, install @pm2/io deps
const io = require('@pm2/io'); // @pm2/io version is 6.0.0
io.init({});
  • Executing the script
pm2 start pm2.io.js --node-args="--experimental-permission --allow-fs-read=*" -f
  • View pm2 logs, use pm2 logs command
0|pm2.io | node:inspector:59
0|pm2.io |     this.#connection = new Connection((message) => this.#onMessage(message));
0|pm2.io |                        ^
0|pm2.io | Error: Access to this API has been restricted
0|pm2.io |     at Session.connect (node:inspector:59:24)
0|pm2.io |     at InspectorService.init (/Users/skypesky/Library/pnpm/global/5/.pnpm/@[email protected]/node_modules/@pm2/io/build/main/services/inspector.js:14:22)
0|pm2.io |     at PMX.init (/Users/skypesky/Library/pnpm/global/5/.pnpm/@[email protected]/node_modules/@pm2/io/build/main/pmx.js:72:30)
0|pm2.io |     at Object.<anonymous> (/Users/skypesky/Library/pnpm/global/5/.pnpm/@[email protected]/node_modules/@pm2/io/build/main/index.js:5:65)
0|pm2.io |     at Module._compile (node:internal/modules/cjs/loader:1460:14)
0|pm2.io |     at Module._extensions..js (node:internal/modules/cjs/loader:1544:10)
0|pm2.io |     at Module.load (node:internal/modules/cjs/loader:1275:32)
0|pm2.io |     at Module._load (node:internal/modules/cjs/loader:1091:12)
0|pm2.io |     at wrapModuleLoad (node:internal/modules/cjs/loader:212:19)
0|pm2.io |     at Module.require (node:internal/modules/cjs/loader:1297:12) {
0|pm2.io |   code: 'ERR_ACCESS_DENIED',
0|pm2.io |   permission: 'Inspector',
0|pm2.io |   resource: 'Connect'
0|pm2.io | }
0|pm2.io | Node.js v22.3.0

How often does it reproduce? Is there a required condition?

No response

What is the expected behavior? Why is that the expected behavior?

It should start and run normally without throwing any errors

What do you see instead?

0|pm2.io | node:inspector:59
0|pm2.io |     this.#connection = new Connection((message) => this.#onMessage(message));
0|pm2.io |                        ^
0|pm2.io | Error: Access to this API has been restricted
0|pm2.io |     at Session.connect (node:inspector:59:24)
0|pm2.io |     at InspectorService.init (/Users/skypesky/Library/pnpm/global/5/.pnpm/@[email protected]/node_modules/@pm2/io/build/main/services/inspector.js:14:22)
0|pm2.io |     at PMX.init (/Users/skypesky/Library/pnpm/global/5/.pnpm/@[email protected]/node_modules/@pm2/io/build/main/pmx.js:72:30)
0|pm2.io |     at Object.<anonymous> (/Users/skypesky/Library/pnpm/global/5/.pnpm/@[email protected]/node_modules/@pm2/io/build/main/index.js:5:65)
0|pm2.io |     at Module._compile (node:internal/modules/cjs/loader:1460:14)
0|pm2.io |     at Module._extensions..js (node:internal/modules/cjs/loader:1544:10)
0|pm2.io |     at Module.load (node:internal/modules/cjs/loader:1275:32)
0|pm2.io |     at Module._load (node:internal/modules/cjs/loader:1091:12)
0|pm2.io |     at wrapModuleLoad (node:internal/modules/cjs/loader:212:19)
0|pm2.io |     at Module.require (node:internal/modules/cjs/loader:1297:12) {
0|pm2.io |   code: 'ERR_ACCESS_DENIED',
0|pm2.io |   permission: 'Inspector',
0|pm2.io |   resource: 'Connect'
0|pm2.io | }
0|pm2.io | Node.js v22.3.0

Additional information

related: #53385 (comment)

@avivkeller
Member

avivkeller commented Jun 14, 2024

With the permissions you have set, that API isn't accessible. Try giving your script more permissions if possible.

@nodejs/security-wg

@avivkeller avivkeller added permission Issues and PRs related to the Permission Model inspector Issues and PRs related to the V8 inspector protocol labels Jun 14, 2024
@skypesky
Author

@redyetidev
Hello, I don't know what option or parameter can be used to grant permission. It seems that this parameter is not supported? Can you give me an example?

@avivkeller
Member

Hi! The security working group is in the CC, they know more about this and they'll respond soon!

@RafaelGSS
Member

As the error trace suggests:

(/Users/skypesky/Library/pnpm/global/5/.pnpm/@[email protected]/node_modules/@pm2/io/build/main/services/inspector.js:14:22

PM2 attempts to use the inspector protocol and this is disabled by default when using the Permission Model. It's not a bug, there's nothing we can do on the Node.js side.

@skypesky
Author

skypesky commented Jun 14, 2024

As the error trace suggests:

(/Users/skypesky/Library/pnpm/global/5/.pnpm/@[email protected]/node_modules/@pm2/io/build/main/services/inspector.js:14:22

PM2 attempts to use the inspector protocol and this is disabled by default when using the Permission Model. It's not a bug, there's nothing we can do on the Node.js side.

@RafaelGSS
So how can I use --experimental-permission and give @pm2/io permission as well? What parameters should I add?

@RafaelGSS
Member

So how can I use --experimental-permission and give @pm2/io permission as well? What parameters should I add?

You can't. As long as the @pm2/io uses the inspector protocol, you can't use this module with the Permission Model.

@skypesky
Author

skypesky commented Jun 14, 2024

@RafaelGSS
I don't understand why there is this restriction and why we can't enable permissions.
Can we support an --allow-inspect parameter when using --experimental-permission?

@RafaelGSS
Member

@RafaelGSS I don't understand why there is this restriction and why we can't enable permissions. Can we support an --allow-inspect parameter when using --experimental-permission?

The use of the inspector protocol can basically bypass any restriction imposed by the Permission Model. Technically, we can add an --allow-inspect CLI, but it might cause an impression of a safe environment where it's not.

let {result:{ objectId }} = await session.post('Runtime.evaluate', { expression: 'Worker' });

The usage of session can intercept internals and bypass the Worker and Child Process for example. We can for sure discuss a better implementation of this restriction, but a simple --allow-inspector might not be accurate.

Can you open an issue on nodejs/security-wg? Meanwhile, I'm closing this issue.
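
Added example, not code from this thread, from @pm2/io or from Node.js: one way instrumentation code could tolerate the denial shown in the trace above and keep the process running with the inspector-based features switched off. `openInspectorOrDegrade` and `deniedSessionFactory` are hypothetical names; the error fields checked are the ones printed in the logged error.

```javascript
'use strict';

// True only for the denial logged in this issue (the Permission Model
// refusing the inspector), not for unrelated failures.
function isInspectorDenied(err) {
  return Boolean(err) &&
    err.code === 'ERR_ACCESS_DENIED' &&
    err.permission === 'Inspector';
}

// Hypothetical helper: open an inspector session if the runtime allows it.
// The factory is injectable so the denial path can be exercised without
// starting Node.js with --experimental-permission. node:inspector is loaded
// lazily so that merely importing this file never touches the restricted API.
function openInspectorOrDegrade(
  createSession = () => new (require('node:inspector').Session)()
) {
  try {
    const session = createSession();
    session.connect(); // this is the call that throws in the trace above
    return { session, enabled: true, reason: null };
  } catch (err) {
    if (!isInspectorDenied(err)) throw err; // unknown failure: do not mask it
    return {
      session: null,
      enabled: false,
      reason: `${err.permission}/${err.resource} denied by Permission Model`,
    };
  }
}

// Constructed stand-in that fails the same way as the logged error.
function deniedSessionFactory() {
  return {
    connect() {
      throw Object.assign(new Error('Access to this API has been restricted'), {
        code: 'ERR_ACCESS_DENIED',
        permission: 'Inspector',
        resource: 'Connect',
      });
    },
  };
}

// Denied path: profiling is skipped and the caller gets a reason to log.
console.log(openInspectorOrDegrade(deniedSessionFactory));
```
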
