文件系统权限

¥File System Permissions

默认情况下,权限模型通过 node:fs 模块限制对文件系统的访问。它不能保证用户无法通过其他方式(例如通过 node:sqlite 模块)访问文件系统。

¥The Permission Model, by default, restricts access to the file system through the node:fs module. It does not guarantee that users will not be able to access the file system through other means, such as through the node:sqlite module.

要允许访问文件系统,请使用 --allow-fs-read--allow-fs-write 标志:

¥To allow access to the file system, use the --allow-fs-read and --allow-fs-write flags:

$ node --permission --allow-fs-read=* --allow-fs-write=* index.js
Hello world!

默认情况下,应用的入口点包含在允许的文件系统读取列表中。例如:

¥By default the entrypoints of your application are included in the allowed file system read list. For example:

$ node --permission index.js

  • index.js 将被包含在允许的文件系统读取列表中。

    ¥index.js will be included in the allowed file system read list

$ node -r /path/to/custom-require.js --permission index.js.

  • /path/to/custom-require.js 将被包含在允许的文件系统读取列表中。

    ¥/path/to/custom-require.js will be included in the allowed file system read list.

  • index.js 将被包含在允许的文件系统读取列表中。

    ¥index.js will be included in the allowed file system read list.

两个标志的有效参数是:

¥The valid arguments for both flags are:

  • * - 分别允许所有 FileSystemReadFileSystemWrite 操作。

    ¥* - To allow all FileSystemRead or FileSystemWrite operations, respectively.

  • 当前工作目录的相对路径。

    ¥Relative paths to the current working directory.

  • 绝对路径。

    ¥Absolute paths.

示例:

¥Example:

  • --allow-fs-read=* - 它将允许所有 FileSystemRead 操作。

    ¥--allow-fs-read=* - It will allow all FileSystemRead operations.

  • --allow-fs-write=* - 它将允许所有 FileSystemWrite 操作。

    ¥--allow-fs-write=* - It will allow all FileSystemWrite operations.

  • --allow-fs-write=/tmp/ - 它将允许 FileSystemWrite 访问 /tmp/ 文件夹。

    ¥--allow-fs-write=/tmp/ - It will allow FileSystemWrite access to the /tmp/ folder.

  • --allow-fs-read=/tmp/ --allow-fs-read=/home/.gitignore - 它允许 FileSystemRead 访问 /tmp/ 文件夹和 /home/.gitignore 路径。

    ¥--allow-fs-read=/tmp/ --allow-fs-read=/home/.gitignore - It allows FileSystemRead access to the /tmp/ folder and the /home/.gitignore path.

也支持通配符:

¥Wildcards are supported too:

  • --allow-fs-read=/home/test* 将允许读取与通配符匹配的所有内容。例如:/home/test/file1/home/test2

    ¥--allow-fs-read=/home/test* will allow read access to everything that matches the wildcard. e.g: /home/test/file1 or /home/test2

传递通配符 (*) 后,所有后续字符都将被忽略。例如:/home/*.js 的工作方式与 /home/* 类似。

¥After passing a wildcard character (*) all subsequent characters will be ignored. For example: /home/*.js will work similar to /home/*.

初始化权限模型时,如果指定的目录存在,它将自动添加通配符 (*)。例如,如果 /home/test/files 存在,它将被视为 /home/test/files/*。但是,如果目录不存在,则不会添加通配符,并且访问将仅限于 /home/test/files。如果要允许访问尚不存在的文件夹,请确保明确包含通配符:/my-path/folder-do-not-exist/*

¥When the permission model is initialized, it will automatically add a wildcard (*) if the specified directory exists. For example, if /home/test/files exists, it will be treated as /home/test/files/*. However, if the directory does not exist, the wildcard will not be added, and access will be limited to /home/test/files. If you want to allow access to a folder that does not exist yet, make sure to explicitly include the wildcard: /my-path/folder-do-not-exist/*.