permission: add initial environment permission
Add initial environment permission support. This restricts permission to access environment variables through `process.env` by using the `--allow-env` flag.
usages

Proposed basic usages are as follows:

- `--allow-env=DB_HOST`: `DB_HOST` is allowed.
- `--allow-env=DB_HOST,DB_PORT`: `DB_HOST` and `DB_PORT` are allowed.
- `--allow-env=DB_*`: Env vars starting with `DB_` are allowed.
- `--allow-env=DB_*,-DB_PASSWORD`: All env vars starting with `DB_` except `DB_PASSWORD` are allowed.
- `--allow-env=*,-DB_PASSWORD`: All env vars except `DB_PASSWORD` are allowed.
`process[env_private_symbol]`

This is based on the idea of using a new privileged API for builtins to access the environment variables instead of `process.env`. It preserves current behaviors of `process.env` on the child processes and the worker threads by leveraging the existing native traps. This approach required manual changes to all internal uses of it.
Signed-off-by: Daeyeon Jeong daeyeon.dev@gmail.com
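An added example, not part of this commit and not Node's implementation, that models the proposed allow/deny semantics of the `--allow-env` patterns listed above; the helper names (`parseAllowEnv`, `isEnvAllowed`, `visibleEnv`) and the sample environment are made up for illustration:

```javascript
'use strict';
// Hypothetical model of the --allow-env rules from the commit message:
//   - the value is a comma-separated list of patterns,
//   - `*` is a wildcard (`DB_*` matches any name starting with `DB_`),
//   - a leading `-` denies a name even when an allow pattern matched it.
// This is illustration only, not the code Node.js uses.

// Turn one pattern such as "DB_*" into a RegExp anchored to the whole name.
function patternToRegExp(pattern) {
  const escaped = pattern
    .replace(/[.+?^${}()|[\]\\]/g, '\\$&') // escape regex metacharacters
    .replace(/\*/g, '.*');                   // `*` becomes "anything"
  return new RegExp(`^${escaped}$`);
}

// Parse the --allow-env value into separate allow and deny pattern lists.
function parseAllowEnv(spec) {
  const allow = [];
  const deny = [];
  for (const raw of spec.split(',')) {
    const token = raw.trim();
    if (token === '') continue;
    if (token.startsWith('-')) deny.push(patternToRegExp(token.slice(1)));
    else allow.push(patternToRegExp(token));
  }
  return { allow, deny };
}

// A name is readable iff some allow pattern matches and no deny pattern does.
function isEnvAllowed(spec, name) {
  const { allow, deny } = parseAllowEnv(spec);
  return allow.some((re) => re.test(name)) && !deny.some((re) => re.test(name));
}

// Constructed sample environment (not real data) to show which names survive.
const SAMPLE_ENV = { DB_HOST: 'db', DB_PORT: '5432', DB_PASSWORD: 'x', HOME: '/home/app' };

// Return the sorted subset of env names visible under a given spec.
function visibleEnv(spec, env = SAMPLE_ENV) {
  return Object.keys(env).filter((k) => isEnvAllowed(spec, k)).sort();
}

// Walk through the five usages from the commit message.
for (const spec of ['DB_HOST', 'DB_HOST,DB_PORT', 'DB_*', 'DB_*,-DB_PASSWORD', '*,-DB_PASSWORD']) {
  console.log(`--allow-env=${spec}`.padEnd(32), visibleEnv(spec).join(','));
}
```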