<!-- YAML

added: v20.0.0

changes:

- version: REPLACEME

pr-url: https://github.com/nodejs/node/pull/58579

description: Entrypoints of your application are allowed to be read implicitly.

- version:

- v23.5.0

- v22.13.0

Examples can be found in the [File System Permissions][] documentation.

The initializer module also needs to be allowed. Consider the following example:

The initializer module and custom `--require` modules has a implicit

read permission.

```console

$ node --permission index.js

Error: Access to this API has been restricted

at node:internal/main/run_main_module:23:47 {

code: 'ERR_ACCESS_DENIED',

permission: 'FileSystemRead',

resource: '/Users/rafaelgss/repos/os/node/index.js'

}

$ node --permission -r custom-require.js -r custom-require-2.js index.js

```

The process needs to have access to the `index.js` module:

* The `custom-require.js`, `custom-require-2.js`, and `index.js` will be

by default in the allowed read list.

```bash

node --permission --allow-fs-read=/path/to/index.js index.js

```js

process.has('fs.read', 'index.js'); // true

process.has('fs.read', 'custom-require.js'); // true

process.has('fs.read', 'custom-require-2.js'); // true

```

### `--allow-fs-write`

Hello world!

```

By default the entrypoints of your application are included

in the allowed file system read list. For example:

```console

$ node --permission index.js

```

* `index.js` will be included in the allowed file system read list

```console

$ node -r /path/to/custom-require.js --permission index.js.

```

* `/path/to/custom-require.js` will be included in the allowed file system read

list.

* `index.js` will be included in the allowed file system read list.

The valid arguments for both flags are:

* `*` - To allow all `FileSystemRead` or `FileSystemWrite` operations,

permission()->Apply(this, {"*"}, permission::PermissionScope::kWASI);

}

// Implicit allow entrypoint to kFileSystemRead

if (!options_->has_eval_string && !options_->force_repl) {

std::string first_argv;

if (argv_.size() > 1) {

first_argv = argv_[1];

}

// Also implicit allow preloaded modules to kFileSystemRead

if (!options_->preload_cjs_modules.empty()) {

for (const std::string& mod : options_->preload_cjs_modules) {

options_->allow_fs_read.push_back(mod);

}

}

if (first_argv != "inspect") {

options_->allow_fs_read.push_back(first_argv);

}

}

if (!options_->allow_fs_read.empty()) {

permission()->Apply(this,

options_->allow_fs_read,

const fs = require('node:fs')

const path = require('node:path')

const assert = require('node:assert');

{

fs.readFileSync(__filename);

console.log('Read its own contents') // Should not throw

}

{

const simpleLoaderPath = path.join(__dirname, 'simple-loader.js');

fs.readFile(simpleLoaderPath, (err) => {

assert.ok(err.code, 'ERR_ACCESS_DENIED');

assert.ok(err.permission, 'FileSystemRead');

}); // Should throw ERR_ACCESS_DENIED

}

console.log('Hello world')

// Simulate a regular loading without fs operations

// but with access to Node core modules

require('node:fs')

// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process

'use strict';

const common = require('../common');

const { isMainThread } = require('worker_threads');

if (!isMainThread) {

common.skip('This test only works on a main thread');

}

if (!common.hasCrypto) {

common.skip('no crypto');

}

const assert = require('assert');

const fixtures = require('../common/fixtures');

const { spawnSync } = require('child_process');

const file = fixtures.path('permission', 'hello-world.js');

const simpleLoader = fixtures.path('permission', 'simple-loader.js');

const fsReadLoader = fixtures.path('permission', 'fs-read-loader.js');

[

'',

simpleLoader,

fsReadLoader,

].forEach((arg0) => {

const { status, stderr } = spawnSync(

process.execPath,

[

arg0 !== '' ? '-r' : '',

arg0,

'--permission',

file,

],

);

assert.strictEqual(status, 0, `${arg0} Error: ${stderr.toString()}`);

});

const { status, stderr } = spawnSync(

process.execPath,

[

'--permission', `--allow-fs-read=${file}`, `--allow-fs-read=${commonPathWildcard}`, file,

'--permission',

// Do not uncomment this line

// `--allow-fs-read=${file}`,

`--allow-fs-read=${commonPathWildcard}`,

file,

],

{

env: {