feat: US-079 - Add write-side fs permission and custom checker tests

Author: NathanFlurry

packages/secure-exec-core/src/shared/errors.ts

@@ -23,11 +23,16 @@ export function createSystemError(
 }
 
 /** Create a permission-denied error matching Node's EACCES format. */
-export function createEaccesError(op: string, path?: string): SystemError {
+export function createEaccesError(
+	op: string,
+	path?: string,
+	reason?: string,
+): SystemError {
 	const suffix = path ? ` '${path}'` : "";
+	const reasonSuffix = reason ? `: ${reason}` : "";
 	return createSystemError(
 		"EACCES",
-		`EACCES: permission denied, ${op}${suffix}`,
+		`EACCES: permission denied, ${op}${suffix}${reasonSuffix}`,
 		{ path, syscall: op },
 	);
 }

packages/secure-exec-core/src/shared/permissions.ts

@@ -20,14 +20,14 @@ import type {
 function checkPermission<T>(
 	check: ((request: T) => { allow: boolean; reason?: string }) | undefined,
 	request: T,
-	onDenied: (request: T) => Error,
+	onDenied: (request: T, reason?: string) => Error,
 ): void {
 	if (!check) {
 		throw onDenied(request);
 	}
 	const decision = check(request);
 	if (!decision?.allow) {
-		throw onDenied(request);
+		throw onDenied(request, decision?.reason);
 	}
 }
 
@@ -107,164 +107,164 @@ export function wrapFileSystem(
 			checkPermission(
 				permissions?.fs,
 				{ op: "read", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.readFile(path);
 		},
 		readTextFile: async (path) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "read", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.readTextFile(path);
 		},
 		readDir: async (path) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "readdir", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.readDir(path);
 		},
 		readDirWithTypes: async (path) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "readdir", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.readDirWithTypes(path);
 		},
 		writeFile: async (path, content) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "write", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.writeFile(path, content);
 		},
 		createDir: async (path) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "createDir", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.createDir(path);
 		},
 		mkdir: async (path) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "mkdir", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.mkdir(path);
 		},
 		exists: async (path) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "exists", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.exists(path);
 		},
 		stat: async (path) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "stat", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.stat(path);
 		},
 		removeFile: async (path) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "rm", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.removeFile(path);
 		},
 		removeDir: async (path) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "rm", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.removeDir(path);
 		},
 		rename: async (oldPath, newPath) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "rename", path: oldPath },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			checkPermission(
 				permissions?.fs,
 				{ op: "rename", path: newPath },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.rename(oldPath, newPath);
 		},
 		symlink: async (target, linkPath) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "symlink", path: linkPath },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.symlink(target, linkPath);
 		},
 		readlink: async (path) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "readlink", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.readlink(path);
 		},
 		lstat: async (path) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "stat", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.lstat(path);
 		},
 		link: async (oldPath, newPath) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "link", path: newPath },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.link(oldPath, newPath);
 		},
 		chmod: async (path, mode) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "chmod", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.chmod(path, mode);
 		},
 		chown: async (path, uid, gid) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "chown", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.chown(path, uid, gid);
 		},
 		utimes: async (path, atime, mtime) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "utimes", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.utimes(path, atime, mtime);
 		},
 		truncate: async (path, length) => {
 			checkPermission(
 				permissions?.fs,
 				{ op: "truncate", path },
-				(req) => createEaccesError(fsOpToSyscall(req.op), req.path),
+				(req, reason) => createEaccesError(fsOpToSyscall(req.op), req.path, reason),
 			);
 			return fs.truncate(path, length);
 		},
@@ -293,7 +293,7 @@ export function wrapNetworkAdapter(
 								: `http://0.0.0.0:${options.port ?? 3000}`,
 							method: "LISTEN",
 						},
-						(req) => createEaccesError("listen", req.url),
+						(req, reason) => createEaccesError("listen", req.url, reason),
 					);
 					return adapter.httpServerListen!(options);
 				}
@@ -307,23 +307,23 @@ export function wrapNetworkAdapter(
 			checkPermission(
 				permissions?.network,
 				{ op: "fetch", url, method: options?.method },
-				(req) => createEaccesError("connect", req.url),
+				(req, reason) => createEaccesError("connect", req.url, reason),
 			);
 			return adapter.fetch(url, options);
 		},
 		dnsLookup: async (hostname) => {
 			checkPermission(
 				permissions?.network,
 				{ op: "dns", hostname },
-				(req) => createEaccesError("connect", req.hostname),
+				(req, reason) => createEaccesError("connect", req.hostname, reason),
 			);
 			return adapter.dnsLookup(hostname);
 		},
 		httpRequest: async (url, options) => {
 			checkPermission(
 				permissions?.network,
 				{ op: "http", url, method: options?.method },
-				(req) => createEaccesError("connect", req.url),
+				(req, reason) => createEaccesError("connect", req.url, reason),
 			);
 			return adapter.httpRequest(url, options);
 		},
@@ -340,7 +340,7 @@ export function wrapCommandExecutor(
 			checkPermission(
 				permissions?.childProcess,
 				{ command, args, cwd: options.cwd, env: options.env },
-				(req) => createEaccesError("spawn", req.command),
+				(req, reason) => createEaccesError("spawn", req.command, reason),
 			);
 			return executor.spawn(command, args, options);
 		},
@@ -351,8 +351,8 @@ export function envAccessAllowed(
 	permissions: Permissions | undefined,
 	request: EnvAccessRequest,
 ): void {
-	checkPermission(permissions?.env, request, (req) =>
-		createEaccesError("access", req.key),
+	checkPermission(permissions?.env, request, (req, reason) =>
+		createEaccesError("access", req.key, reason),
 	);
 }
 

packages/secure-exec/tests/permissions.test.ts

@@ -203,3 +203,73 @@ describe("allow helpers", () => {
 		expectEacces(envThrown, "access", "HIDDEN");
 	});
 });
+
+describe("permissions deny-by-default write-side", () => {
+	it("denies writeFile when fs checker is missing", async () => {
+		const guardedFs = wrapFileSystem(baseFs);
+		let thrown: unknown;
+		try {
+			await guardedFs.writeFile("/data.bin", new Uint8Array([1, 2]));
+		} catch (error) {
+			thrown = error;
+		}
+		expectEacces(thrown, "write", "/data.bin");
+	});
+
+	it("denies createDir when fs checker is missing", async () => {
+		const guardedFs = wrapFileSystem(baseFs);
+		let thrown: unknown;
+		try {
+			await guardedFs.createDir("/newdir");
+		} catch (error) {
+			thrown = error;
+		}
+		expectEacces(thrown, "mkdir", "/newdir");
+	});
+
+	it("denies removeFile when fs checker is missing", async () => {
+		const guardedFs = wrapFileSystem(baseFs);
+		let thrown: unknown;
+		try {
+			await guardedFs.removeFile("/secret.txt");
+		} catch (error) {
+			thrown = error;
+		}
+		expectEacces(thrown, "unlink", "/secret.txt");
+	});
+});
+
+describe("custom permission checker", () => {
+	it("fs checker returning { allow: false, reason } produces EACCES with reason", async () => {
+		const permissions: Permissions = {
+			fs: () => ({ allow: false, reason: "policy" }),
+		};
+		const guardedFs = wrapFileSystem(baseFs, permissions);
+		let thrown: unknown;
+		try {
+			await guardedFs.writeFile("/blocked.txt", new Uint8Array([1]));
+		} catch (error) {
+			thrown = error;
+		}
+		expect(thrown).toMatchObject({ code: "EACCES", syscall: "write" });
+		expect((thrown as Error).message).toContain("policy");
+	});
+
+	it("childProcess checker receives cwd parameter in request", () => {
+		const captured: { command: string; args: string[]; cwd?: string }[] = [];
+		const permissions: Permissions = {
+			childProcess: (req) => {
+				captured.push({
+					command: req.command,
+					args: req.args,
+					cwd: req.cwd,
+				});
+				return { allow: true };
+			},
+		};
+		const guardedExecutor = wrapCommandExecutor(baseExecutor, permissions);
+		guardedExecutor.spawn("node", ["-e", "1"], { cwd: "/app" });
+		expect(captured).toHaveLength(1);
+		expect(captured[0].cwd).toBe("/app");
+	});
+});