文件系统权限

🌐 File System Permissions

默认情况下,权限模型通过 node:fs 模块限制对文件系统的访问。它并不能保证用户无法通过其他方式访问文件系统,例如通过 node:sqlite 模块。

🌐 The Permission Model, by default, restricts access to the file system through the node:fs module. It does not guarantee that users will not be able to access the file system through other means, such as through the node:sqlite module.

要允许访问文件系统,请使用 --allow-fs-read--allow-fs-write 标志:

🌐 To allow access to the file system, use the --allow-fs-read and --allow-fs-write flags:

$ node --experimental-permission --allow-fs-read=* --allow-fs-write=* index.js
Hello world!
(node:19836) ExperimentalWarning: Permission is an experimental feature
(Use `node --trace-warnings ...` to show where the warning was created)

两个标志的有效参数是:

🌐 The valid arguments for both flags are:

  • * - 分别允许所有 FileSystemReadFileSystemWrite 操作。
  • 用逗号(,)分隔的路径,以分别只允许匹配 FileSystemReadFileSystemWrite 操作。

示例:

🌐 Example:

  • --allow-fs-read=* - 它将允许所有 FileSystemRead 操作。
  • --allow-fs-write=* - 它将允许所有 FileSystemWrite 操作。
  • --allow-fs-write=/tmp/ - 它将允许对 /tmp/ 文件夹进行 FileSystemWrite 访问。
  • --allow-fs-read=/tmp/ --allow-fs-read=/home/.gitignore - 它允许对 /tmp/ 文件夹 以及 /home/.gitignore 路径进行 FileSystemRead 访问。

也支持通配符:

🌐 Wildcards are supported too:

  • --allow-fs-read=/home/test* 将允许读取与通配符匹配的所有内容。例如:/home/test/file1/home/test2

在通配符字符(*)之后,所有后续字符将被忽略。例如:/home/*.js 的效果类似于 /home/*

🌐 After passing a wildcard character (*) all subsequent characters will be ignored. For example: /home/*.js will work similar to /home/*.

当权限模型初始化时,如果指定的目录存在,它会自动添加通配符(*)。例如,如果 /home/test/files 存在,它将被视为 /home/test/files/*。然而,如果目录不存在,将不会添加通配符,并且访问将限制在 /home/test/files。如果你想允许访问尚不存在的文件夹,请确保明确包含通配符:/my-path/folder-do-not-exist/*

🌐 When the permission model is initialized, it will automatically add a wildcard (*) if the specified directory exists. For example, if /home/test/files exists, it will be treated as /home/test/files/*. However, if the directory does not exist, the wildcard will not be added, and access will be limited to /home/test/files. If you want to allow access to a folder that does not exist yet, make sure to explicitly include the wildcard: /my-path/folder-do-not-exist/*.