fixup! src,permission: add --allow-net permission

Author: RafaelGSS

doc/api/cli.md

@@ -289,7 +289,7 @@ req.on('error', (err) => {
 ```
 
 ```console
-$ node --permission --allow-fs-read=./index.js index.js
+$ node --permission index.js
 Error: connect ERR_ACCESS_DENIED Access to this API has been restricted. Use --allow-net to manage permissions.
   code: 'ERR_ACCESS_DENIED',
 }

src/cares_wrap.cc

@@ -1943,11 +1943,17 @@ void GetNameInfo(const FunctionCallbackInfo<Value>& args) {
       TRACING_CATEGORY_NODE2(dns, native), "lookupService", req_wrap.get(),
       "ip", TRACE_STR_COPY(*ip), "port", port);
 
-  // TODO: check?
-  int err = req_wrap->Dispatch(uv_getnameinfo,
-                               AfterGetNameInfo,
-                               reinterpret_cast<struct sockaddr*>(&addr),
-                               NI_NAMEREQD);
+  int err = 0;
+  if (!env->permission()->is_granted(
+        env, permission::PermissionScope::kNet, ip.ToStringView())) [[unlikely]] {
+    req_wrap->InsufficientPermissionError(*ip);
+  } else {
+    err = req_wrap->Dispatch(uv_getnameinfo,
+        AfterGetNameInfo,
+        reinterpret_cast<struct sockaddr*>(&addr),
+        NI_NAMEREQD);
+  }
+
   if (err == 0)
     // Release ownership of the pointer allowing the ownership to be transferred
     USE(req_wrap.release());
@@ -1965,6 +1971,7 @@ void GetServers(const FunctionCallbackInfo<Value>& args) {
 
   ares_addr_port_node* servers;
 
+  // TODO: check
   int r = ares_get_servers_ports(channel->cares_channel(), &servers);
   CHECK_EQ(r, ARES_SUCCESS);
   auto cleanup = OnScopeLeave([&]() { ares_free_data(servers); });
@@ -2009,6 +2016,7 @@ void SetServers(const FunctionCallbackInfo<Value>& args) {
 
   uint32_t len = arr->Length();
 
+  // TODO: check
   if (len == 0) {
     int rv = ares_set_servers(channel->cares_channel(), nullptr);
     return args.GetReturnValue().Set(rv);

src/cares_wrap.h

@@ -215,6 +215,17 @@ class GetNameInfoReqWrap final : public ReqWrap<uv_getnameinfo_t> {
  public:
   GetNameInfoReqWrap(Environment* env, v8::Local<v8::Object> req_wrap_obj);
 
+  void InsufficientPermissionError(std::string resource) {
+    v8::HandleScope handle_scope(env()->isolate());
+    v8::Context::Scope context_scope(env()->context());
+    v8::Local<v8::Value> arg;
+    if (!permission::CreateAccessDeniedError(env(), permission::PermissionScope::kNet, resource)
+        .ToLocal(&arg)) {
+      // TODO: handle error?
+    }
+    MakeCallback(env()->oncomplete_string(), 1, &arg);
+  }
+
   SET_NO_MEMORY_INFO()
   SET_MEMORY_INFO_NAME(GetNameInfoReqWrap)
   SET_SELF_SIZE(GetNameInfoReqWrap)

test/parallel/test-permission-net-dns.js

@@ -77,3 +77,16 @@ const { Resolver } = dns.promises;
     assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');
   }));
 }
+
+{
+  dns.lookupService('127.0.0.1', 80, common.mustCall((err) => {
+    assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');
+  }));
+
+  dns.lookupService('8.8.8.8', 80, common.mustCall((err) => {
+    assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');
+  }));
+  dns.promises.lookupService('127.0.0.1', 80).catch(common.mustCall((err) => {
+    assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');
+  }));
+}