permission: add --allow-env flag for environment variable access control

[nabeel378]

Adds --allow-env permission flag to control access to environment variables when the permission model is enabled (--permission).

Supported usage:

• --allow-env=* — grants access to all environment variables
• --allow-env=HOME,PATH — grants access only to specified variables

When --permission is enabled without --allow-env, reading a restricted variable silently returns undefined, writing or deleting throws ERR_ACCESS_DENIED, and enumerating (Object.keys(process.env)) returns only allowed variables.

Fixes: #62424

[nodejs-github-bot]

Review requested:

• @nodejs/config
• @nodejs/gyp
• @nodejs/security-wg

[codecov]

Codecov Report

❌ Patch coverage is 89.23077% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.53%. Comparing base (58a8e1d) to head (44aa875).
⚠️ Report is 36 commits behind head on main.

Files with missing lines	Patch %	Lines
src/node_env_var.cc	87.09%	0 Missing and 4 partials ⚠️
src/permission/env_var_permission.cc	85.00%	1 Missing and 2 partials ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main   #62827      +/-   ##
==========================================
- Coverage   89.69%   89.53%   -0.16%     
==========================================
  Files         706      708       +2     
  Lines      218222   219086     +864     
  Branches    41768    41914     +146     
==========================================
+ Hits       195731   196166     +435     
- Misses      14411    14796     +385     
- Partials     8080     8124      +44     

Files with missing lines	Coverage Δ
lib/internal/process/permission.js	83.87% <100.00%> (-16.13%)	⬇️
src/env.cc	85.28% <100.00%> (-0.18%)	⬇️
src/node_options.cc	76.63% <100.00%> (+0.12%)	⬆️
src/node_options.h	97.98% <100.00%> (ø)
src/permission/env_var_permission.h	100.00% <100.00%> (ø)
src/permission/permission.cc	81.92% <100.00%> (+0.33%)	⬆️
src/permission/permission.h	100.00% <ø> (ø)
src/permission/env_var_permission.cc	85.00% <85.00%> (ø)
src/node_env_var.cc	82.08% <87.09%> (-0.13%)	⬇️

... and 78 files with indirect coverage changes

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[thisalihassan]

This paragraph and the console block below it describe a deny-by-default model that the code does not implement

./out/Release/node --permission '--allow-fs-read=*' -p 'process.env.HOME'
/Users/thisalihassan

[nabeel378]

Good catch! You're right, env vars are unrestricted by default with --permission. They only get restricted when --allow-env is explicitly passed. Updated both cli.md and process.md with the correct description and working examples.

[thisalihassan]

As written, this output is unreachable

./out/Release/node --permission test.js
/Users/thisalihassan

[thisalihassan]

Same issue as cli.md

[thisalihassan]

I don't think this PR as it stands closes #62424, the issue asked for a deny-by-default model with throw-on-read, matching Deno and consistent with the rest of the permission model which doesn't defend against the threat the issue was explicitly motivated by

The PR description is no longer accurate according to the current opt-in model

[nabeel378]

I don't think this PR as it stands closes #62424, the issue asked for a deny-by-default model with throw-on-read, matching Deno and consistent with the rest of the permission model which doesn't defend against the threat the issue was explicitly motivated by

The PR description is no longer accurate according to the current opt-in model

I missed that. Switching to deny-by-default to stay consistent with the other permission flags and update desc proper.