From 41d0d74734ede018548a7c2faf0d45e70a91b801 Mon Sep 17 00:00:00 2001
From: RafaelGSS <rafael.nunu@hotmail.com>
Date: Mon, 6 Mar 2023 13:45:07 -0300
Subject: [PATCH] permission: fix spawnSync permission check

---
 src/spawn_sync.cc                              |  2 ++
 .../test-permission-deny-child-process-cli.js  | 18 ++++++++++++++++++
 .../test-permission-deny-child-process.js      | 18 ++++++++++++++++++
 3 files changed, 38 insertions(+)

diff --git a/src/spawn_sync.cc b/src/spawn_sync.cc
index ae4a85a42d6166f..b3c0fabafdaad25 100644
--- a/src/spawn_sync.cc
+++ b/src/spawn_sync.cc
@@ -369,6 +369,8 @@ void SyncProcessRunner::Initialize(Local<Object> target,
 
 void SyncProcessRunner::Spawn(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      env, permission::PermissionScope::kChildProcess, "");
   env->PrintSyncTrace();
   SyncProcessRunner p(env);
   Local<Value> result;
diff --git a/test/parallel/test-permission-deny-child-process-cli.js b/test/parallel/test-permission-deny-child-process-cli.js
index 7f15cacd0d2a3af..3ce473ab498e0ef 100644
--- a/test/parallel/test-permission-deny-child-process-cli.js
+++ b/test/parallel/test-permission-deny-child-process-cli.js
@@ -24,12 +24,24 @@ if (process.argv[2] === 'child') {
     code: 'ERR_ACCESS_DENIED',
     permission: 'ChildProcess',
   }));
+  assert.throws(() => {
+    childProcess.spawnSync(process.execPath, ['--version']);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'ChildProcess',
+  }));
   assert.throws(() => {
     childProcess.exec(process.execPath, ['--version']);
   }, common.expectsError({
     code: 'ERR_ACCESS_DENIED',
     permission: 'ChildProcess',
   }));
+  assert.throws(() => {
+    childProcess.execSync(process.execPath, ['--version']);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'ChildProcess',
+  }));
   assert.throws(() => {
     childProcess.fork(__filename, ['child']);
   }, common.expectsError({
@@ -42,4 +54,10 @@ if (process.argv[2] === 'child') {
     code: 'ERR_ACCESS_DENIED',
     permission: 'ChildProcess',
   }));
+  assert.throws(() => {
+    childProcess.execFileSync(process.execPath, ['--version']);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'ChildProcess',
+  }));
 }
diff --git a/test/parallel/test-permission-deny-child-process.js b/test/parallel/test-permission-deny-child-process.js
index 36c0e9da86fc1f6..7dbd9beb089e2b4 100644
--- a/test/parallel/test-permission-deny-child-process.js
+++ b/test/parallel/test-permission-deny-child-process.js
@@ -31,12 +31,24 @@ if (process.argv[2] === 'child') {
     code: 'ERR_ACCESS_DENIED',
     permission: 'ChildProcess',
   }));
+  assert.throws(() => {
+    childProcess.spawnSync(process.execPath, ['--version']);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'ChildProcess',
+  }));
   assert.throws(() => {
     childProcess.exec(process.execPath, ['--version']);
   }, common.expectsError({
     code: 'ERR_ACCESS_DENIED',
     permission: 'ChildProcess',
   }));
+  assert.throws(() => {
+    childProcess.execSync(process.execPath, ['--version']);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'ChildProcess',
+  }));
   assert.throws(() => {
     childProcess.fork(__filename, ['child']);
   }, common.expectsError({
@@ -49,4 +61,10 @@ if (process.argv[2] === 'child') {
     code: 'ERR_ACCESS_DENIED',
     permission: 'ChildProcess',
   }));
+  assert.throws(() => {
+    childProcess.execFileSync(process.execPath, ['--version']);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'ChildProcess',
+  }));
 }