Skip to content

support insecure-algorithms manifest permissions flag #3967

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
Julusian merged 5 commits into from
Feb 18, 2026
+41 −30
Merged

support insecure-algorithms manifest permissions flag #3967

Changes from all commits
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
6a23a01
support insecure-algorithms manifest permissions flag
phillipivan Feb 16, 2026
a77edd8
Rework order of operations in getNodeJsPermissionArguments method
phillipivan Feb 17, 2026
4d9bfb9
slightly tweak order / formatting
phillipivan Feb 17, 2026
5566e84
Merge branch 'main' into main
Julusian Feb 18, 2026
945c65e
wip: reorder
Julusian Feb 18, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
71 changes: 41 additions & 30 deletions companion/lib/Instance/NodePath.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,7 +2,7 @@ import fs from 'fs-extra'
import { isPackaged } from '../Resources/Util.js'
import path from 'path'
import { doesModuleSupportPermissionsModel } from './Connection/ApiVersions.js'
import type { SomeModuleManifest } from '@companion-app/shared/Model/ModuleManifest.js'
import type { ModuleManifestExt, SomeModuleManifest } from '@companion-app/shared/Model/ModuleManifest.js'
import { createRequire } from 'module'

/**
Expand Down Expand Up @@ -37,42 +37,53 @@ export function getNodeJsPermissionArguments(
moduleDir: string,
enableInspect: boolean
): string[] {
const args: string[] = []

// Not supported by surfaces
if (manifest.type === 'surface') return []
if (manifest.type === 'surface') return args

// Not supported by node18
if (enableInspect || manifest.runtime.type === 'node18' || !doesModuleSupportPermissionsModel(moduleApiVersion))
return []
// Check module api is new enough
if (!doesModuleSupportPermissionsModel(moduleApiVersion)) return args

const args = [
'--no-warnings=SecurityWarning',
'--permission',
// Always allow read access to the module source directory
`--allow-fs-read=${moduleDir}`,
`--allow-fs-read=${isPackaged() ? import.meta.dirname : path.join(import.meta.dirname, '../../..')}`, // Allow read access to companion code, because of some esm loader issues
]
const manifestPermissions: ModuleManifestExt['runtime']['permissions'] = manifest.runtime.permissions || {}

if (!isPackaged()) {
// Always allow read access to module host package, needed when running a dev version
const require = createRequire(import.meta.url)
args.push(`--allow-fs-read=${path.join(path.dirname(require.resolve('@companion-module/host')), '../../..')}`)
}
if (manifestPermissions['insecure-algorithms']) args.push('--openssl-legacy-provider')

let forceReadWriteAll = false
if (process.platform === 'win32' && moduleDir.startsWith('\\\\')) {
// This is a network path, which nodejs does not support for the permissions model
forceReadWriteAll = true
}
// Node18 is more limited in supported arguments
if (manifest.runtime.type === 'node18') return args

args.push('--use-system-ca')

if (!enableInspect) {
args.push(
'--no-warnings=SecurityWarning',
'--permission',
// Always allow read access to the module source directory
`--allow-fs-read=${moduleDir}`,
`--allow-fs-read=${isPackaged() ? import.meta.dirname : path.join(import.meta.dirname, '../../..')}` // Allow read access to companion code, because of some esm loader issues
)

if (!isPackaged()) {
// Always allow read access to module host package, needed when running a dev version
const require = createRequire(import.meta.url)
args.push(`--allow-fs-read=${path.join(path.dirname(require.resolve('@companion-module/host')), '../../..')}`)
}

let forceReadWriteAll = false
if (process.platform === 'win32' && moduleDir.startsWith('\\\\')) {
// This is a network path, which nodejs does not support for the permissions model
forceReadWriteAll = true
}

const manifestPermissions = manifest.runtime.permissions || {}
if (manifestPermissions['worker-threads']) args.push('--allow-worker')
if (manifestPermissions['child-process'] || manifestPermissions['native-addons']) args.push('--allow-child-process')
if (manifestPermissions['native-addons']) args.push('--allow-addons')
if (manifestPermissions['native-addons'] || manifestPermissions['filesystem'] || forceReadWriteAll) {
// Note: Using native addons usually means probing random filesystem paths to check the current platform
if (manifestPermissions['worker-threads']) args.push('--allow-worker')
if (manifestPermissions['child-process'] || manifestPermissions['native-addons']) args.push('--allow-child-process')
if (manifestPermissions['native-addons']) args.push('--allow-addons')
if (manifestPermissions['native-addons'] || manifestPermissions['filesystem'] || forceReadWriteAll) {
// Note: Using native addons usually means probing random filesystem paths to check the current platform

// Future: This should be scoped to some limited directories as specified by the user in the connection settings
args.push('--allow-fs-read=*', '--allow-fs-write=*')
// Future: This should be scoped to some limited directories as specified by the user in the connection settings
args.push('--allow-fs-read=*', '--allow-fs-write=*')
}
}

return args
Expand Down