permission: add kNet check to Open() in TCPWrap/PipeWrap/UDPWrap

[Haruna38]

Add THROW_IF_INSUFFICIENT_PERMISSIONS(kNet) to Open() in TCPWrap, PipeWrap, and UDPWrap.

Every other method on these classes that enables network I/O: Bind, Listen, Connect, DoSend, which already checks kNet. Open() is the only method that adopts a file descriptor into a libuv network handle without one, breaking the otherwise uniform gate across the API surface.

The permission model documentation (doc/api/permissions.md) explicitly states that "using existing file descriptors via the node:fs module bypasses the Permission Model." This carve-out is scoped to node:fs, it does not extend to node:net or node:dgram. Wrapping a fd into a net.Socket or dgram.Socket via these Open() methods is a network API operation and should be subject to kNet like every sibling method in the same classes.

This aligns Open() with the checks added in 462c741 (--allow-net initial implementation), 59c86b1 (PipeWrap Bind/Listen), and 1d2686d (PipeWrap Connect).

[nodejs-github-bot]

Review requested:

• @nodejs/net

[mcollina]

lgtm

[mcollina]

Thanks for opening a PR! Can you please add a unit test?

[Haruna38]

Sure thing, please give me a moment.

[Haruna38]

@mcollina while writing the test case, the failing CI caught my attention: this patch breaks stdio under the permission model. When a process runs with --permission but without --allow-net and its stdout/stderr/stdin is a pipe or TCP socket (as in any spawned child), bootstrap crashes:

node:net:432
    err = this._handle.open(fd);
          ^
Error: Access to this API has been restricted. Use --allow-net to manage permissions.
    at new Socket (node:net:432:24)
    at createWritableStdioStream (node:internal/bootstrap/switches/is_main_thread.js)

createWritableStdioStream (and stdin setup) wrap the inherited stdio fd via new net.Socket({ fd }) --> net.js:432 open(fd), which now hits the kNet check. That's why test-compile-cache-api-permission, test-dotenv-node-options, test-config-file, test-cli-permission-* and others fail, since they crash before running. I suspect this is why Open() was left ungated originally (#58517), since it's also how Node adopts inherited stdio.

Before I update the patch, what's your opinion on the direction? My instinct is to keep the kNet check on Open() but exempt the standard stream fds (0/1/2), so stdio works while inheriting a network socket on fd >= 3 stays gated. Happy to scope it differently if you prefer. Please read the follow-up comment, there are more nuances to this problem.

[Haruna38]

After digging through more of the code, the current approach likely breaks fork() and cluster too, not just stdio, since _forkChild adopts the IPC channel with new Pipe(PipeConstants.IPC); p.open(fd), so the gate would block IPC setup under --permission.

So I'd like your opinion on direction: should we keep the hardening but allow internal invocations to bypass the gate (block user-facing open(), while letting Node's own stdio/IPC adoption through), or simply drop this PR? @mcollina