
Commit 1f64147

committed
permission: handle buffer path on fs calls
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2038134 PR-URL: nodejs-private/node-private#439
1 parent 4aa0eff commit 1f64147


2 files changed

+31
-1
lines changed


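--- a/lib/internal/fs/utils.js
+++ b/lib/internal/fs/utils.js
@@ -712,6 +712,8 @@ function possiblyTransformPath(path) {
 if (permission.isEnabled()) {
 if (typeof path === 'string') {
 return pathModule.resolve(path);
+} else if (Buffer.isBuffer(path)) {
+return Buffer.from(pathModule.resolve(path.toString()));
 }
 }
 return path;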
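Review bot: `Buffer.isBuffer(path)` on the new `else if` matches only Buffer instances, so any other byte-array path the fs validators accept (a plain `Uint8Array`, if they allow one; the validation is outside this hunk) still falls through to `return path;` unresolved and presumably reaches the permission check with its `..` segments intact. Widening the guard, for example `} else if (isUint8Array(path)) {` with `return Buffer.from(pathModule.resolve(Buffer.from(path).toString()));`, would cover that, assuming `isUint8Array` from `internal/util/types` is in scope in this file. `path.toString()` also decodes as UTF-8, so a path containing bytes that are not valid UTF-8 comes back altered after the round trip; a one-line comment stating that limitation would help the next reader. `possiblyTransformPath` begins above the hunk.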

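--- a/test/fixtures/permission/fs-traversal.js
+++ b/test/fixtures/permission/fs-traversal.js
@@ -8,7 +8,9 @@ const path = require('path');
 
 const blockedFolder = process.env.BLOCKEDFOLDER;
 const allowedFolder = process.env.ALLOWEDFOLDER;
-const traversalPath = allowedFolder + '../file.md'
+const traversalPath = allowedFolder + '../file.md';
+const traversalFolderPath = allowedFolder + '../folder';
+const bufferTraversalPath = Buffer.from(allowedFolder + '../file.md');
 
 {
 assert.ok(process.permission.has('fs.read', allowedFolder));
@@ -41,7 +43,33 @@ const traversalPath = allowedFolder + '../file.md'
 }));
 }
 
+{
+assert.throws(() => {
+fs.mkdtempSync(traversalFolderPath, (error) => {
+assert.ifError(error);
+});
+}, common.expectsError({
+code: 'ERR_ACCESS_DENIED',
+permission: 'FileSystemWrite',
+resource: path.toNamespacedPath(path.resolve(traversalFolderPath + 'XXXXXX')),
+}));
+}
+
+{
+assert.throws(() => {
+fs.readFile(bufferTraversalPath, (error) => {
+assert.ifError(error);
+});
+}, common.expectsError({
+code: 'ERR_ACCESS_DENIED',
+permission: 'FileSystemRead',
+resource: path.resolve(traversalPath),
+}));
+}
+
 {
 assert.ok(!process.permission.has('fs.read', traversalPath));
 assert.ok(!process.permission.has('fs.write', traversalPath));
+assert.ok(!process.permission.has('fs.read', traversalFolderPath));
+assert.ok(!process.permission.has('fs.write', traversalFolderPath));
 }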
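Review bot: The callback passed to `fs.mkdtempSync` in the first added block is never invoked, because the sync API takes options as its second argument, so the `assert.ifError(error)` inside it is dead code and suggests an async flow that does not exist; `fs.mkdtempSync(traversalFolderPath);` inside the `assert.throws` is enough. The Buffer branch is exercised only through `fs.readFile`, so a write-side call with `bufferTraversalPath` expecting `permission: 'FileSystemWrite'` would pin the new behaviour for both scopes. The two expectations also build `resource` differently (`path.toNamespacedPath(path.resolve(...))` versus plain `path.resolve(...)`); a short comment saying why they differ would keep a later edit from "normalising" one of them.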
