permission: handle fs.watchFile

PR-URL: https://github.com/nodejs-private/node-private/pull/404 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1966499 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> CVE-ID: CVE-2023-30582
2023-05-06 15:03:23 -03:00 · 2023-05-06 15:03:23 -03:00 · 56b1a0fca4
parent b607b74a4f
commit 56b1a0fca4
2 changed files with 16 additions and 0 deletions
--- a/src/node_stat_watcher.cc
+++ b/src/node_stat_watcher.cc
@ -25,6 +25,7 @@
 #include "memory_tracker-inl.h"
 #include "node_external_reference.h"
 #include "node_file-inl.h"
+#include "permission/permission.h"
 #include "util-inl.h"

 #include <cstring>
@ -111,6 +112,10 @@ void StatWatcher::Start(const FunctionCallbackInfo<Value>& args) {

  node::Utf8Value path(args.GetIsolate(), args[0]);
  CHECK_NOT_NULL(*path);
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      wrap->env(),
+      permission::PermissionScope::kFileSystemRead,
+      path.ToStringView());

  CHECK(args[1]->IsUint32());
  const uint32_t interval = args[1].As<Uint32>()->Value();
--- a/test/fixtures/permission/fs-read.js
+++ b/test/fixtures/permission/fs-read.js
@ -228,6 +228,17 @@ const regularFile = __filename;
  });
 }

+// fs.watchFile
+{
+  assert.throws(() => {
+    fs.watchFile(blockedFile, common.mustNotCall());
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+    resource: path.toNamespacedPath(blockedFile),
+  }));
+}
+
 // fs.rename
 {
  assert.throws(() => {