diff --git a/src/node_stat_watcher.cc b/src/node_stat_watcher.cc
index 79a0b7ed996..2d1e5002f7f 100644
--- a/src/node_stat_watcher.cc
+++ b/src/node_stat_watcher.cc
@@ -25,6 +25,7 @@
 #include "memory_tracker-inl.h"
 #include "node_external_reference.h"
 #include "node_file-inl.h"
+#include "permission/permission.h"
 #include "util-inl.h"
 #include
@@ -111,6 +112,10 @@ void StatWatcher::Start(const FunctionCallbackInfo& args) {
 node::Utf8Value path(args.GetIsolate(), args[0]);
 CHECK_NOT_NULL(*path);
+ THROW_IF_INSUFFICIENT_PERMISSIONS(
+ wrap->env(),
+ permission::PermissionScope::kFileSystemRead,
+ path.ToStringView());
 CHECK(args[1]->IsUint32());
 const uint32_t interval = args[1].As()->Value();
diff --git a/test/fixtures/permission/fs-read.js b/test/fixtures/permission/fs-read.js
index 2c032329686..d89e9e4a873 100644
--- a/test/fixtures/permission/fs-read.js
+++ b/test/fixtures/permission/fs-read.js
@@ -228,6 +228,17 @@ const regularFile = __filename;
 });
 }
+// fs.watchFile
+{
+ assert.throws(() => {
+ fs.watchFile(blockedFile, common.mustNotCall());
+ }, common.expectsError({
+ code: 'ERR_ACCESS_DENIED',
+ permission: 'FileSystemRead',
+ resource: path.toNamespacedPath(blockedFile),
+ }));
+}
+
 // fs.rename
 {
 assert.throws(() => {
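Review bot: In `StatWatcher::Start`, the added `THROW_IF_INSUFFICIENT_PERMISSIONS` call has no comment saying why a read check belongs at this point or what form of path it expects. It compares `path.ToStringView()` exactly as it arrives from JS, and the fixture's expected `resource: path.toNamespacedPath(blockedFile)` suggests the caller has already namespaced the path, so the check presumably relies on that normalisation happening before `Start` is reached. I would put a comment above the macro such as `// Polling stats this path outside the fs binding's own checks; the path must already be namespaced by the JS caller.`, with the wording confirmed against the JS side, which is not part of this diff. `wrap` is declared outside the hunk, and the function body continues past it.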
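Review bot: The new `fs.watchFile` block in test/fixtures/permission/fs-read.js pins only the denied case for a string path, so a regression that makes the check reject every path, or that misses the other accepted argument types, would still pass. `fs.watchFile` also takes a Buffer or URL filename, so a second `assert.throws` using `Buffer.from(blockedFile)` would cover the non-string route into the same check. If `regularFile` is readable under this fixture's permissions, as its use elsewhere in the file suggests, an allowed-path case such as `fs.watchFile(regularFile, common.mustNotCall()); fs.unwatchFile(regularFile);` would confirm the check does not over-block and would not leave a watcher running.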