From 56b1a0fca49645133e4cb09d734684bfe883d6d2 Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Sat, 6 May 2023 15:03:23 -0300
Subject: [PATCH] permission: handle fs.watchFile
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PR-URL: https://github.com/nodejs-private/node-private/pull/404
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1966499
Reviewed-By: Colin Ihrig
Reviewed-By: Tobias Nießen
Reviewed-By: Matteo Collina
CVE-ID: CVE-2023-30582
---
 src/node_stat_watcher.cc | 5 +++++
 test/fixtures/permission/fs-read.js | 11 +++++++++++
 2 files changed, 16 insertions(+)
diff --git a/src/node_stat_watcher.cc b/src/node_stat_watcher.cc
index 79a0b7ed996..2d1e5002f7f 100644
--- a/src/node_stat_watcher.cc
+++ b/src/node_stat_watcher.cc
@@ -25,6 +25,7 @@
 #include "memory_tracker-inl.h"
 #include "node_external_reference.h"
 #include "node_file-inl.h"
+#include "permission/permission.h"
 #include "util-inl.h"
 #include
@@ -111,6 +112,10 @@ void StatWatcher::Start(const FunctionCallbackInfo& args) {
 node::Utf8Value path(args.GetIsolate(), args[0]);
 CHECK_NOT_NULL(*path);
+ THROW_IF_INSUFFICIENT_PERMISSIONS(
+ wrap->env(),
+ permission::PermissionScope::kFileSystemRead,
+ path.ToStringView());
 CHECK(args[1]->IsUint32());
 const uint32_t interval = args[1].As()->Value();
diff --git a/test/fixtures/permission/fs-read.js b/test/fixtures/permission/fs-read.js
index 2c032329686..d89e9e4a873 100644
--- a/test/fixtures/permission/fs-read.js
+++ b/test/fixtures/permission/fs-read.js
@@ -228,6 +228,17 @@ const regularFile = __filename;
 });
 }
+// fs.watchFile
+{
+ assert.throws(() => {
+ fs.watchFile(blockedFile, common.mustNotCall());
+ }, common.expectsError({
+ code: 'ERR_ACCESS_DENIED',
+ permission: 'FileSystemRead',
+ resource: path.toNamespacedPath(blockedFile),
+ }));
+}
+
 // fs.rename
 {
 assert.throws(() => {
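Review bot: The `THROW_IF_INSUFFICIENT_PERMISSIONS` call added after `CHECK_NOT_NULL(*path)` in `StatWatcher::Start` checks the path string exactly as it arrives in `args[0]`. How well it holds up therefore depends on the JS caller having resolved relative segments first, and that normalization is not visible in this hunk. The check also carries no comment saying why a stat watcher needs a read permission, which is the reasoning behind this CVE fix and is easy to lose in a later refactor. I would add something like `// Watching a file reports its stat data to the callback, so it is gated as a read: without FileSystemRead on path the caller must not learn the file's existence or metadata.` above the macro. `Start`'s body begins and ends outside the hunk, so whether any state is set up before this early return cannot be confirmed from here.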
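Review bot: The new `// fs.watchFile` block asserts only the denied case, so a native check that rejected every path would still pass this fixture. If `regularFile` (named in the hunk header) is inside the allowed read set, a positive case such as `fs.watchFile(regularFile, common.mustNotCall()); fs.unwatchFile(regularFile);` would pin that permitted files can still be watched. A second denied assertion with `blockedFile` in another accepted form, such as a relative path, would also help, because the native check receives whatever string the JS layer hands it.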