
Commit 6bc17a6

RafaelGSSaduh95
authored andcommitted
permission: handle process.chdir on writereport
Signed-off-by: RafaelGSS <[email protected]> PR-URL: nodejs-private/node-private#870 Reviewed-By: Antoine du Hamel <[email protected]> CVE-ID: CVE-2026-48617 Refs: https://hackerone.com/reports/3625987
1 parent 9308084 commit 6bc17a6

2 files changed

Lines changed: 54 additions & 1 deletion


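--- a/lib/internal/process/report.js
+++ b/lib/internal/process/report.js
@@ -5,9 +5,11 @@ const {
 } = primordials;
 
 const {
+ERR_ACCESS_DENIED,
 ERR_SYNTHETIC,
 } = require('internal/errors').codes;
 const { getValidatedPath } = require('internal/fs/utils');
+const permission = require('internal/process/permission');
 const {
 validateBoolean,
 validateObject,
@@ -26,6 +28,17 @@ const report = {
 file = getValidatedPath(file);
 }
 
+if (permission.isEnabled()) {
+const resource = file ?? process.cwd();
+if (!permission.has('fs.write', resource)) {
+throw new ERR_ACCESS_DENIED(
+'Access to this API has been restricted',
+'FileSystemWrite',
+resource,
+);
+}
+}
+
 if (err === undefined) {
 err = new ERR_SYNTHETIC();
 } else {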
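Review bot: The path handed to `permission.has('fs.write', resource)` is `file ?? process.cwd()`, which need not be the path the report writer finally opens. Node documents that a report filename is appended to `process.report.directory` when that is set, and to the working directory only otherwise. Whether the native writer repeats the check on the resolved destination is not visible in this hunk, so that should be confirmed. If it does not, the guard can pass on the strength of the cwd grant while the file lands in the report directory. I would derive `resource` from the same directory-plus-filename resolution the writer uses, and at minimum add above the check `// Must be the resolved destination (report directory or cwd, plus filename) that the writer will open.` The enclosing method starts and ends outside the hunk.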

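--- a/test/parallel/test-permission-fs-write-report.js
+++ b/test/parallel/test-permission-fs-write-report.js
@@ -1,7 +1,7 @@
-// Flags: --permission --allow-fs-read=*
 'use strict';
 
 const common = require('../common');
+const { spawnSyncAndExitWithoutError } = require('../common/child_process');
 const { isMainThread } = require('worker_threads');
 
 if (!isMainThread) {
@@ -12,7 +12,21 @@ if (!common.hasCrypto) {
 common.skip('no crypto');
 }
 
+// We need to define the flags dynamically to account for the `NODE_TEST_DIR` env var.
+if (!process.permission) {
+spawnSyncAndExitWithoutError(process.execPath, [
+'--permission',
+'--allow-fs-read=*', `--allow-fs-write=${process.env.NODE_TEST_DIR || './test'}/.tmp.*`, '--allow-child-process',
+__filename,
+]);
+return;
+}
+
 const assert = require('assert');
+const path = require('path');
+const tmpdir = require('../common/tmpdir');
+
+tmpdir.refresh();
 
 {
 assert.throws(() => {
@@ -33,3 +47,29 @@ const assert = require('assert');
 resource: process.cwd(),
 }));
 }
+
+{
+const reportPath = path.join(tmpdir.path, 'report.json');
+spawnSyncAndExitWithoutError(
+process.execPath,
+[
+'--permission',
+'--allow-fs-read=*',
+`--allow-fs-write=${tmpdir.path}/*`,
+'-e',
+`process.report.writeReport(${JSON.stringify(reportPath)})`,
+]
+);
+}
+
+spawnSyncAndExitWithoutError(
+process.execPath,
+[
+'--permission',
+'--allow-fs-read=*',
+`--allow-fs-write=${tmpdir.path}`,
+'-e',
+'process.report.writeReport()',
+],
+{ cwd: tmpdir.path }
+);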
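Review bot: None of the added cases calls `process.chdir()`, although the commit title names it as the scenario being handled. The two new `writeReport` spawns only show that a write inside an allowed directory succeeds, and the existing denial assertion (the context ending at `resource: process.cwd()`) runs without any directory change. A regression case should pin the denial after the working directory changes: a child granted `--allow-fs-write` for `tmpdir.path` only, whose cwd is then moved outside that grant, should get `ERR_ACCESS_DENIED` from `process.report.writeReport()` with `resource` equal to the new cwd. As a style point, the re-exec argument list puts `'--allow-fs-read=*'`, the `--allow-fs-write` template and `'--allow-child-process'` on one line, while every other list in the file uses one flag per line.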
