permission: disable FileHandle utimes with permission model

RafaelGSS · aduh95 · commit 7057c3f16cee · 2026-06-17T18:52:17.000+02:00
PR-URL: nodejs-private/node-private#873 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48935 Refs: https://hackerone.com/reports/3625987
diff --git a/lib/internal/fs/promises.js b/lib/internal/fs/promises.js
@@ -1802,6 +1802,9 @@ async function utimes(path, atime, mtime) {
 }
 
 async function futimes(handle, atime, mtime) {
+  if (permission.isEnabled()) {
+    throw new ERR_ACCESS_DENIED('futimes API is disabled when Permission Model is enabled.');
+  }
   atime = toUnixTimestamp(atime, 'atime');
   mtime = toUnixTimestamp(mtime, 'mtime');
   return await PromisePrototypeThen(
diff --git a/test/parallel/test-permission-fs-filehandle-utimes.js b/test/parallel/test-permission-fs-filehandle-utimes.js
@@ -0,0 +1,33 @@
+// Flags: --permission --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+if (!common.hasCrypto) {
+  common.skip('no crypto');
+}
+
+const assert = require('assert');
+const { open } = require('fs/promises');
+const fixtures = require('../common/fixtures');
+
+const regularFile = fixtures.path('permission', 'deny', 'regular-file.md');
+
+// FileHandle.utimes() must be blocked when the permission model is enabled,
+// consistent with fs.futimes() / fs.futimesSync().
+(async () => {
+  const fh = await open(regularFile, 'r');
+  try {
+    await assert.rejects(
+      fh.utimes(Date.now(), Date.now()),
+      common.expectsError({ code: 'ERR_ACCESS_DENIED' }),
+    );
+  } finally {
+    await fh.close();
+  }
+})().then(common.mustCall());

Original file line number	Diff line number	Diff line change
`@@ -1802,6 +1802,9 @@ async function utimes(path, atime, mtime) {`
`1802`	`1802`	`}`
`1803`	`1803`
`1804`	`1804`	`async function futimes(handle, atime, mtime) {`
	`1805`	`+ if (permission.isEnabled()) {`
	`1806`	`+ throw new ERR_ACCESS_DENIED('futimes API is disabled when Permission Model is enabled.');`
	`1807`	`+ }`
`1805`	`1808`	`atime = toUnixTimestamp(atime, 'atime');`
`1806`	`1809`	`mtime = toUnixTimestamp(mtime, 'mtime');`
`1807`	`1810`	`return await PromisePrototypeThen(`