Skip to content

Commit e9f395e

Browse files
RafaelGSSRafaelGSS
committed
lib: use cache fs internals against path traversal
PR-URL: nodejs-private/node-private#516 Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=2259914 Reviewed-By: Moshe Atlow <[email protected]> CVE-ID: CVE-2024-21891
1 parent 9052ef4 commit e9f395e

File tree

2 files changed

+28
-2
lines changed

2 files changed

+28
-2
lines changed

lib/internal/process/pre_execution.js

Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -11,6 +11,7 @@ const {
1111
DatePrototypeGetSeconds,
1212
NumberParseInt,
1313
ObjectDefineProperty,
14+
ObjectFreeze,
1415
ObjectGetOwnPropertyDescriptor,
1516
SafeMap,
1617
String,
@@ -573,6 +574,8 @@ function initializePermission() {
573574
process.binding = function binding(_module) {
574575
throw new ERR_ACCESS_DENIED('process.binding');
575576
};
577+
// Guarantee path module isn't monkey-patched to bypass permission model
578+
ObjectFreeze(require('path'));
576579
process.emitWarning('Permission is an experimental feature',
577580
'ExperimentalWarning');
578581
const { has, deny } = require('internal/process/permission');

test/fixtures/permission/fs-traversal.js

Lines changed: 25 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -6,9 +6,12 @@ const assert = require('assert');
66
const fs = require('fs');
77
const path = require('path');
88

9-
// This should not affect how the permission model resolves paths.
109
const { resolve } = path;
11-
path.resolve = (s) => s;
10+
// This should not affect how the permission model resolves paths.
11+
try {
12+
path.resolve = (s) => s;
13+
assert.fail('should not be called');
14+
} catch {}
1215

1316
const blockedFolder = process.env.BLOCKEDFOLDER;
1417
const allowedFolder = process.env.ALLOWEDFOLDER;
@@ -96,6 +99,26 @@ const uint8ArrayTraversalPath = new TextEncoder().encode(traversalPath);
9699
}));
97100
}
98101

102+
// Monkey-patching path module should also not allow path traversal.
103+
{
104+
const fs = require('fs');
105+
const path = require('path');
106+
107+
const cwd = Buffer.from('.');
108+
try {
109+
path.toNamespacedPath = (path) => { return traversalPath; };
110+
assert.fail('should throw error when pacthing');
111+
} catch { }
112+
113+
assert.throws(() => {
114+
fs.readFile(cwd, common.mustNotCall());
115+
}, common.expectsError({
116+
code: 'ERR_ACCESS_DENIED',
117+
permission: 'FileSystemRead',
118+
resource: resolve(cwd.toString()),
119+
}));
120+
}
121+
99122
// Monkey-patching Buffer internals should also not allow path traversal.
100123
{
101124
const extraChars = '.'.repeat(40);

0 commit comments

Comments
 (0)