permission: handle buffer path on fs calls

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2038134 PR-URL: nodejs-private/node-private#439
tniessen · Aug 9, 2023 · 1f64147 · 1f64147
1 parent 4aa0eff
commit 1f64147
Show file tree

Hide file tree

Showing 2 changed files with 31 additions and 1 deletion.
diff --git a/lib/internal/fs/utils.js b/lib/internal/fs/utils.js
@@ -712,6 +712,8 @@ function possiblyTransformPath(path) {
   if (permission.isEnabled()) {
     if (typeof path === 'string') {
       return pathModule.resolve(path);
+    } else if (Buffer.isBuffer(path)) {
+      return Buffer.from(pathModule.resolve(path.toString()));
     }
   }
   return path;

diff --git a/test/fixtures/permission/fs-traversal.js b/test/fixtures/permission/fs-traversal.js
@@ -8,7 +8,9 @@ const path = require('path');
 
 const blockedFolder = process.env.BLOCKEDFOLDER;
 const allowedFolder = process.env.ALLOWEDFOLDER;
-const traversalPath = allowedFolder + '../file.md'
+const traversalPath = allowedFolder + '../file.md';
+const traversalFolderPath = allowedFolder + '../folder';
+const bufferTraversalPath = Buffer.from(allowedFolder + '../file.md');
 
 {
   assert.ok(process.permission.has('fs.read', allowedFolder));
@@ -41,7 +43,33 @@ const traversalPath = allowedFolder + '../file.md'
   }));
 }
 
+{
+  assert.throws(() => {
+    fs.mkdtempSync(traversalFolderPath, (error) => {
+      assert.ifError(error);
+    });
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemWrite',
+    resource: path.toNamespacedPath(path.resolve(traversalFolderPath + 'XXXXXX')),
+  }));
+}
+
+{
+  assert.throws(() => {
+    fs.readFile(bufferTraversalPath, (error) => {
+      assert.ifError(error);
+    });
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+    resource: path.resolve(traversalPath),
+  }));
+}
+
 {
   assert.ok(!process.permission.has('fs.read', traversalPath));
   assert.ok(!process.permission.has('fs.write', traversalPath));
+  assert.ok(!process.permission.has('fs.read', traversalFolderPath));
+  assert.ok(!process.permission.has('fs.write', traversalFolderPath));
 }