From 1726da93000b31cc3d15a1eecd0c90b1f1694654 Mon Sep 17 00:00:00 2001
From: Rafael Gonzaga
Date: Wed, 15 Mar 2023 11:27:26 -0300
Subject: [PATCH] permission: add path separator to loader check
Signed-off-by: RafaelGSS
PR-URL: https://github.com/nodejs/node/pull/47030
Reviewed-By: Geoffrey Booth
Reviewed-By: Benjamin Gruenbaum
Reviewed-By: Paolo Insogna
Reviewed-By: Marco Ippolito
---
 lib/internal/modules/cjs/loader.js | 2 +-
 test/fixtures/permission/loader/index.js | 3 +++
 test/parallel/test-cli-permission-deny-fs.js | 25 +++++++++++++++++++-
 3 files changed, 28 insertions(+), 2 deletions(-)
 create mode 100644 test/fixtures/permission/loader/index.js
diff --git a/lib/internal/modules/cjs/loader.js b/lib/internal/modules/cjs/loader.js
index 0727c8d2cffad3..a864ee94056bd4 100644
--- a/lib/internal/modules/cjs/loader.js
+++ b/lib/internal/modules/cjs/loader.js
@@ -423,7 +423,7 @@ function readPackageScope(checkPath) {
 checkPath = StringPrototypeSlice(checkPath, 0, separatorIndex);
 // Stop the search when the process doesn't have permissions
 // to walk upwards
- if (enabledPermission && !permission.has('fs.read', checkPath)) {
+ if (enabledPermission && !permission.has('fs.read', checkPath + sep)) {
 return false;
 }
 if (StringPrototypeEndsWith(checkPath, sep + 'node_modules'))
diff --git a/test/fixtures/permission/loader/index.js b/test/fixtures/permission/loader/index.js
new file mode 100644
index 00000000000000..d0bb5ebde606e8
--- /dev/null
+++ b/test/fixtures/permission/loader/index.js
@@ -0,0 +1,3 @@
+const fs = require('node:fs');
+
+fs.readFile('/etc/passwd', () => {});
diff --git a/test/parallel/test-cli-permission-deny-fs.js b/test/parallel/test-cli-permission-deny-fs.js
index 6af6ba40788175..927d582094cd41 100644
--- a/test/parallel/test-cli-permission-deny-fs.js
+++ b/test/parallel/test-cli-permission-deny-fs.js
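Review bot: In readPackageScope (lib/internal/modules/cjs/loader.js), the new `checkPath + sep` argument has no comment saying why the separator is appended, and the existing comment above it only describes stopping the upward walk. Because this line gates how far the loader walks outside the granted read scope, a later cleanup could drop the `+ sep` without noticing that it matters. I would add `// checkPath is a directory here; query it with a trailing sep so the permission check is made against the directory form.` directly above the `if`. Any other `permission.has('fs.read', …)` call on a directory path outside this hunk would presumably want the same form; the function body starts and ends outside the hunk.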
@@ -1,9 +1,12 @@
 'use strict';
-require('../common');
+const common = require('../common');
+
+const fixtures = require('../common/fixtures');
 const { spawnSync } = require('child_process');
 const assert = require('assert');
 const fs = require('fs');
+const path = require('path');
 {
 const { status, stdout } = spawnSync(
@@ -126,3 +129,23 @@ const fs = require('fs');
 assert.strictEqual(status, 1);
 assert.ok(!fs.existsSync('permission-deny-example.md'));
 }
+
+{
+ const { root } = path.parse(process.cwd());
+ const abs = (p) => path.join(root, p);
+ const firstPath = abs(path.sep + process.cwd().split(path.sep, 2)[1]);
+ if (firstPath.startsWith('/etc')) {
+ common.skip('/etc as firstPath');
+ }
+ const file = fixtures.path('permission', 'loader', 'index.js');
+ const { status, stderr } = spawnSync(
+ process.execPath,
+ [
+ '--experimental-permission',
+ `--allow-fs-read=${firstPath}`,
+ file,
+ ]
+ );
+ assert.match(stderr.toString(), /resource: '.*?[\\/](?:etc|passwd)'/);
+ assert.strictEqual(status, 1);
+}
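Review bot: In the new block at the end of test/parallel/test-cli-permission-deny-fs.js, `firstPath` collapses to the filesystem root when the test runs with the root as its working directory, because `process.cwd().split(path.sep, 2)[1]` is then an empty string. `--allow-fs-read` would then presumably cover `/etc/passwd` as well, so the child is not denied and both assertions fail for a reason unrelated to the loader fix. The skip guard could cover that case: `if (firstPath === root || firstPath.startsWith('/etc')) {`, with the skip message adjusted to match. A one-line comment such as `// Grant read access only to the top-level directory containing cwd; /etc must stay denied.` would also make the intent of the block clear.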