mirrors/nodejs
mirrors/nodejs
0
0
Fork 0
mirror of https://github.com/nodejs/node.git synced 2024-11-21 21:19:50 +01:00
Code Issues Releases Activity

lib,permission: support Buffer to permission.has

Browse Source 
PR-URL: https://github.com/nodejs/node/pull/54104
Fixes: https://github.com/nodejs/node/issues/54100
Reviewed-By: Yagiz Nizipli <yagiz@nizipli.com>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
This commit is contained in:
Rafael Gonzaga 2024-08-03 13:46:57 -03:00 committed by GitHub
parent 492032f34c
commit 358ff748ea
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
5 changed files with 32 additions and 4 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
lib/fs.js
View File

@ -1546,7 +1546,8 @@ function lstat(path, options = { bigint: false }, callback) {
callback = makeStatsCallback(callback);
path = getValidatedPath(path);
if (permission.isEnabled() && !permission.has('fs.read', path)) {
callback(new ERR_ACCESS_DENIED('Access to this API has been restricted', 'FileSystemRead', path));
const resource = BufferIsBuffer(path) ? BufferToString(path) : path;
callback(new ERR_ACCESS_DENIED('Access to this API has been restricted', 'FileSystemRead', resource));
return;
}
@ -1623,7 +1624,8 @@ function fstatSync(fd, options = { bigint: false }) {
function lstatSync(path, options = { bigint: false, throwIfNoEntry: true }) {
path = getValidatedPath(path);
if (permission.isEnabled() && !permission.has('fs.read', path)) {
throw new ERR_ACCESS_DENIED('Access to this API has been restricted', 'FileSystemRead', path);
const resource = BufferIsBuffer(path) ? BufferToString(path) : path;
throw new ERR_ACCESS_DENIED('Access to this API has been restricted', 'FileSystemRead', resource);
}
const stats = binding.lstat(
getValidatedPath(path),

10
lib/internal/process/permission.js
View File

@ -5,7 +5,9 @@ const {
} = primordials;
const permission = internalBinding('permission');
const { validateString } = require('internal/validators');
const { validateString, validateBuffer } = require('internal/validators');
const { Buffer } = require('buffer');
const { isBuffer } = Buffer;
let experimentalPermission;
@ -22,7 +24,11 @@ module.exports = ObjectFreeze({
validateString(scope, 'scope');
if (reference != null) {
// TODO: add support for WHATWG URLs and Uint8Arrays.
validateString(reference, 'reference');
if (isBuffer(reference)) {
validateBuffer(reference, 'reference');
} else {
validateString(reference, 'reference');
}
}
return permission.has(scope, reference);

6
test/fixtures/permission/fs-read.js vendored
View File

@ -7,6 +7,7 @@ const fs = require('fs');
const path = require('path');
const blockedFile = process.env.BLOCKEDFILE;
const bufferBlockedFile = Buffer.from(process.env.BLOCKEDFILE);
const blockedFileURL = new URL('file://' + process.env.BLOCKEDFILE);
const blockedFolder = process.env.BLOCKEDFOLDER;
const allowedFolder = process.env.ALLOWEDFOLDER;
@ -408,6 +409,11 @@ const regularFile = __filename;
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
}));
assert.throws(() => {
fs.lstatSync(bufferBlockedFile);
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
}));
// doesNotThrow
fs.lstat(regularFile, (err) => {

10
test/fixtures/permission/fs-traversal.js vendored
View File

@ -69,6 +69,16 @@ const uint8ArrayTraversalPath = new TextEncoder().encode(traversalPath);
}));
}
{
fs.lstat(bufferTraversalPath, common.expectsError({
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemRead',
// lstat checks and throw on JS side.
// resource is only resolved on C++ (is_granted)
resource: bufferTraversalPath.toString(),
}));
}
{
fs.readFile(uint8ArrayTraversalPath, common.expectsError({
code: 'ERR_ACCESS_DENIED',

4
test/parallel/test-permission-has.js
View File

@ -21,3 +21,7 @@ const assert = require('assert');
message: 'The "reference" argument must be of type string. Received an instance of Object',
}));
}
{
assert.ok(!process.permission.has('FileSystemWrite', Buffer.from('reference')));
}