/
fs-traversal.js
104 lines (92 loc) Β· 2.69 KB
/
fs-traversal.js
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
'use strict'
const common = require('../../common');
const assert = require('assert');
const fs = require('fs');
const path = require('path');
// This should not affect how the permission model resolves paths.
const { resolve } = path;
path.resolve = (s) => s;
const blockedFolder = process.env.BLOCKEDFOLDER;
const allowedFolder = process.env.ALLOWEDFOLDER;
const traversalPath = allowedFolder + '../file.md';
const traversalFolderPath = allowedFolder + '../folder';
const bufferTraversalPath = Buffer.from(allowedFolder + '../file.md');
const uint8ArrayTraversalPath = new TextEncoder().encode(traversalPath);
{
assert.ok(process.permission.has('fs.read', allowedFolder));
assert.ok(process.permission.has('fs.write', allowedFolder));
assert.ok(!process.permission.has('fs.read', blockedFolder));
assert.ok(!process.permission.has('fs.write', blockedFolder));
}
{
assert.throws(() => {
fs.writeFile(traversalPath, 'test', (error) => {
assert.ifError(error);
});
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemWrite',
resource: path.toNamespacedPath(resolve(traversalPath)),
}));
}
{
assert.throws(() => {
fs.readFile(traversalPath, (error) => {
assert.ifError(error);
});
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemRead',
resource: path.toNamespacedPath(resolve(traversalPath)),
}));
}
{
assert.throws(() => {
fs.mkdtempSync(traversalFolderPath, (error) => {
assert.ifError(error);
});
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemWrite',
resource: resolve(traversalFolderPath + 'XXXXXX'),
}));
}
{
assert.throws(() => {
fs.mkdtemp(traversalFolderPath, (error) => {
assert.ifError(error);
});
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemWrite',
resource: resolve(traversalFolderPath + 'XXXXXX'),
}));
}
{
assert.throws(() => {
fs.readFile(bufferTraversalPath, (error) => {
assert.ifError(error);
});
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemRead',
resource: resolve(traversalPath),
}));
}
{
assert.throws(() => {
fs.readFile(uint8ArrayTraversalPath, (error) => {
assert.ifError(error);
});
}, common.expectsError({
code: 'ERR_ACCESS_DENIED',
permission: 'FileSystemRead',
resource: resolve(traversalPath),
}));
}
{
assert.ok(!process.permission.has('fs.read', traversalPath));
assert.ok(!process.permission.has('fs.write', traversalPath));
assert.ok(!process.permission.has('fs.read', traversalFolderPath));
assert.ok(!process.permission.has('fs.write', traversalFolderPath));
}