permission: handle fs.watchFile

PR-URL: nodejs-private/node-private#404 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1966499 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> CVE-ID: CVE-2023-30582
nodejs · Jun 20, 2023 · 56b1a0f · 56b1a0f
1 parent b607b74
commit 56b1a0f
Show file tree

Hide file tree

Showing 2 changed files with 16 additions and 0 deletions.
diff --git a/src/node_stat_watcher.cc b/src/node_stat_watcher.cc
@@ -25,6 +25,7 @@
 #include "memory_tracker-inl.h"
 #include "node_external_reference.h"
 #include "node_file-inl.h"
+#include "permission/permission.h"
 #include "util-inl.h"
 
 #include <cstring>
@@ -111,6 +112,10 @@ void StatWatcher::Start(const FunctionCallbackInfo<Value>& args) {
 
   node::Utf8Value path(args.GetIsolate(), args[0]);
   CHECK_NOT_NULL(*path);
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      wrap->env(),
+      permission::PermissionScope::kFileSystemRead,
+      path.ToStringView());
 
   CHECK(args[1]->IsUint32());
   const uint32_t interval = args[1].As<Uint32>()->Value();

diff --git a/test/fixtures/permission/fs-read.js b/test/fixtures/permission/fs-read.js
@@ -228,6 +228,17 @@ const regularFile = __filename;
   });
 }
 
+// fs.watchFile
+{
+  assert.throws(() => {
+    fs.watchFile(blockedFile, common.mustNotCall());
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+    resource: path.toNamespacedPath(blockedFile),
+  }));
+}
+
 // fs.rename
 {
   assert.throws(() => {