Skip to content

Commit 9357433

Browse files
RafaelGSSRafaelGSS
committed
lib,permission: disable fchmod/fchown when pm enabled
PR-URL: nodejs-private/node-private#584 Refs: https://hackerone.com/reports/2472071 CVE-ID: CVE-2024-36137
1 parent 5d9c811 commit 9357433

File tree

2 files changed

+43
-0
lines changed

2 files changed

+43
-0
lines changed

lib/fs.js

Lines changed: 15 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -1873,6 +1873,11 @@ function fchmod(fd, mode, callback) {
18731873
mode = parseFileMode(mode, 'mode');
18741874
callback = makeCallback(callback);
18751875

1876+
if (permission.isEnabled()) {
1877+
callback(new ERR_ACCESS_DENIED('fchmod API is disabled when Permission Model is enabled.'));
1878+
return;
1879+
}
1880+
18761881
const req = new FSReqCallback();
18771882
req.oncomplete = callback;
18781883
binding.fchmod(fd, mode, req);
@@ -1885,6 +1890,9 @@ function fchmod(fd, mode, callback) {
18851890
* @returns {void}
18861891
*/
18871892
function fchmodSync(fd, mode) {
1893+
if (permission.isEnabled()) {
1894+
throw new ERR_ACCESS_DENIED('fchmod API is disabled when Permission Model is enabled.');
1895+
}
18881896
binding.fchmod(
18891897
fd,
18901898
parseFileMode(mode, 'mode'),
@@ -2010,6 +2018,10 @@ function fchown(fd, uid, gid, callback) {
20102018
validateInteger(uid, 'uid', -1, kMaxUserId);
20112019
validateInteger(gid, 'gid', -1, kMaxUserId);
20122020
callback = makeCallback(callback);
2021+
if (permission.isEnabled()) {
2022+
callback(new ERR_ACCESS_DENIED('fchown API is disabled when Permission Model is enabled.'));
2023+
return;
2024+
}
20132025

20142026
const req = new FSReqCallback();
20152027
req.oncomplete = callback;
@@ -2026,6 +2038,9 @@ function fchown(fd, uid, gid, callback) {
20262038
function fchownSync(fd, uid, gid) {
20272039
validateInteger(uid, 'uid', -1, kMaxUserId);
20282040
validateInteger(gid, 'gid', -1, kMaxUserId);
2041+
if (permission.isEnabled()) {
2042+
throw new ERR_ACCESS_DENIED('fchown API is disabled when Permission Model is enabled.');
2043+
}
20292044

20302045
binding.fchown(fd, uid, gid);
20312046
}

test/fixtures/permission/fs-write.js

Lines changed: 28 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -462,4 +462,32 @@ const relativeProtectedFolder = process.env.RELATIVEBLOCKEDFOLDER;
462462
permission: 'FileSystemWrite',
463463
resource: path.toNamespacedPath(blockedFile),
464464
});
465+
}
466+
467+
// fs.fchown with read-only fd
468+
{
469+
assert.throws(() => {
470+
// blocked file is allowed to read
471+
const fd = fs.openSync(blockedFile, 'r');
472+
fs.fchmod(fd, 777, common.expectsError({
473+
code: 'ERR_ACCESS_DENIED',
474+
}));
475+
fs.fchmodSync(fd, 777);
476+
}, {
477+
code: 'ERR_ACCESS_DENIED',
478+
});
479+
}
480+
481+
// fs.fchmod with read-only fd
482+
{
483+
assert.throws(() => {
484+
// blocked file is allowed to read
485+
const fd = fs.openSync(blockedFile, 'r');
486+
fs.fchown(fd, 999, 999, common.expectsError({
487+
code: 'ERR_ACCESS_DENIED',
488+
}));
489+
fs.fchownSync(fd, 999, 999);
490+
}, {
491+
code: 'ERR_ACCESS_DENIED',
492+
});
465493
}

0 commit comments

Comments
 (0)