From 98a83a67e6e2c6b7f46ccedff327755e51d6ccc7 Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Wed, 28 Jun 2023 16:18:00 -0300
Subject: [PATCH] permission: ensure to resolve path when calling mkdtemp
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
PR-URL: https://github.com/nodejs-private/node-private/pull/464
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2037887
Reviewed-By: Tobias Nießen
---
lib/fs.js | 2 ++
test/fixtures/permission/fs-traversal.js | 16 ++++++++++++++--
2 files changed, 16 insertions(+), 2 deletions(-)
diff --git a/lib/fs.js b/lib/fs.js
index 3f4a6163ba3f65..ddef598126ae16 100644
--- a/lib/fs.js
+++ b/lib/fs.js
@@ -2916,6 +2916,7 @@ function mkdtemp(prefix, options, callback) {
 validateString(prefix, 'prefix');
 nullCheck(prefix, 'prefix');
+ prefix = getValidatedPath(prefix, 'prefix');
 warnOnNonPortableTemplate(prefix);
 const req = new FSReqCallback();
 req.oncomplete = callback;
@@ -2933,6 +2934,7 @@ function mkdtempSync(prefix, options) {
 validateString(prefix, 'prefix');
 nullCheck(prefix, 'prefix');
+ prefix = getValidatedPath(prefix, 'prefix');
 warnOnNonPortableTemplate(prefix);
 const path = `${prefix}XXXXXX`;
 const ctx = { path };
diff --git a/test/fixtures/permission/fs-traversal.js b/test/fixtures/permission/fs-traversal.js
index 288c00e537d271..2c35fb90ed6c1a 100644
--- a/test/fixtures/permission/fs-traversal.js
+++ b/test/fixtures/permission/fs-traversal.js
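Review bot: The added `prefix = getValidatedPath(prefix, 'prefix');` in `mkdtemp` (lib/fs.js) carries no comment saying why it is there, and placed right after `validateString` and `nullCheck` it reads like duplicate validation that a later cleanup could drop. Going by the commit subject and the fs-traversal fixture, it exists so that the permission check is made against the resolved path; I would add `// Permission model: the prefix must pass through getValidatedPath so traversal segments are handled before the access check.` above it. The same applies to the identical line in the `mkdtempSync` hunk. getValidatedPath is not visible here; if it already rejects null bytes, the preceding `nullCheck` may be redundant. Both function bodies continue outside their hunks.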
@@ -51,7 +51,19 @@ const bufferTraversalPath = Buffer.from(allowedFolder + '../file.md');
 }, common.expectsError({
 code: 'ERR_ACCESS_DENIED',
 permission: 'FileSystemWrite',
- resource: path.toNamespacedPath(path.resolve(traversalFolderPath + 'XXXXXX')),
+ resource: path.resolve(traversalFolderPath + 'XXXXXX'),
+ }));
+}
+
+{
+ assert.throws(() => {
+ fs.mkdtemp(traversalFolderPath, (error) => {
+ assert.ifError(error);
+ });
+ }, common.expectsError({
+ code: 'ERR_ACCESS_DENIED',
+ permission: 'FileSystemWrite',
+ resource: path.resolve(traversalFolderPath + 'XXXXXX'),
 }));
 }
@@ -72,4 +84,4 @@ const bufferTraversalPath = Buffer.from(allowedFolder + '../file.md');
 assert.ok(!process.permission.has('fs.write', traversalPath));
 assert.ok(!process.permission.has('fs.read', traversalFolderPath));
 assert.ok(!process.permission.has('fs.write', traversalFolderPath));
-}
\ No newline at end of file
+}
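Review bot: The callback passed to `fs.mkdtemp` in the new block, `(error) => { assert.ifError(error); }`, adds nothing to the test, because the denial is expected to be thrown synchronously inside `assert.throws` and the callback should never run. Passing `common.mustNotCall()` instead states that intent and fails the test if the call ever gets as far as invoking the callback. Separately, the expected `resource` in the first block drops `path.toNamespacedPath`, so it is worth confirming the fixture on Windows, where the two forms may differ. The first block in this hunk begins before the hunk.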