permission: handle fs.watchFile

PR-URL: nodejs-private/node-private#404
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1966499
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2023-30582

Author: RafaelGSS

src/node_stat_watcher.cc

@@ -25,6 +25,7 @@
 #include "memory_tracker-inl.h"
 #include "node_external_reference.h"
 #include "node_file-inl.h"
+#include "permission/permission.h"
 #include "util-inl.h"
 
 #include <cstring>
@@ -111,6 +112,10 @@ void StatWatcher::Start(const FunctionCallbackInfo<Value>& args) {
 
   node::Utf8Value path(args.GetIsolate(), args[0]);
   CHECK_NOT_NULL(*path);
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      wrap->env(),
+      permission::PermissionScope::kFileSystemRead,
+      path.ToStringView());
 
   CHECK(args[1]->IsUint32());
   const uint32_t interval = args[1].As<Uint32>()->Value();

test/fixtures/permission/fs-read.js

@@ -228,6 +228,17 @@ const regularFile = __filename;
   });
 }
 
+// fs.watchFile
+{
+  assert.throws(() => {
+    fs.watchFile(blockedFile, common.mustNotCall());
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+    resource: path.toNamespacedPath(blockedFile),
+  }));
+}
+
 // fs.rename
 {
   assert.throws(() => {