
Commit ebc5927

committed
permission: handle fs.openAsBlob
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1966492 PR-URL: nodejs-private/node-private#405 Reviewed-By: Tobias Nießen <tniessen@tnie.de> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Matteo Collina <matteo.collina@gmail.com> CVE-ID: CVE-2023-30583
1 parent dac08da commit ebc5927


3 files changed

+18
-1
lines changed


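--- a/lib/fs.js
+++ b/lib/fs.js
@@ -604,7 +604,8 @@ function openAsBlob(path, options = kEmptyObject) {
 // The underlying implementation here returns the Blob synchronously for now.
 // To give ourselves flexibility to maybe return the Blob asynchronously,
 // this API returns a Promise.
-return PromiseResolve(createBlobFromFilePath(getValidatedPath(path), { type }));
+path = getValidatedPath(path);
+return PromiseResolve(createBlobFromFilePath(pathModule.toNamespacedPath(path), { type }));
 }
 
 /**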
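Review bot: The new `pathModule.toNamespacedPath(path)` call in openAsBlob carries no explanation, and the reason for it is only visible in another file: the fixture in this commit expects the denial to report `resource: path.toNamespacedPath(blockedFile)`, so the native check appears to work on the namespaced form. A one-line comment above the call would record that, e.g. `// The permission check in the binding sees this exact string, so pass the namespaced form.` It is also worth confirming what happens when getValidatedPath returns something other than a string (a Buffer path, if it allows one): toNamespacedPath would presumably hand it back unchanged, and the check would then run on an un-normalised value. The opening lines of openAsBlob are outside the hunk.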

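--- a/src/node_blob.cc
+++ b/src/node_blob.cc
@@ -8,6 +8,7 @@
 #include "node_errors.h"
 #include "node_external_reference.h"
 #include "node_file.h"
+#include "permission/permission.h"
 #include "util.h"
 #include "v8.h"
 
@@ -85,6 +86,10 @@ void Concat(const FunctionCallbackInfo<Value>& args) {
 
 void BlobFromFilePath(const FunctionCallbackInfo<Value>& args) {
 Environment* env = Environment::GetCurrent(args);
+BufferValue path(env->isolate(), args[0]);
+CHECK_NOT_NULL(*path);
+THROW_IF_INSUFFICIENT_PERMISSIONS(
+env, permission::PermissionScope::kFileSystemRead, path.ToStringView());
 auto entry = DataQueue::CreateFdEntry(env, args[0]);
 if (entry == nullptr) {
 return THROW_ERR_INVALID_ARG_VALUE(env, "Unabled to open file as blob");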
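Review bot: In BlobFromFilePath the permission check and the open use two separate conversions of `args[0]`: `path` feeds THROW_IF_INSUFFICIENT_PERMISSIONS, while `DataQueue::CreateFdEntry(env, args[0])` derives the file name again on its own. The two should agree for a string argument, but nothing in the hunk ties them together, and as far as the visible lines show the check judges the string exactly as passed, so it depends on the JavaScript caller having validated and normalised it. I would state that contract above the check: `// args[0] must already be validated and namespaced by lib/fs.js; the check below compares it as given.` Note too that `CHECK_NOT_NULL(*path)` aborts the process rather than throwing when the argument cannot be converted, which is acceptable only while this binding is reachable solely from internal callers. The function continues past the end of the hunk.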

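--- a/test/fixtures/permission/fs-read.js
+++ b/test/fixtures/permission/fs-read.js
@@ -249,3 +249,14 @@ const regularFile = __filename;
 resource: path.toNamespacedPath(blockedFile),
 }));
 }
+
+// fs.openAsBlob
+{
+assert.throws(() => {
+fs.openAsBlob(blockedFile);
+}, common.expectsError({
+code: 'ERR_ACCESS_DENIED',
+permission: 'FileSystemRead',
+resource: path.toNamespacedPath(blockedFile),
+}));
+}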
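Review bot: The new case asserts the denial with `assert.throws`, that is as a synchronous throw, although the comment in lib/fs.js in this same commit says openAsBlob returns a Promise so that it can become asynchronous later. A comment such as `// The denial is thrown synchronously by the binding, before any Promise is returned.` would make that dependency explicit, so a later async change does not quietly turn the error into a rejection this test never observes. Only a string path to the blocked file is covered; a companion case showing that a permitted file still opens (the fixture defines `regularFile`, assuming it is in the allowed set) would guard against the check over-blocking.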
