permission: handle fs.openAsBlob

Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1966492
PR-URL: nodejs-private/node-private#405
Reviewed-By: Tobias Nießen <tniessen@tnie.de>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2023-30583

Author: RafaelGSS

lib/fs.js

@@ -604,7 +604,8 @@ function openAsBlob(path, options = kEmptyObject) {
   // The underlying implementation here returns the Blob synchronously for now.
   // To give ourselves flexibility to maybe return the Blob asynchronously,
   // this API returns a Promise.
-  return PromiseResolve(createBlobFromFilePath(getValidatedPath(path), { type }));
+  path = getValidatedPath(path);
+  return PromiseResolve(createBlobFromFilePath(pathModule.toNamespacedPath(path), { type }));
 }
 
 /**

src/node_blob.cc

@@ -8,6 +8,7 @@
 #include "node_errors.h"
 #include "node_external_reference.h"
 #include "node_file.h"
+#include "permission/permission.h"
 #include "util.h"
 #include "v8.h"
 
@@ -85,6 +86,10 @@ void Concat(const FunctionCallbackInfo<Value>& args) {
 
 void BlobFromFilePath(const FunctionCallbackInfo<Value>& args) {
   Environment* env = Environment::GetCurrent(args);
+  BufferValue path(env->isolate(), args[0]);
+  CHECK_NOT_NULL(*path);
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      env, permission::PermissionScope::kFileSystemRead, path.ToStringView());
   auto entry = DataQueue::CreateFdEntry(env, args[0]);
   if (entry == nullptr) {
     return THROW_ERR_INVALID_ARG_VALUE(env, "Unabled to open file as blob");

test/fixtures/permission/fs-read.js

@@ -249,3 +249,14 @@ const regularFile = __filename;
     resource: path.toNamespacedPath(blockedFile),
   }));
 }
+
+// fs.openAsBlob
+{
+  assert.throws(() => {
+    fs.openAsBlob(blockedFile);
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+    resource: path.toNamespacedPath(blockedFile),
+  }));
+}