Skip to content

Commit

Permalink
permission: add path separator to loader check
Browse files Browse the repository at this point in the history
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: #47030
Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com>
Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com>
Reviewed-By: Paolo Insogna <paolo@cowtech.it>
Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
  • Loading branch information
RafaelGSS authored Mar 15, 2023
1 parent 0b328b2 commit 1726da9
Show file tree
Hide file tree
Showing 3 changed files with 28 additions and 2 deletions.
2 changes: 1 addition & 1 deletion lib/internal/modules/cjs/loader.js
Original file line number Diff line number Diff line change
Expand Up @@ -423,7 +423,7 @@ function readPackageScope(checkPath) {
checkPath = StringPrototypeSlice(checkPath, 0, separatorIndex);
// Stop the search when the process doesn't have permissions
// to walk upwards
if (enabledPermission && !permission.has('fs.read', checkPath)) {
if (enabledPermission && !permission.has('fs.read', checkPath + sep)) {
return false;
}
if (StringPrototypeEndsWith(checkPath, sep + 'node_modules'))
Expand Down
3 changes: 3 additions & 0 deletions test/fixtures/permission/loader/index.js
Original file line number Diff line number Diff line change
@@ -0,0 +1,3 @@
const fs = require('node:fs');

fs.readFile('/etc/passwd', () => {});
25 changes: 24 additions & 1 deletion test/parallel/test-cli-permission-deny-fs.js
Original file line number Diff line number Diff line change
@@ -1,9 +1,12 @@
'use strict';

require('../common');
const common = require('../common');

const fixtures = require('../common/fixtures');
const { spawnSync } = require('child_process');
const assert = require('assert');
const fs = require('fs');
const path = require('path');

{
const { status, stdout } = spawnSync(
Expand Down Expand Up @@ -126,3 +129,23 @@ const fs = require('fs');
assert.strictEqual(status, 1);
assert.ok(!fs.existsSync('permission-deny-example.md'));
}

{
const { root } = path.parse(process.cwd());
const abs = (p) => path.join(root, p);
const firstPath = abs(path.sep + process.cwd().split(path.sep, 2)[1]);
if (firstPath.startsWith('/etc')) {
common.skip('/etc as firstPath');
}
const file = fixtures.path('permission', 'loader', 'index.js');
const { status, stderr } = spawnSync(
process.execPath,
[
'--experimental-permission',
`--allow-fs-read=${firstPath}`,
file,
]
);
assert.match(stderr.toString(), /resource: '.*?[\\/](?:etc|passwd)'/);
assert.strictEqual(status, 1);
}

0 comments on commit 1726da9

Please sign in to comment.