From ceca668658c5b24736d7d653ffa24ebc5ed740e1 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Thu, 9 Mar 2023 13:21:01 -0300 Subject: [PATCH] permission: add path separator to loader check --- lib/internal/modules/cjs/loader.js | 2 +- test/fixtures/permission/loader/index.js | 3 +++ test/parallel/test-cli-permission-deny-fs.js | 23 +++++++++++++++++++- 3 files changed, 26 insertions(+), 2 deletions(-) create mode 100644 test/fixtures/permission/loader/index.js diff --git a/lib/internal/modules/cjs/loader.js b/lib/internal/modules/cjs/loader.js index 0727c8d2cffad3..a864ee94056bd4 100644 --- a/lib/internal/modules/cjs/loader.js +++ b/lib/internal/modules/cjs/loader.js @@ -423,7 +423,7 @@ function readPackageScope(checkPath) { checkPath = StringPrototypeSlice(checkPath, 0, separatorIndex); // Stop the search when the process doesn't have permissions // to walk upwards - if (enabledPermission && !permission.has('fs.read', checkPath)) { + if (enabledPermission && !permission.has('fs.read', checkPath + sep)) { return false; } if (StringPrototypeEndsWith(checkPath, sep + 'node_modules')) diff --git a/test/fixtures/permission/loader/index.js b/test/fixtures/permission/loader/index.js new file mode 100644 index 00000000000000..d0bb5ebde606e8 --- /dev/null +++ b/test/fixtures/permission/loader/index.js @@ -0,0 +1,3 @@ +const fs = require('node:fs'); + +fs.readFile('/etc/passwd', () => {}); diff --git a/test/parallel/test-cli-permission-deny-fs.js b/test/parallel/test-cli-permission-deny-fs.js index 6af6ba40788175..9bdbe4fd8c7244 100644 --- a/test/parallel/test-cli-permission-deny-fs.js +++ b/test/parallel/test-cli-permission-deny-fs.js @@ -1,9 +1,12 @@ 'use strict'; -require('../common'); +const common = require('../common'); + +const fixtures = require('../common/fixtures'); const { spawnSync } = require('child_process'); const assert = require('assert'); const fs = require('fs'); +const path = require('path'); { const { status, stdout } = spawnSync( @@ -126,3 +129,21 @@ const fs = require('fs'); assert.strictEqual(status, 1); assert.ok(!fs.existsSync('permission-deny-example.md')); } + +{ + const firstPath = path.sep + process.cwd().split(path.sep, 2)[1]; + if (firstPath.startsWith('/etc')) { + common.skip('/etc as firstPath'); + } + const file = fixtures.path('permission', 'loader', 'index.js'); + const { status, stderr } = spawnSync( + process.execPath, + [ + '--experimental-permission', + `--allow-fs-read=${firstPath}`, + file, + ] + ); + assert.match(stderr.toString(), /resource:\s+'\/etc\/passwd'/); + assert.strictEqual(status, 1); +}