src,permission: resolve path on fs_permission

Signed-off-by: RafaelGSS <[email protected]>
PR-URL: #52761
Reviewed-By: Marco Ippolito <[email protected]>
Reviewed-By: Rich Trott <[email protected]>

Author: RafaelGSS

doc/api/permissions.md

@@ -583,8 +583,6 @@ There are constraints you need to know before using this system:
 
 #### Limitations and Known Issues
 
-* When the permission model is enabled, Node.js may resolve some paths
-  differently than when it is disabled.
 * Symbolic links will be followed even to locations outside of the set of paths
   that access has been granted to. Relative symbolic links may allow access to
   arbitrary files and directories. When starting applications with the

lib/internal/fs/utils.js

@@ -24,11 +24,8 @@ const {
   Symbol,
   TypedArrayPrototypeAt,
   TypedArrayPrototypeIncludes,
-  uncurryThis,
 } = primordials;
 
-const permission = require('internal/process/permission');
-
 const { Buffer } = require('buffer');
 const {
   UVException,
@@ -68,8 +65,6 @@ const kType = Symbol('type');
 const kStats = Symbol('stats');
 const assert = require('internal/assert');
 
-const { encodeUtf8String } = internalBinding('encoding_binding');
-
 const {
   fs: {
     F_OK = 0,
@@ -736,31 +731,10 @@ const validatePath = hideStackFrames((path, propName = 'path') => {
   );
 });
 
-// TODO(rafaelgss): implement the path.resolve on C++ side
-// See: https://github.com/nodejs/node/pull/44004#discussion_r930958420
-// The permission model needs the absolute path for the fs_permission
-const resolvePath = pathModule.resolve;
-const { isBuffer: BufferIsBuffer, from: BufferFrom } = Buffer;
-const BufferToString = uncurryThis(Buffer.prototype.toString);
-function possiblyTransformPath(path) {
-  if (permission.isEnabled()) {
-    if (typeof path === 'string') {
-      return resolvePath(path);
-    }
-    assert(isUint8Array(path));
-    if (!BufferIsBuffer(path)) path = BufferFrom(path);
-    // Avoid Buffer.from() and use a C++ binding instead to encode the result
-    // of path.resolve() in order to prevent path traversal attacks that
-    // monkey-patch Buffer internals.
-    return encodeUtf8String(resolvePath(BufferToString(path)));
-  }
-  return path;
-}
-
 const getValidatedPath = hideStackFrames((fileURLOrPath, propName = 'path') => {
   const path = toPathIfFileURL(fileURLOrPath);
   validatePath(path, propName);
-  return possiblyTransformPath(path);
+  return path;
 });
 
 const getValidatedFd = hideStackFrames((fd, propName = 'fd') => {
@@ -994,7 +968,6 @@ module.exports = {
   getValidatedFd,
   getValidatedPath,
   handleErrorFromBinding,
-  possiblyTransformPath,
   preprocessSymlinkDestination,
   realpathCacheKey: Symbol('realpathCacheKey'),
   getStatFsFromBinding,

src/compile_cache.cc

@@ -354,15 +354,15 @@ bool CompileCacheHandler::InitializeDirectory(Environment* env,
         cache_dir);
 
   if (UNLIKELY(!env->permission()->is_granted(
-          permission::PermissionScope::kFileSystemWrite, cache_dir))) {
+          env, permission::PermissionScope::kFileSystemWrite, cache_dir))) {
     Debug("[compile cache] skipping cache because write permission for %s "
           "is not granted\n",
           cache_dir);
     return false;
   }
 
   if (UNLIKELY(!env->permission()->is_granted(
-          permission::PermissionScope::kFileSystemRead, cache_dir))) {
+          env, permission::PermissionScope::kFileSystemRead, cache_dir))) {
     Debug("[compile cache] skipping cache because read permission for %s "
           "is not granted\n",
           cache_dir);

src/node_modules.cc

@@ -308,6 +308,7 @@ const BindingData::PackageConfig* BindingData::TraverseParent(
     // to walk upwards
     if (UNLIKELY(is_permissions_enabled &&
                  !env->permission()->is_granted(
+                     env,
                      permission::PermissionScope::kFileSystemRead,
                      std::string(check_path) + kPathSeparator))) {
       return nullptr;

src/node_worker.cc

@@ -89,7 +89,7 @@ Worker::Worker(Environment* env,
   // Without this check, to use the permission model with
   // workers (--allow-worker) one would need to pass --allow-inspector as well
   if (env->permission()->is_granted(
-          node::permission::PermissionScope::kInspector)) {
+          env, node::permission::PermissionScope::kInspector)) {
     inspector_parent_handle_ =
         GetInspectorParentHandle(env, thread_id_, url.c_str(), name.c_str());
   }

src/permission/child_process_permission.cc

@@ -15,7 +15,8 @@ void ChildProcessPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
-bool ChildProcessPermission::is_granted(PermissionScope perm,
+bool ChildProcessPermission::is_granted(Environment* env,
+                                        PermissionScope perm,
                                         const std::string_view& param) const {
   return deny_all_ == false;
 }

src/permission/child_process_permission.h

@@ -15,7 +15,8 @@ class ChildProcessPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
-  bool is_granted(PermissionScope perm,
+  bool is_granted(Environment* env,
+                  PermissionScope perm,
                   const std::string_view& param = "") const override;
 
  private:

src/permission/fs_permission.cc

@@ -1,6 +1,7 @@
 #include "fs_permission.h"
 #include "base_object-inl.h"
 #include "debug_utils-inl.h"
+#include "env.h"
 #include "path.h"
 #include "v8.h"
 
@@ -51,21 +52,23 @@ void FreeRecursivelyNode(
 }
 
 bool is_tree_granted(
+    node::Environment* env,
     const node::permission::FSPermission::RadixTree* granted_tree,
     const std::string_view& param) {
+  std::string resolved_param = node::PathResolve(env, {param});
 #ifdef _WIN32
   // is UNC file path
-  if (param.rfind("\\\\", 0) == 0) {
+  if (resolved_param.rfind("\\\\", 0) == 0) {
     // return lookup with normalized param
     size_t starting_pos = 4;  // "\\?\"
-    if (param.rfind("\\\\?\\UNC\\") == 0) {
+    if (resolved_param.rfind("\\\\?\\UNC\\") == 0) {
       starting_pos += 4;  // "UNC\"
     }
     auto normalized = param.substr(starting_pos);
     return granted_tree->Lookup(normalized, true);
   }
 #endif
-  return granted_tree->Lookup(param, true);
+  return granted_tree->Lookup(resolved_param, true);
 }
 
 void PrintTree(const node::permission::FSPermission::RadixTree::Node* node,
@@ -146,19 +149,20 @@ void FSPermission::GrantAccess(PermissionScope perm, const std::string& res) {
   }
 }
 
-bool FSPermission::is_granted(PermissionScope perm,
+bool FSPermission::is_granted(Environment* env,
+                              PermissionScope perm,
                               const std::string_view& param = "") const {
   switch (perm) {
     case PermissionScope::kFileSystem:
       return allow_all_in_ && allow_all_out_;
     case PermissionScope::kFileSystemRead:
       return !deny_all_in_ &&
              ((param.empty() && allow_all_in_) || allow_all_in_ ||
-              is_tree_granted(&granted_in_fs_, param));
+              is_tree_granted(env, &granted_in_fs_, param));
     case PermissionScope::kFileSystemWrite:
       return !deny_all_out_ &&
              ((param.empty() && allow_all_out_) || allow_all_out_ ||
-              is_tree_granted(&granted_out_fs_, param));
+              is_tree_granted(env, &granted_out_fs_, param));
     default:
       return false;
   }

src/permission/fs_permission.h

@@ -18,7 +18,8 @@ class FSPermission final : public PermissionBase {
   void Apply(Environment* env,
              const std::vector<std::string>& allow,
              PermissionScope scope) override;
-  bool is_granted(PermissionScope perm,
+  bool is_granted(Environment* env,
+                  PermissionScope perm,
                   const std::string_view& param) const override;
 
   struct RadixTree {

src/permission/inspector_permission.cc

@@ -14,7 +14,8 @@ void InspectorPermission::Apply(Environment* env,
   deny_all_ = true;
 }
 
-bool InspectorPermission::is_granted(PermissionScope perm,
+bool InspectorPermission::is_granted(Environment* env,
+                                     PermissionScope perm,
                                      const std::string_view& param) const {
   return deny_all_ == false;
 }