permission: add path separator to loader check

RafaelGSS · web-flow · commit 1726da93000b · 2023-03-15T14:27:26.000Z
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: #47030 Reviewed-By: Geoffrey Booth <webadmin@geoffreybooth.com> Reviewed-By: Benjamin Gruenbaum <benjamingr@gmail.com> Reviewed-By: Paolo Insogna <paolo@cowtech.it> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com>
diff --git a/lib/internal/modules/cjs/loader.js b/lib/internal/modules/cjs/loader.js
@@ -423,7 +423,7 @@ function readPackageScope(checkPath) {
     checkPath = StringPrototypeSlice(checkPath, 0, separatorIndex);
     // Stop the search when the process doesn't have permissions
     // to walk upwards
-    if (enabledPermission && !permission.has('fs.read', checkPath)) {
+    if (enabledPermission && !permission.has('fs.read', checkPath + sep)) {
       return false;
     }
     if (StringPrototypeEndsWith(checkPath, sep + 'node_modules'))
diff --git a/test/fixtures/permission/loader/index.js b/test/fixtures/permission/loader/index.js
@@ -0,0 +1,3 @@
+const fs = require('node:fs');
+
+fs.readFile('/etc/passwd', () => {});
diff --git a/test/parallel/test-cli-permission-deny-fs.js b/test/parallel/test-cli-permission-deny-fs.js
@@ -1,9 +1,12 @@
 'use strict';
 
-require('../common');
+const common = require('../common');
+
+const fixtures = require('../common/fixtures');
 const { spawnSync } = require('child_process');
 const assert = require('assert');
 const fs = require('fs');
+const path = require('path');
 
 {
   const { status, stdout } = spawnSync(
@@ -126,3 +129,23 @@ const fs = require('fs');
   assert.strictEqual(status, 1);
   assert.ok(!fs.existsSync('permission-deny-example.md'));
 }
+
+{
+  const { root } = path.parse(process.cwd());
+  const abs = (p) => path.join(root, p);
+  const firstPath = abs(path.sep + process.cwd().split(path.sep, 2)[1]);
+  if (firstPath.startsWith('/etc')) {
+    common.skip('/etc as firstPath');
+  }
+  const file = fixtures.path('permission', 'loader', 'index.js');
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      `--allow-fs-read=${firstPath}`,
+      file,
+    ]
+  );
+  assert.match(stderr.toString(), /resource: '.*?[\\/](?:etc|passwd)'/);
+  assert.strictEqual(status, 1);
+}

Original file line number	Diff line number	Diff line change
`@@ -423,7 +423,7 @@ function readPackageScope(checkPath) {`
`423`	`423`	`checkPath = StringPrototypeSlice(checkPath, 0, separatorIndex);`
`424`	`424`	`// Stop the search when the process doesn't have permissions`
`425`	`425`	`// to walk upwards`
`426`		`- if (enabledPermission && !permission.has('fs.read', checkPath)) {`
	`426`	`+ if (enabledPermission && !permission.has('fs.read', checkPath + sep)) {`
`427`	`427`	`return false;`
`428`	`428`	`}`
`429`	`429`	`if (StringPrototypeEndsWith(checkPath, sep + 'node_modules'))`
Original file line number	Diff line number	Diff line change
`@@ -0,0 +1,3 @@`
	`1`	`+const fs = require('node:fs');`
	`2`	`+`
	`3`	`+fs.readFile('/etc/passwd', () => {});`