permission: handle process.chdir on writereport

RafaelGSS · aduh95 · commit 6bc17a6b5156 · 2026-06-17T18:50:34.000+02:00
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: nodejs-private/node-private#870 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48617 Refs: https://hackerone.com/reports/3625987
diff --git a/lib/internal/process/report.js b/lib/internal/process/report.js
@@ -5,9 +5,11 @@ const {
 } = primordials;
 
 const {
+  ERR_ACCESS_DENIED,
   ERR_SYNTHETIC,
 } = require('internal/errors').codes;
 const { getValidatedPath } = require('internal/fs/utils');
+const permission = require('internal/process/permission');
 const {
   validateBoolean,
   validateObject,
@@ -26,6 +28,17 @@ const report = {
       file = getValidatedPath(file);
     }
 
+    if (permission.isEnabled()) {
+      const resource = file ?? process.cwd();
+      if (!permission.has('fs.write', resource)) {
+        throw new ERR_ACCESS_DENIED(
+          'Access to this API has been restricted',
+          'FileSystemWrite',
+          resource,
+        );
+      }
+    }
+
     if (err === undefined) {
       err = new ERR_SYNTHETIC();
     } else {
diff --git a/test/parallel/test-permission-fs-write-report.js b/test/parallel/test-permission-fs-write-report.js
@@ -1,7 +1,7 @@
-// Flags: --permission --allow-fs-read=*
 'use strict';
 
 const common = require('../common');
+const { spawnSyncAndExitWithoutError } = require('../common/child_process');
 const { isMainThread } = require('worker_threads');
 
 if (!isMainThread) {
@@ -12,7 +12,21 @@ if (!common.hasCrypto) {
   common.skip('no crypto');
 }
 
+// We need to define the flags dynamically to account for the `NODE_TEST_DIR` env var.
+if (!process.permission) {
+  spawnSyncAndExitWithoutError(process.execPath, [
+    '--permission',
+    '--allow-fs-read=*', `--allow-fs-write=${process.env.NODE_TEST_DIR || './test'}/.tmp.*`, '--allow-child-process',
+    __filename,
+  ]);
+  return;
+}
+
 const assert = require('assert');
+const path = require('path');
+const tmpdir = require('../common/tmpdir');
+
+tmpdir.refresh();
 
 {
   assert.throws(() => {
@@ -33,3 +47,29 @@ const assert = require('assert');
     resource: process.cwd(),
   }));
 }
+
+{
+  const reportPath = path.join(tmpdir.path, 'report.json');
+  spawnSyncAndExitWithoutError(
+    process.execPath,
+    [
+      '--permission',
+      '--allow-fs-read=*',
+      `--allow-fs-write=${tmpdir.path}/*`,
+      '-e',
+      `process.report.writeReport(${JSON.stringify(reportPath)})`,
+    ]
+  );
+}
+
+spawnSyncAndExitWithoutError(
+  process.execPath,
+  [
+    '--permission',
+    '--allow-fs-read=*',
+    `--allow-fs-write=${tmpdir.path}`,
+    '-e',
+    'process.report.writeReport()',
+  ],
+  { cwd: tmpdir.path }
+);
