lib: disable futimes when permission model is enabled · nodejs/node@b4b887c · GitHub

Commit b4b887c

committed
lib: disable futimes when permission model is enabled
Refs: https://hackerone.com/reports/3390084 PR-URL: nodejs-private/node-private#748 Reviewed-By: Matteo Collina <matteo.collina@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> CVE-ID: CVE-2025-55132
1 parent fc996fd commit b4b887c

3 files changed

Lines changed: 85 additions & 1 deletion


lib/fs.js

Lines changed: 24 additions & 0 deletions

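--- a/test/fixtures/permission/fs-write.js
+++ b/test/fixtures/permission/fs-write.js
@@ -584,3 +584,48 @@ const relativeProtectedFolder = process.env.RELATIVEBLOCKEDFOLDER;
 code: 'ERR_ACCESS_DENIED',
 });
 }
+
+// fs.utimes with read-only fd
+{
+assert.throws(() => {
+// blocked file is allowed to read
+const fd = fs.openSync(blockedFile, 'r');
+const date = new Date();
+date.setFullYear(2100,0,1);
+
+fs.futimes(fd, date, date, common.expectsError({
+code: 'ERR_ACCESS_DENIED',
+}));
+fs.futimesSync(fd, date, date);
+}, {
+code: 'ERR_ACCESS_DENIED',
+});
+}
+
+// fs.fdatasync with read-only fd
+{
+assert.throws(() => {
+// blocked file is allowed to read
+const fd = fs.openSync(blockedFile, 'r');
+fs.fdatasync(fd, common.expectsError({
+code: 'ERR_ACCESS_DENIED',
+}));
+fs.fdatasyncSync(fd);
+}, {
+code: 'ERR_ACCESS_DENIED',
+});
+}
+
+// fs.fsync with read-only fd
+{
+assert.throws(() => {
+// blocked file is allowed to read
+const fd = fs.openSync(blockedFile, 'r');
+fs.fsync(fd, common.expectsError({
+code: 'ERR_ACCESS_DENIED',
+}));
+fs.fsyncSync(fd);
+}, {
+code: 'ERR_ACCESS_DENIED',
+});
+}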
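Review bot: In each of the three added blocks the callback form and the Sync form sit inside one `assert.throws`, so the assertion is satisfied by whichever call throws first; if `fs.futimes` (or `fs.fdatasync` / `fs.fsync`) ever rejects by throwing synchronously, the `*Sync` call after it is never reached and that path silently loses its regression coverage for CVE-2025-55132. The lib/fs.js change is not visible on this page, so which form throws cannot be confirmed here. Issuing the callback call on its own and wrapping only the sync call, `assert.throws(() => fs.futimesSync(fd, date, date), { code: 'ERR_ACCESS_DENIED' });`, keeps the two variants independently checked. The first comment names `fs.utimes` while the block exercises the fd-based API; `// fs.futimes with read-only fd` would match. The descriptor returned by `fs.openSync(blockedFile, 'r')` is also never closed in any of the three blocks, and the hunk does not show whether the promise-based `FileHandle` equivalents are covered elsewhere in the fixture.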

test/parallel/test-permission-fs-supported.js

Lines changed: 16 additions & 1 deletion
