From 5d9c8116348e7834b145b874b9de5e691e4f0935 Mon Sep 17 00:00:00 2001 From: RafaelGSS Date: Mon, 22 Apr 2024 18:45:13 -0300 Subject: [PATCH] src,permission: fix UNC path resolution PR-URL: https://github.com/nodejs-private/node-private/pull/581 Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=2079103 CVE-ID: CVE-2024-37372 --- src/permission/fs_permission.cc | 21 +++++++++++-------- .../test-permission-fs-windows-path.js | 9 ++++++++ 2 files changed, 21 insertions(+), 9 deletions(-) diff --git a/src/permission/fs_permission.cc b/src/permission/fs_permission.cc index ced07e26b94ef2..757b42b23a2d71 100644 --- a/src/permission/fs_permission.cc +++ b/src/permission/fs_permission.cc @@ -57,15 +57,18 @@ bool is_tree_granted( const std::string_view& param) { std::string resolved_param = node::PathResolve(env, {param}); #ifdef _WIN32 - // is UNC file path - if (resolved_param.rfind("\\\\", 0) == 0) { - // return lookup with normalized param - size_t starting_pos = 4; // "\\?\" - if (resolved_param.rfind("\\\\?\\UNC\\") == 0) { - starting_pos += 4; // "UNC\" - } - auto normalized = param.substr(starting_pos); - return granted_tree->Lookup(normalized, true); + // Remove leading "\\?\" from UNC path + if (resolved_param.substr(0, 4) == "\\\\?\\") { + resolved_param.erase(0, 4); + } + + // Remove leading "UNC\" from UNC path + if (resolved_param.substr(0, 4) == "UNC\\") { + resolved_param.erase(0, 4); + } + // Remove leading "//" from UNC path + if (resolved_param.substr(0, 2) == "//") { + resolved_param.erase(0, 2); } #endif return granted_tree->Lookup(resolved_param, true); diff --git a/test/parallel/test-permission-fs-windows-path.js b/test/parallel/test-permission-fs-windows-path.js index b64cef12b47c18..552f8e1c21694b 100644 --- a/test/parallel/test-permission-fs-windows-path.js +++ b/test/parallel/test-permission-fs-windows-path.js @@ -38,3 +38,12 @@ if (!common.isWindows) { assert.strictEqual(stdout.toString(), 'true\n', stderr.toString()); assert.strictEqual(status, 0); } + +{ + const { stdout, status, stderr } = spawnSync(process.execPath, [ + '--experimental-permission', '--allow-fs-write', 'C:\\*', '-e', + "console.log(process.permission.has('fs.write', '\\\\\\\\A\\\\C:\\Users'))", + ]); + assert.strictEqual(stdout.toString(), 'false\n', stderr.toString()); + assert.strictEqual(status, 0); +}