permission: handle end nodes with children cases #48531

Merged
merged 1 commit into from
Jun 25, 2023

Member

@RafaelGSS RafaelGSS commented Jun 23, 2023

When two paths overlap, the permission model returns a false negative because the Node* doesn't contain an empty child ("") to consider it as an end node. For instance, if you call --allow-fs-read=/home/index.js,/home/index.json and call process.permission.has for both paths, it will return false for the index.js since it will create the following radix tree:

Child /
  Prefix: /home/index.js
  Child o
    Prefix: on
    End of tree: on
  End of tree(c): /home/index.js
End of tree(c):

and if you invert the parameters order: --allow-fs-read=/home/index.json,/home/index.js it will create an empty child for "/home/index.js" indicating "end node".

To handle it I've included a new parameter to Node*: is_leaf.
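
The end-node case from the description above, as an added example that is not code from this pull request or from Node.js: a simplified C++ radix tree over exact paths, where an `is_leaf` flag marks a node as a granted end node even when it also has children. The struct layout and the function names `Insert` and `Has` are assumptions of this example; wildcards and directory grants are not modelled.

```cpp
#include <map>
#include <memory>
#include <string>
#include <utility>

struct Node {  // simplified, illustrative radix node (not the Node.js source)
  std::string prefix;
  std::map<char, std::unique_ptr<Node>> children;
  bool is_leaf = false;  // true only when a granted path ends exactly here
};

void Insert(Node* node, const std::string& path) {
  size_t i = 0;
  while (i < path.size()) {
    auto& slot = node->children[path[i]];
    if (!slot) {  // no edge starts with this byte: add one for the rest
      slot = std::make_unique<Node>();
      slot->prefix = path.substr(i);
    }
    Node* child = slot.get();
    size_t n = 0;  // common prefix length of the edge and the remaining path
    while (n < child->prefix.size() && i + n < path.size() &&
           child->prefix[n] == path[i + n]) ++n;
    if (n < child->prefix.size()) {  // split the edge; the tail keeps old state
      auto tail = std::make_unique<Node>();
      tail->prefix = child->prefix.substr(n);
      std::swap(tail->children, child->children);
      tail->is_leaf = child->is_leaf;
      child->prefix.resize(n);
      child->is_leaf = false;  // a split point is not a grant by itself
      const char key = tail->prefix[0];
      child->children[key] = std::move(tail);
    }
    i += n;
    node = child;
  }
  node->is_leaf = true;  // the path may end on a node that already has children
}

bool Has(const Node* node, const std::string& path) {
  size_t i = 0;
  while (i < path.size()) {
    auto it = node->children.find(path[i]);
    if (it == node->children.end()) return false;
    node = it->second.get();
    if (path.compare(i, node->prefix.size(), node->prefix) != 0) return false;
    i += node->prefix.size();
  }
  return node->is_leaf;  // consuming the whole path is not enough on its own
}
```

Inserting /home/index.json and /home/index.jsx also creates a /home/index.js node, but only as a split point, so `Has` must not report it as granted.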

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. labels Jun 23, 2023
@RafaelGSS RafaelGSS force-pushed the fix-leaf-node-perm-model branch from d301f50 to 394d0ea Compare June 23, 2023 19:47
@RafaelGSS RafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Jun 23, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Jun 23, 2023
@anonrig anonrig added the author ready PRs that have at least one approval, no pending requests for changes, and a CI started. label Jun 24, 2023
@RafaelGSS RafaelGSS added the commit-queue Add this label to land a pull request using GitHub Actions. label Jun 25, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Jun 25, 2023
@nodejs-github-bot nodejs-github-bot merged commit b38bc9f into nodejs:main Jun 25, 2023
@nodejs-github-bot
Collaborator

Landed in b38bc9f

RafaelGSS added a commit that referenced this pull request Jul 3, 2023
PR-URL: #48531
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
@RafaelGSS RafaelGSS mentioned this pull request Jul 3, 2023
@tniessen tniessen added the permission Issues and PRs related to the Permission Model label Aug 10, 2023
Ceres6 pushed a commit to Ceres6/node that referenced this pull request Aug 14, 2023
PR-URL: nodejs#48531
Reviewed-By: Yagiz Nizipli <[email protected]>
Reviewed-By: Juan José Arboleda <[email protected]>
@ruyadorno
Member

This commit does not land cleanly on v18.x-staging and will need manual backport in case we want it in v18.

@ruyadorno ruyadorno added the backport-requested-v18.x PRs awaiting manual backport to the v18.x-staging branch. label Sep 10, 2023
@RafaelGSS RafaelGSS added dont-land-on-v16.x dont-land-on-v18.x PRs that should not land on the v18.x-staging branch and should not be released in v18.x. and removed backport-requested-v18.x PRs awaiting manual backport to the v18.x-staging branch. labels Sep 10, 2023
Labels
author ready PRs that have at least one approval, no pending requests for changes, and a CI started. c++ Issues and PRs that require attention from people who are familiar with C++. dont-land-on-v18.x PRs that should not land on the v18.x-staging branch and should not be released in v18.x. needs-ci PRs that need a full CI run. permission Issues and PRs related to the Permission Model