lib,permission: disable fchmod/fchown when pm enabled

RafaelGSS · RafaelGSS · commit 01e9eac91234 · 2024-07-08T15:38:33.000-03:00
PR-URL: nodejs-private/node-private#584 Refs: https://hackerone.com/reports/2472071 CVE-ID: CVE-2024-36137
diff --git a/lib/fs.js b/lib/fs.js
@@ -1877,6 +1877,11 @@ function fchmod(fd, mode, callback) {
   mode = parseFileMode(mode, 'mode');
   callback = makeCallback(callback);
 
+  if (permission.isEnabled()) {
+    callback(new ERR_ACCESS_DENIED('fchmod API is disabled when Permission Model is enabled.'));
+    return;
+  }
+
   const req = new FSReqCallback();
   req.oncomplete = callback;
   binding.fchmod(fd, mode, req);
@@ -1889,6 +1894,9 @@ function fchmod(fd, mode, callback) {
  * @returns {void}
  */
 function fchmodSync(fd, mode) {
+  if (permission.isEnabled()) {
+    throw new ERR_ACCESS_DENIED('fchmod API is disabled when Permission Model is enabled.');
+  }
   binding.fchmod(
     fd,
     parseFileMode(mode, 'mode'),
@@ -2012,6 +2020,10 @@ function fchown(fd, uid, gid, callback) {
   validateInteger(uid, 'uid', -1, kMaxUserId);
   validateInteger(gid, 'gid', -1, kMaxUserId);
   callback = makeCallback(callback);
+  if (permission.isEnabled()) {
+    callback(new ERR_ACCESS_DENIED('fchown API is disabled when Permission Model is enabled.'));
+    return;
+  }
 
   const req = new FSReqCallback();
   req.oncomplete = callback;
@@ -2028,6 +2040,9 @@ function fchown(fd, uid, gid, callback) {
 function fchownSync(fd, uid, gid) {
   validateInteger(uid, 'uid', -1, kMaxUserId);
   validateInteger(gid, 'gid', -1, kMaxUserId);
+  if (permission.isEnabled()) {
+    throw new ERR_ACCESS_DENIED('fchown API is disabled when Permission Model is enabled.');
+  }
 
   binding.fchown(fd, uid, gid);
 }
diff --git a/test/fixtures/permission/fs-write.js b/test/fixtures/permission/fs-write.js
@@ -462,4 +462,32 @@ const relativeProtectedFolder = process.env.RELATIVEBLOCKEDFOLDER;
     permission: 'FileSystemWrite',
     resource: path.toNamespacedPath(blockedFile),
   });
+}
+
+// fs.fchown with read-only fd
+{
+  assert.throws(() => {
+    // blocked file is allowed to read
+    const fd = fs.openSync(blockedFile, 'r');
+    fs.fchmod(fd, 777, common.expectsError({
+      code: 'ERR_ACCESS_DENIED',
+    }));
+    fs.fchmodSync(fd, 777);
+  }, {
+    code: 'ERR_ACCESS_DENIED',
+  });
+}
+
+// fs.fchmod with read-only fd
+{
+  assert.throws(() => {
+    // blocked file is allowed to read
+    const fd = fs.openSync(blockedFile, 'r');
+    fs.fchown(fd, 999, 999, common.expectsError({
+      code: 'ERR_ACCESS_DENIED',
+    }));
+    fs.fchownSync(fd, 999, 999);
+  }, {
+    code: 'ERR_ACCESS_DENIED',
+  });
 }
