src,permission: fix UNC path resolution
PR-URL: nodejs-private/node-private#581
CVE-ID: CVE-2024-37372
RafaelGSS committed Jul 3, 2024
1 parent 60e184a commit 2524d00
Showing 2 changed files with 21 additions and 9 deletions.
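--- a/src/permission/fs_permission.cc
+++ b/src/permission/fs_permission.cc
@@ -57,15 +57,18 @@ bool is_tree_granted(
 const std::string_view& param) {
 std::string resolved_param = node::PathResolve(env, {param});
 #ifdef _WIN32
-// is UNC file path
-if (resolved_param.rfind("\\\\", 0) == 0) {
-// return lookup with normalized param
-size_t starting_pos = 4; // "\\?\"
-if (resolved_param.rfind("\\\\?\\UNC\\") == 0) {
-starting_pos += 4; // "UNC\"
-}
-auto normalized = param.substr(starting_pos);
-return granted_tree->Lookup(normalized, true);
+// Remove leading "\\?\" from UNC path
+if (resolved_param.substr(0, 4) == "\\\\?\\") {
+resolved_param.erase(0, 4);
 }
+
+// Remove leading "UNC\" from UNC path
+if (resolved_param.substr(0, 4) == "UNC\\") {
+resolved_param.erase(0, 4);
+}
+// Remove leading "//" from UNC path
+if (resolved_param.substr(0, 2) == "//") {
+resolved_param.erase(0, 2);
+}
 #endif
 return granted_tree->Lookup(resolved_param, true);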
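Review bot: The three prefix checks (`"\\\\?\\"`, `"UNC\\"`, `"//"`) are exact-case byte comparisons, so the `UNC\` strip depends on PathResolve always emitting that token in upper case; nothing in the hunk shows that guarantee, so either compare case-insensitively or record the assumption with `// NOTE: assumes PathResolve canonicalizes the device prefix to upper-case "UNC\" — confirm`. The `"//"` branch is likewise only reachable if PathResolve can return forward slashes on Windows, which the hunk does not show; a one-line comment naming the input form it handles would help the next reader. As a point of style, `resolved_param.compare(0, 4, "\\\\?\\") == 0` avoids the temporary std::string that each `substr(0, 4)` builds. The body of is_tree_granted begins before this hunk.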
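--- a/test/parallel/test-permission-fs-windows-path.js
+++ b/test/parallel/test-permission-fs-windows-path.js
@@ -38,3 +38,12 @@ if (!common.isWindows) {
 assert.strictEqual(stdout.toString(), 'true\n', stderr.toString());
 assert.strictEqual(status, 0);
 }
+
+{
+const { stdout, status, stderr } = spawnSync(process.execPath, [
+'--experimental-permission', '--allow-fs-write', 'C:\\*', '-e',
+"console.log(process.permission.has('fs.write', '\\\\\\\\A\\\\C:\\Users'))",
+]);
+assert.strictEqual(stdout.toString(), 'false\n', stderr.toString());
+assert.strictEqual(status, 0);
+}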
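Review bot: The new block only exercises the plain `\\A\C:\Users` form, so the `\\?\` and `UNC\` stripping branches added in fs_permission.cc are still not covered by this test. A sibling block with the `\\?\UNC\A\C:\Users` spelling, expecting `'false\n'` against the same `C:\*` grant, would pin the regression this commit fixes; the expected value is what the C++ change implies and should be confirmed on a Windows runner. The enclosing `if (!common.isWindows)` guard starts before this hunk.
```javascript
{
  const { stdout, status, stderr } = spawnSync(process.execPath, [
    '--experimental-permission', '--allow-fs-write', 'C:\\*', '-e',
    "console.log(process.permission.has('fs.write', '\\\\\\\\?\\\\UNC\\\\A\\\\C:\\\\Users'))",
  ]);
  assert.strictEqual(stdout.toString(), 'false\n', stderr.toString());
  assert.strictEqual(status, 0);
}
```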
