node/lib/internal/process/permission.js
RafaelGSS 205f1e643e permission: handle fs path traversal
PR-URL: https://github.com/nodejs-private/node-private/pull/403
Refs: https://hackerone.com/bugs?subject=nodejs&report_id=1952978
Reviewed-By: Matteo Collina <matteo.collina@gmail.com>
CVE-ID: CVE-2023-30584
2023-06-20 17:31:47 -03:00


'use strict';
const {
ObjectFreeze,
StringPrototypeStartsWith,
} = primordials;
const permission = internalBinding('permission');
const { validateString } = require('internal/validators');
const { resolve } = require('path');
// Cached value of the `--experimental-permission` option; stays `undefined`
// until isEnabled() is called for the first time.
let experimentalPermission;

module.exports = ObjectFreeze({
  __proto__: null,

  /**
   * Reports the value of the `--experimental-permission` option.
   * The option is read once, on the first call, and cached for later calls.
   * @returns {*} Whatever `getOptionValue('--experimental-permission')`
   *   returned on the first call.
   */
  isEnabled() {
    if (experimentalPermission !== undefined) {
      return experimentalPermission;
    }
    // `internal/options` is only loaded when the value is first needed.
    const { getOptionValue } = require('internal/options');
    experimentalPermission = getOptionValue('--experimental-permission');
    return experimentalPermission;
  },

  /**
   * Asks the native permission binding whether `scope` is granted,
   * optionally for one specific `reference`.
   *
   * For any scope whose name begins with 'fs', a supplied reference is passed
   * through `path.resolve()` first, so relative paths and `.`/`..` segments
   * are collapsed into an absolute path before the native check sees them.
   * This is the path-traversal handling: the check is made against the
   * normalized location, not the spelling the caller supplied.
   *
   * Limits of that normalization:
   * - `path.resolve()` is purely lexical. It does not touch the file system,
   *   so symbolic links are not followed here.
   * - A relative reference is resolved against the working directory at the
   *   time of the call.
   * - NOTE(review): the normalization runs in JavaScript, in the same realm as
   *   application code. Confirm that the code paths which enforce the
   *   permission (not visible in this file) normalize paths as well and do not
   *   depend solely on this function.
   *
   * @param {string} scope Permission scope name; must be a string.
   * @param {string} [reference] Resource to check. `null`/`undefined` are
   *   forwarded unchanged; anything else must be a string.
   * @returns {*} The result of `permission.has(scope, reference)`.
   * @throws If `scope`, or a non-nullish `reference`, fails `validateString`.
   */
  has(scope, reference) {
    validateString(scope, 'scope');

    // No reference supplied: forward the null/undefined value untouched.
    if (reference == null) {
      return permission.has(scope, reference);
    }

    // TODO: add support for WHATWG URLs and Uint8Arrays.
    validateString(reference, 'reference');

    // Prefix match: applies to every scope whose name starts with 'fs'.
    const isFsScope = StringPrototypeStartsWith(scope, 'fs');
    const target = isFsScope ? resolve(reference) : reference;
    return permission.has(scope, target);
  },
});