fs: protect against modified Buffer internals in possiblyTransformPath

tniessen · RafaelGSS · commit a4edd22e3094 · 2024-02-07T10:45:36.000-03:00
Use encodeUtf8String from the encoding_binding internal binding to convert the result of path.resolve() to a Uint8Array instead of using Buffer.from(), whose result can be manipulated by the user by monkey-patching internals such as Buffer.prototype.utf8Write. HackerOne report: https://hackerone.com/reports/2218653 PR-URL: nodejs-private/node-private#497 Reviewed-By: Rafael Gonzaga <rafael.nunu@hotmail.com> CVE-ID: CVE-2024-21896
diff --git a/lib/internal/fs/utils.js b/lib/internal/fs/utils.js
@@ -65,6 +65,8 @@ const kType = Symbol('type');
 const kStats = Symbol('stats');
 const assert = require('internal/assert');
 
+const { encodeUtf8String } = internalBinding('encoding_binding');
+
 const {
   fs: {
     F_OK = 0,
@@ -702,7 +704,10 @@ function possiblyTransformPath(path) {
     }
     assert(isUint8Array(path));
     if (!BufferIsBuffer(path)) path = BufferFrom(path);
-    return BufferFrom(resolvePath(BufferToString(path)));
+    // Avoid Buffer.from() and use a C++ binding instead to encode the result
+    // of path.resolve() in order to prevent path traversal attacks that
+    // monkey-patch Buffer internals.
+    return encodeUtf8String(resolvePath(BufferToString(path)));
   }
   return path;
 }
diff --git a/test/fixtures/permission/fs-traversal.js b/test/fixtures/permission/fs-traversal.js
@@ -96,6 +96,39 @@ const uint8ArrayTraversalPath = new TextEncoder().encode(traversalPath);
   }));
 }
 
+// Monkey-patching Buffer internals should also not allow path traversal.
+{
+  const extraChars = '.'.repeat(40);
+  const traversalPathWithExtraChars = traversalPath + extraChars;
+  const traversalPathWithExtraBytes = Buffer.from(traversalPathWithExtraChars);
+
+  Buffer.prototype.utf8Write = ((w) => function(str, ...args) {
+    assert.strictEqual(str, resolve(traversalPath) + extraChars);
+    return w.apply(this, [traversalPath, ...args]);
+  })(Buffer.prototype.utf8Write);
+
+  // Sanity check (remove if the internals of Buffer.from change):
+  // The custom implementation of utf8Write should cause Buffer.from() to encode
+  // traversalPath instead of the sanitized output of resolve().
+  assert.strictEqual(Buffer.from(resolve(traversalPathWithExtraChars)).toString(), traversalPath);
+
+  assert.throws(() => {
+    fs.readFile(traversalPathWithExtraBytes, common.mustNotCall());
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+    resource: resolve(traversalPathWithExtraChars),
+  }));
+
+  assert.throws(() => {
+    fs.readFile(new TextEncoder().encode(traversalPathWithExtraBytes.toString()), common.mustNotCall());
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+    resource: resolve(traversalPathWithExtraChars),
+  }));
+}
+
 {
   assert.ok(!process.permission.has('fs.read', traversalPath));
   assert.ok(!process.permission.has('fs.write', traversalPath));

Original file line number	Diff line number	Diff line change
`@@ -65,6 +65,8 @@ const kType = Symbol('type');`
`65`	`65`	`const kStats = Symbol('stats');`
`66`	`66`	`const assert = require('internal/assert');`
`67`	`67`
	`68`	`+const { encodeUtf8String } = internalBinding('encoding_binding');`
	`69`	`+`
`68`	`70`	`const {`
`69`	`71`	`fs: {`
`70`	`72`	`F_OK = 0,`
`@@ -702,7 +704,10 @@ function possiblyTransformPath(path) {`
`702`	`704`	`}`
`703`	`705`	`assert(isUint8Array(path));`
`704`	`706`	`if (!BufferIsBuffer(path)) path = BufferFrom(path);`
`705`		`- return BufferFrom(resolvePath(BufferToString(path)));`
	`707`	`+ // Avoid Buffer.from() and use a C++ binding instead to encode the result`
	`708`	`+ // of path.resolve() in order to prevent path traversal attacks that`
	`709`	`+ // monkey-patch Buffer internals.`
	`710`	`+ return encodeUtf8String(resolvePath(BufferToString(path)));`
`706`	`711`	`}`
`707`	`712`	`return path;`
`708`	`713`	`}`