permission: v8.writeHeapSnapshot and process.report

RafaelGSS · Haxatron · RafaelGSS · commit ec61426f0b6f · 2023-06-26T14:30:01.000-03:00
Co-Authored-By: haxatron &lt;haxatron1@gmail.com&gt;
diff --git a/lib/internal/process/report.js b/lib/internal/process/report.js
@@ -2,6 +2,7 @@
 const {
   ERR_SYNTHETIC,
 } = require('internal/errors').codes;
+const { getValidatedPath } = require('internal/fs/utils');
 const {
   validateBoolean,
   validateObject,
@@ -19,6 +20,7 @@ const report = {
       file = undefined;
     } else if (file !== undefined) {
       validateString(file, 'file');
+      file = getValidatedPath(file);
     }
 
     if (err === undefined) {
diff --git a/src/heap_utils.cc b/src/heap_utils.cc
@@ -2,6 +2,7 @@
 #include "env-inl.h"
 #include "memory_tracker-inl.h"
 #include "node_external_reference.h"
+#include "permission/permission.h"
 #include "stream_base-inl.h"
 #include "util-inl.h"
 
@@ -454,6 +455,7 @@ void TriggerHeapSnapshot(const FunctionCallbackInfo<Value>& args) {
 
   if (filename_v->IsUndefined()) {
     DiagnosticFilename name(env, "Heap", "heapsnapshot");
+    // TODO(rafaelgss): resolve(name) and THROW_IF_INSUFFICIENT_PERMISSIONS
     if (WriteSnapshot(env, *name, options).IsNothing()) return;
     if (String::NewFromUtf8(isolate, *name).ToLocal(&filename_v)) {
       args.GetReturnValue().Set(filename_v);
@@ -463,6 +465,8 @@ void TriggerHeapSnapshot(const FunctionCallbackInfo<Value>& args) {
 
   BufferValue path(isolate, filename_v);
   CHECK_NOT_NULL(*path);
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      env, permission::PermissionScope::kFileSystemWrite, path.ToStringView());
   if (WriteSnapshot(env, *path, options).IsNothing()) return;
   return args.GetReturnValue().Set(filename_v);
 }
diff --git a/src/node_report.cc b/src/node_report.cc
@@ -871,6 +871,7 @@ std::string TriggerNodeReport(Isolate* isolate,
       filename = *DiagnosticFilename(
           env != nullptr ? env->thread_id() : 0, "report", "json");
     }
+    // TODO(rafaelgss): resolve(filename) and THROW_IF_INSUFFICIENT_PERMISSIONS
   }
 
   // Open the report file stream for writing. Supports stdout/err,
diff --git a/src/node_report_module.cc b/src/node_report_module.cc
@@ -4,6 +4,7 @@
 #include "node_internals.h"
 #include "node_options.h"
 #include "node_report.h"
+#include "permission/permission.h"
 #include "util-inl.h"
 
 #include "handle_wrap.h"
@@ -44,6 +45,8 @@ void WriteReport(const FunctionCallbackInfo<Value>& info) {
   else
     error = Local<Value>();
 
+  THROW_IF_INSUFFICIENT_PERMISSIONS(
+      env, permission::PermissionScope::kFileSystemWrite, filename);
   filename = TriggerNodeReport(env, *message, *trigger, filename, error);
   // Return value is the report filename
   info.GetReturnValue().Set(
diff --git a/test/parallel/test-permission-fs-write-report.js b/test/parallel/test-permission-fs-write-report.js
@@ -0,0 +1,31 @@
+// Flags: --experimental-permission --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+common.skipIfWorker();
+if (!common.hasCrypto)
+  common.skip('no crypto');
+
+const assert = require('assert');
+const path = require('path');
+
+{
+  assert.throws(() => {
+    process.report.writeReport('./secret.txt');
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemWrite',
+    resource: path.toNamespacedPath(path.resolve('./secret.txt')),
+  }));
+}
+
+{
+  // TODO(rafaelgss): current working directory isn't supported
+  // until path.resolve isn't available in C++
+  assert.throws(() => {
+    process.report.writeReport();
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemWrite',
+  }));
+}
diff --git a/test/parallel/test-permission-fs-write-v8.js b/test/parallel/test-permission-fs-write-v8.js
@@ -0,0 +1,32 @@
+// Flags: --experimental-permission --allow-fs-read=*
+'use strict';
+
+const common = require('../common');
+common.skipIfWorker();
+if (!common.hasCrypto)
+  common.skip('no crypto');
+
+const assert = require('assert');
+const v8 = require('v8');
+const path = require('path');
+
+{
+  assert.throws(() => {
+    v8.writeHeapSnapshot('./secret.txt');
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemWrite',
+    resource: path.toNamespacedPath(path.resolve('./secret.txt')),
+  }));
+}
+
+{
+  // TODO(rafaelgss): current working directory isn't supported
+  // until path.resolve isn't available in C++
+  assert.throws(() => {
+    v8.writeHeapSnapshot();
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemWrite',
+  }));
+}

Original file line number	Diff line number	Diff line change
`@@ -871,6 +871,7 @@ std::string TriggerNodeReport(Isolate* isolate,`
`871`	`871`	`filename = *DiagnosticFilename(`
`872`	`872`	`env != nullptr ? env->thread_id() : 0, "report", "json");`
`873`	`873`	`}`
	`874`	`+ // TODO(rafaelgss): resolve(filename) and THROW_IF_INSUFFICIENT_PERMISSIONS`
`874`	`875`	`}`
`875`	`876`
`876`	`877`	`// Open the report file stream for writing. Supports stdout/err,`