[PATCH] permission: add permission check to realpath.native
authorRafaelGSS <rafael.nunu@hotmail.com>
Mon, 5 Jan 2026 21:18:39 +0000 (18:18 -0300)
committerJérémy Lal <kapouer@melix.org>
Tue, 24 Mar 2026 21:11:25 +0000 (22:11 +0100)
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: https://github.com/nodejs-private/node-private/pull/838
CVE-ID: CVE-2026-21715

Gbp-Pq: Topic sec
Gbp-Pq: Name 54-add-permission-check-to-realpath-native.patch

src/node_file.cc
test/fixtures/permission/fs-read.js

index bdfcb6e465c276778a1a02e39c48ad02bcd4437c..78f95f6ffdbb9c8cb95a68ffa248d59e76f69927 100644 (file)
@@ -1914,11 +1914,19 @@ static void RealPath(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 2) {  // realpath(path, encoding, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2);
+    CHECK_NOT_NULL(req_wrap_async);
+    ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS(
+        env,
+        req_wrap_async,
+        permission::PermissionScope::kFileSystemRead,
+        path.ToStringView());
     FS_ASYNC_TRACE_BEGIN1(
         UV_FS_REALPATH, req_wrap_async, "path", TRACE_STR_COPY(*path))
     AsyncCall(env, req_wrap_async, args, "realpath", encoding, AfterStringPtr,
               uv_fs_realpath, *path);
   } else {  // realpath(path, encoding, undefined, ctx)
+    THROW_IF_INSUFFICIENT_PERMISSIONS(
+        env, permission::PermissionScope::kFileSystemRead, path.ToStringView());
     FSReqWrapSync req_wrap_sync("realpath", *path);
     FS_SYNC_TRACE_BEGIN(realpath);
     int err =
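Review bot: Both added checks in RealPath validate `path.ToStringView()`, the path as the caller supplied it, while `uv_fs_realpath` then resolves symlinks and returns the target location, which these lines never compare against the `kFileSystemRead` grants. If checking only the requested path is the intended scope, it deserves a comment at the sync check such as `// Checked against the requested path only; the resolved result is not re-validated.` so that a later reader does not assume the returned path was authorized as well. RealPath begins before and continues past this hunk, so a check on the result further down cannot be ruled out from here.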
index fb40394401e7721fb762db8f663080e48ed84492..b7756a4d70d37675fe671d5b59ff4341fdeede75 100644 (file)
@@ -673,4 +673,18 @@ const regularFile = __filename;
   fs.lstat(regularFile, (err) => {
     assert.ifError(err);
   });
+}
+
+// fs.realpath.native
+{
+  fs.realpath.native(blockedFile, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+    resource: path.toNamespacedPath(blockedFile),
+  }));
+
+  // doesNotThrow
+  fs.realpath.native(regularFile, (err) => {
+    assert.ifError(err);
+  });
 }
\ No newline at end of file
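Review bot: Only the callback form is exercised in the new `fs.realpath.native` block, so the `THROW_IF_INSUFFICIENT_PERMISSIONS` added to the synchronous branch of RealPath in src/node_file.cc has no test. Assuming `fs.realpathSync.native` reaches that branch, a sync case in the same block would close the gap: `assert.throws(() => fs.realpathSync.native(blockedFile), { code: 'ERR_ACCESS_DENIED', permission: 'FileSystemRead' });`. The `// doesNotThrow` comment sits above an asynchronous call that reports through its callback, so `// allowed path resolves without error` would describe it more accurately. The block closed by the first added `}` starts outside this hunk.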