From 8e01da3725e5ef6b31aba6547eca44c651705173 Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Mon, 5 Jan 2026 18:18:39 -0300
Subject: [PATCH] [PATCH] permission: add permission check to realpath.native
Signed-off-by: RafaelGSS
PR-URL: https://github.com/nodejs-private/node-private/pull/838
CVE-ID: CVE-2026-21715
Gbp-Pq: Topic sec
Gbp-Pq: Name 54-add-permission-check-to-realpath-native.patch
---
 src/node_file.cc | 8 ++++++++
 test/fixtures/permission/fs-read.js | 14 ++++++++++++++
 2 files changed, 22 insertions(+)
diff --git a/src/node_file.cc b/src/node_file.cc
index bdfcb6e46..78f95f6ff 100644
--- a/src/node_file.cc
+++ b/src/node_file.cc
@@ -1914,11 +1914,19 @@ static void RealPath(const FunctionCallbackInfo& args) {
 if (argc > 2) { // realpath(path, encoding, req)
 FSReqBase* req_wrap_async = GetReqWrap(args, 2);
+ CHECK_NOT_NULL(req_wrap_async);
+ ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS(
+ env,
+ req_wrap_async,
+ permission::PermissionScope::kFileSystemRead,
+ path.ToStringView());
 FS_ASYNC_TRACE_BEGIN1( UV_FS_REALPATH, req_wrap_async, "path", TRACE_STR_COPY(*path))
 AsyncCall(env, req_wrap_async, args, "realpath", encoding, AfterStringPtr, uv_fs_realpath, *path);
 } else { // realpath(path, encoding, undefined, ctx)
+ THROW_IF_INSUFFICIENT_PERMISSIONS(
+ env, permission::PermissionScope::kFileSystemRead, path.ToStringView());
 FSReqWrapSync req_wrap_sync("realpath", *path);
 FS_SYNC_TRACE_BEGIN(realpath);
 int err =
diff --git a/test/fixtures/permission/fs-read.js b/test/fixtures/permission/fs-read.js
index fb4039440..b7756a4d7 100644
--- a/test/fixtures/permission/fs-read.js
+++ b/test/fixtures/permission/fs-read.js
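Review bot: Both added checks in the src/node_file.cc hunk pass `path.ToStringView()`, the path as the caller supplied it, so what is authorised is the requested name rather than the location `uv_fs_realpath` resolves it to. Whether the permission layer canonicalises the path or follows links itself is not visible here, so I would record the intent next to the async check, e.g. `// Checked against the requested path; the resolved target returned by realpath is not re-checked here.` If resolved targets outside the granted read scope are also meant to stay hidden, that needs a second check on the result, and the completion path where it would go is outside this hunk. RealPath's body starts before and continues past the hunk.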
@@ -673,4 +673,18 @@ const regularFile = __filename;
 fs.lstat(regularFile, (err) => {
 assert.ifError(err);
 });
+}
+
+// fs.realpath.native
+{
+ fs.realpath.native(blockedFile, common.expectsError({
+ code: 'ERR_ACCESS_DENIED',
+ permission: 'FileSystemRead',
+ resource: path.toNamespacedPath(blockedFile),
+ }));
+
+ // doesNotThrow
+ fs.realpath.native(regularFile, (err) => {
+ assert.ifError(err);
+ });
 }
\ No newline at end of file
--
2.30.2
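Review bot: The new `// fs.realpath.native` block exercises only the callback form, while the same patch adds a second check on the synchronous branch of `RealPath` (`realpath(path, encoding, undefined, ctx)`) that nothing in this fixture reaches. A regression that dropped the sync check would pass this test unnoticed. I would add the matching case, e.g. `assert.throws(() => fs.realpathSync.native(blockedFile), common.expectsError({ code: 'ERR_ACCESS_DENIED', permission: 'FileSystemRead', resource: path.toNamespacedPath(blockedFile) }));`, together with a passing `fs.realpathSync.native(regularFile)` call. If the promise-based realpath goes through the same binding, as it appears to, a rejection case for it would close the remaining gap.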