The `is_tree_granted` function in `fs_permission.cc` assumes that any path starting with two backslashes (`\\`) has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.
With a recent version of Node.js 20, run a command such as:

```
node --experimental-permission --allow-fs-read=C:\* -p "fs.readdirSync(Buffer.from('\\\\A\\C:\\Users'))"
```

The expected behavior is an `ERR_ACCESS_DENIED` error, but it does not occur. Instead, Node.js calls `scandir` on `\\A\C:\Users`.
An attacker can potentially gain unintended access to UNC resources. In the above example, an attacker gains file system access to the UNC path `\\A\C:\`, even though no access beyond the local `C:\` drive has been granted.
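To make the failure mode concrete, the following is an added example and not Node.js's own code: a simplified JavaScript model of a permission check that strips a fixed-length prefix from any path beginning with `\\` before matching it against the granted roots, placed beside a version that only strips the prefixes it has actually verified (`\\?\` and `\\?\UNC\`) and otherwise matches a UNC path as-is. The grant list, the helper names (`lookupGranted`, `isGrantedFlawed`, `isGrantedHardened`) and the sample paths are constructed for this illustration; the real `is_tree_granted` operates on a radix tree in C++ and is not reproduced here.

```javascript
// Added example (not Node.js's own code): a simplified model of the
// prefix-stripping check described above, and a hardened variant.
// GRANTED_ROOTS models `--allow-fs-read=C:\*` and is constructed for
// this illustration.
const GRANTED_ROOTS = ['C:\\'];

// Case-insensitive "is `p` at or below one of the granted roots".
function lookupGranted(p, roots = GRANTED_ROOTS) {
  const lower = p.toLowerCase();
  return roots.some((root) => lower.startsWith(root.toLowerCase()));
}

// Flawed: assumes every path beginning with "\\" carries a four-character
// prefix (as "\\?\" does) and drops it unconditionally. A UNC path such as
// "\\A\C:\Users" loses "\\A\" and is then checked as "C:\Users", which the
// local-drive grant accepts.
function isGrantedFlawed(p) {
  if (p.startsWith('\\\\')) {
    let start = 4; // length of "\\?\"
    if (p.startsWith('\\\\?\\UNC\\')) start += 4; // plus "UNC\"
    return lookupGranted(p.slice(start));
  }
  return lookupGranted(p);
}

// Hardened: strip only a prefix whose presence has been verified.
// "\\?\UNC\server\share\..." is rewritten to "\\server\share\..." and any
// other UNC path is matched unchanged, so it is granted only if a UNC root
// was explicitly allowed.
function isGrantedHardened(p) {
  const ncPrefix = '\\\\?\\';        // "\\?\"
  const uncPrefix = '\\\\?\\UNC\\';  // "\\?\UNC\"
  let normalized = p;
  if (p.startsWith(uncPrefix)) {
    normalized = '\\\\' + p.slice(uncPrefix.length);
  } else if (p.startsWith(ncPrefix)) {
    normalized = p.slice(ncPrefix.length);
  }
  return lookupGranted(normalized);
}

// Constructed sample paths, including the UNC path from the report.
const SAMPLES = ['\\\\A\\C:\\Users', '\\\\?\\C:\\Users', 'C:\\Users\\me', 'D:\\data'];

// Returns { path: [flawedResult, hardenedResult] } for each sample path.
function compare(paths = SAMPLES) {
  const out = {};
  for (const p of paths) out[p] = [isGrantedFlawed(p), isGrantedHardened(p)];
  return out;
}

console.log(compare());
```

Run with `node` and the only row where the two checks disagree is `\\A\C:\Users`: the flawed check grants it because the stripped remainder `C:\Users` falls under `C:\`, while the hardened check leaves the UNC path intact and denies it. Paths that genuinely carry the `\\?\` prefix, and ordinary local paths, are treated identically by both.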
It is difficult to fully and accurately comprehend the impact. The bug is subtle, and Windows uses notoriously complex file path formats. Overall, I consider the severity of the issue to be low.