permission: ensure to resolve path when calling mkdtemp

RafaelGSS · RafaelGSS · commit 98a83a67e6e2 · 2023-08-09T10:20:33.000-03:00
PR-URL: nodejs-private/node-private#464 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2037887 Reviewed-By: Tobias Nießen <tniessen@tnie.de>
diff --git a/lib/fs.js b/lib/fs.js
@@ -2916,6 +2916,7 @@ function mkdtemp(prefix, options, callback) {
 
   validateString(prefix, 'prefix');
   nullCheck(prefix, 'prefix');
+  prefix = getValidatedPath(prefix, 'prefix');
   warnOnNonPortableTemplate(prefix);
   const req = new FSReqCallback();
   req.oncomplete = callback;
@@ -2933,6 +2934,7 @@ function mkdtempSync(prefix, options) {
 
   validateString(prefix, 'prefix');
   nullCheck(prefix, 'prefix');
+  prefix = getValidatedPath(prefix, 'prefix');
   warnOnNonPortableTemplate(prefix);
   const path = `${prefix}XXXXXX`;
   const ctx = { path };
diff --git a/test/fixtures/permission/fs-traversal.js b/test/fixtures/permission/fs-traversal.js
@@ -51,7 +51,19 @@ const bufferTraversalPath = Buffer.from(allowedFolder + '../file.md');
   }, common.expectsError({
     code: 'ERR_ACCESS_DENIED',
     permission: 'FileSystemWrite',
-    resource: path.toNamespacedPath(path.resolve(traversalFolderPath + 'XXXXXX')),
+    resource: path.resolve(traversalFolderPath + 'XXXXXX'),
+  }));
+}
+
+{
+  assert.throws(() => {
+    fs.mkdtemp(traversalFolderPath, (error) => {
+      assert.ifError(error);
+    });
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemWrite',
+    resource: path.resolve(traversalFolderPath + 'XXXXXX'),
   }));
 }
 
@@ -72,4 +84,4 @@ const bufferTraversalPath = Buffer.from(allowedFolder + '../file.md');
   assert.ok(!process.permission.has('fs.write', traversalPath));
   assert.ok(!process.permission.has('fs.read', traversalFolderPath));
   assert.ok(!process.permission.has('fs.write', traversalFolderPath));
-}
+}
