Skip to content

Navigation Menu

Sign in
Appearance settings

Search code, repositories, users, issues, pull requests...

Provide feedback

We read every piece of feedback, and take your input very seriously.

Saved searches

Use saved searches to filter your results more quickly
Appearance settings

Commit bdf5873

Browse filesBrowse files
RafaelGSSRafaelGSS
committed
permission: add network check on pipe_wrap connect
Refs: https://hackerone.com/reports/3465156 PR-URL: nodejs-private/node-private#784 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Marco Ippolito <marcoippolito54@gmail.com> CVE-ID: CVE-2026-21636
1 parent 0578e3e commit bdf5873
Copy full SHA for bdf5873

File tree

Expand file treeCollapse file tree

2 files changed

+34
-0
lines changed
Open diff view settings
Filter options
Expand file treeCollapse file tree

2 files changed

+34
-0
lines changed
Open diff view settings
Collapse file

‎src/pipe_wrap.cc‎

Copy file name to clipboardExpand all lines: src/pipe_wrap.cc
+3Lines changed: 3 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -226,6 +226,9 @@ void PipeWrap::Connect(const FunctionCallbackInfo<Value>& args) {
226226
Local<Object> req_wrap_obj = args[0].As<Object>();
227227
node::Utf8Value name(env->isolate(), args[1]);
228228

229+
ERR_ACCESS_DENIED_IF_INSUFFICIENT_PERMISSIONS(
230+
env, permission::PermissionScope::kNet, name.ToStringView(), args);
231+
229232
ConnectWrap* req_wrap =
230233
new ConnectWrap(env, req_wrap_obj, AsyncWrap::PROVIDER_PIPECONNECTWRAP);
231234
int err = req_wrap->Dispatch(uv_pipe_connect2,
Collapse file

‎test/parallel/test-permission-net-uds.js‎

Copy file name to clipboard
+31Lines changed: 31 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,31 @@
1+
// Flags: --permission --allow-fs-read=*
2+
'use strict';
3+
4+
const common = require('../common');
5+
if (!common.hasCrypto) { common.skip('missing crypto'); };
6+
7+
if (common.isWindows) {
8+
common.skip('This test only works on unix');
9+
}
10+
11+
const assert = require('assert');
12+
const net = require('net');
13+
const tls = require('tls');
14+
15+
{
16+
const client = net.connect({ path: '/tmp/perm.sock' });
17+
client.on('error', common.mustCall((err) => {
18+
assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');
19+
}));
20+
21+
client.on('connect', common.mustNotCall('TCP connection should be blocked'));
22+
}
23+
24+
{
25+
const client = tls.connect({ path: '/tmp/perm.sock' });
26+
client.on('error', common.mustCall((err) => {
27+
assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');
28+
}));
29+
30+
client.on('connect', common.mustNotCall('TCP connection should be blocked'));
31+
}

0 commit comments

Comments
0 (0)
Morty Proxy This is a proxified and sanitized view of the page, visit original site.