From d6da413aa4df6bc22625bb2701f11674a6e75b70 Mon Sep 17 00:00:00 2001
From: RafaelGSS
Date: Mon, 8 Jan 2024 16:26:34 -0300
Subject: [PATCH] test,doc: clarify wildcard usage

Follow-up: https://github.com/nodejs/node/pull/51209
PR-URL: https://github.com/nodejs-private/node-private/pull/517
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=2257156
CVE-ID: CVE-2024-21890
---
 doc/api/permissions.md | 5 ++++-
 test/parallel/test-permission-fs-wildcard.js | 4 ++++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/doc/api/permissions.md b/doc/api/permissions.md
index 119ec2e80a4b12..75f717be487ae8 100644
--- a/doc/api/permissions.md
+++ b/doc/api/permissions.md
@@ -557,7 +557,10 @@ Wildcards are supported too:
 * `--allow-fs-read=/home/test*` will allow read access to everything that matches the wildcard. e.g: `/home/test/file1` or `/home/test2`
-#### Limitations and known issues
+After passing a wildcard character (`*`) all subsequent characters will
+be ignored. For example: `/home/*.js` will work similar to `/home/*`.
+
+#### Permission Model constraints
 There are constraints you need to know before using this system:
diff --git a/test/parallel/test-permission-fs-wildcard.js b/test/parallel/test-permission-fs-wildcard.js
index 9b2608e99dc84b..7aa8c34fd65cb1 100644
--- a/test/parallel/test-permission-fs-wildcard.js
+++ b/test/parallel/test-permission-fs-wildcard.js
@@ -107,11 +107,15 @@ if (common.isWindows) {
 '--experimental-permission',
 '--allow-fs-read=/a/b/*',
 '--allow-fs-read=/a/b/d',
+ '--allow-fs-read=/etc/passwd.*',
+ '--allow-fs-read=/home/*.js',
 '-e',
 `
 const assert = require('assert')
 assert.ok(process.permission.has('fs.read', '/a/b/c'));
 assert.ok(!process.permission.has('fs.read', '/a/c/c'));
+ assert.ok(!process.permission.has('fs.read', '/etc/passwd'));
+ assert.ok(process.permission.has('fs.read', '/home/another-file.md'));
 `,
 ]
 );
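Review bot: In the test hunk, the added assertion `assert.ok(process.permission.has('fs.read', '/home/another-file.md'))` pins a grant that is wider than the flag `--allow-fs-read=/home/*.js` reads, and nothing in the test says this is intended. A short comment beside the two new flags would keep a later reader from treating it as a regression, for example `// Characters after '*' are ignored: '/home/*.js' grants the same as '/home/*'`. The `/etc/passwd.*` flag only gets a negative check; assuming the text before `*` is matched as a literal prefix, as the doc hunk describes, a positive check on a constructed path such as `assert.ok(process.permission.has('fs.read', '/etc/passwd.bak'));` would show the rule still grants what it names. The enclosing call begins above the hunk, so the platform branch these POSIX paths run under is not visible here.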