hackerone / tniessen / H1:2079103
Jul 21, 2023 - 4:34 p.m.

Node.js: Permission model improperly processes UNC paths

2023-07-21 16:34:42
tniessen
hackerone.com
node.js
permission model
unc paths
path formats
file system access
security vulnerability
windows systems

The is_tree_granted function in fs_permission.cc assumes that any path starting with two backslashes \\ has a four-character prefix that can be ignored, which is not always true. This subtle bug leads to vulnerable edge cases.

Steps To Reproduce:

With a recent version of Node.js 20, run a command such as:

node --experimental-permission --allow-fs-read=C:\* -p "fs.readdirSync(Buffer.from('\\\\A\\C:\\Users'))"

The expected behavior is an ERR_ACCESS_DENIED error, but it does not occur. Instead, Node.js calls scandir on \\A\C:\Users.
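The following is an added, simplified model of the flawed check described in this report; it is not code from Node.js or from the reporter. The hardened variant is an illustration of the defensive fix and assumes that only the two well-known device prefixes \\?\ and \\.\ are meant to be skipped.

```javascript
// Constructed model of a tree-granted check on Windows-style paths.
// Not fs_permission.cc; it reproduces only the logic error the report names.

// Buggy check: any path beginning with "\\" is assumed to carry a
// four-character device prefix (such as "\\?\") and has it blindly removed.
function isTreeGrantedBuggy(grantedRoot, path) {
  if (path.startsWith('\\\\')) {
    path = path.slice(4); // wrong for a UNC path such as \\A\C:\Users
  }
  return path.startsWith(grantedRoot);
}

// Hardened check (added here, not Node's actual patch): strip only the
// known 4-character device prefixes. Anything else that starts with "\\"
// is a UNC path and is compared unchanged, so it cannot alias a local drive.
const DEVICE_PREFIXES = ['\\\\?\\', '\\\\.\\']; // \\?\ and \\.\
function isTreeGrantedFixed(grantedRoot, path) {
  for (const prefix of DEVICE_PREFIXES) {
    if (path.startsWith(prefix)) {
      path = path.slice(prefix.length);
      break;
    }
  }
  return path.startsWith(grantedRoot);
}

// Constructed inputs mirroring the report.
const GRANTED = 'C:\\';                 // models --allow-fs-read=C:\*
const UNC_PATH = '\\\\A\\C:\\Users';    // the report's \\A\C:\Users
const DEVICE_PATH = '\\\\?\\C:\\Users'; // legitimate device-path form of C:\Users

console.log('buggy grants UNC path:', isTreeGrantedBuggy(GRANTED, UNC_PATH));  // true
console.log('fixed grants UNC path:', isTreeGrantedFixed(GRANTED, UNC_PATH));  // false
console.log('fixed grants \\\\?\\C:\\ path:', isTreeGrantedFixed(GRANTED, DEVICE_PATH)); // true
```

With the buggy check, slicing four characters off \\A\C:\Users leaves C:\Users, which matches the granted C:\ root; the hardened check leaves the UNC path intact and denies it while still accepting the \\?\ form of a local path.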

Supporting Material/References:

Impact

An attacker can potentially gain unintended access to UNC resources. In the above example, an attacker gains file system access to the UNC path \\A\C:\, even though no access beyond the local C:\ drive has been granted.

It is difficult to fully and accurately comprehend the impact. The bug is subtle, and Windows uses notoriously complex file path formats. Overall, I consider the severity of the issue to be low.