permission: ensure to resolve path when calling mkdtemp

PR-URL: nodejs-private/node-private#440 Refs: https://hackerone.com/bugs?subject=nodejs&report_id=2037887 Reviewed-By: Tobias Nießen <tniessen@tnie.de>
nodejs · Aug 9, 2023 · 3868ae0 · 3868ae0
1 parent 1f64147
commit 3868ae0
Showing 1 changed file with 14 additions and 2 deletions.
diff --git a/test/fixtures/permission/fs-traversal.js b/test/fixtures/permission/fs-traversal.js
@@ -51,7 +51,19 @@ const bufferTraversalPath = Buffer.from(allowedFolder + '../file.md');
   }, common.expectsError({
     code: 'ERR_ACCESS_DENIED',
     permission: 'FileSystemWrite',
-    resource: path.toNamespacedPath(path.resolve(traversalFolderPath + 'XXXXXX')),
+    resource: path.resolve(traversalFolderPath + 'XXXXXX'),
+  }));
+}
+
+{
+  assert.throws(() => {
+    fs.mkdtemp(traversalFolderPath, (error) => {
+      assert.ifError(error);
+    });
+  }, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemWrite',
+    resource: path.resolve(traversalFolderPath + 'XXXXXX'),
   }));
 }
 
@@ -72,4 +84,4 @@ const bufferTraversalPath = Buffer.from(allowedFolder + '../file.md');
   assert.ok(!process.permission.has('fs.write', traversalPath));
   assert.ok(!process.permission.has('fs.read', traversalFolderPath));
   assert.ok(!process.permission.has('fs.write', traversalFolderPath));
-}
+}