
Commit bdf5873

committed
permission: add network check on pipe_wrap connect
Refs: https://hackerone.com/reports/3465156 PR-URL: nodejs-private/node-private#784 Reviewed-By: Anna Henningsen <[email protected]> Reviewed-By: Marco Ippolito <[email protected]> CVE-ID: CVE-2026-21636
1 parent 0578e3e commit bdf5873


2 files changed

+34
-0
lines changed


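--- a/src/pipe_wrap.cc
+++ b/src/pipe_wrap.cc
@@ -226,6 +226,9 @@ void PipeWrap::Connect(const FunctionCallbackInfo<Value>& args) {
 Local<Object> req_wrap_obj = args[0].As<Object>();
 node::Utf8Value name(env->isolate(), args[1]);
 
+ERR_ACCESS_DENIED_IF_INSUFFICIENT_PERMISSIONS(
+env, permission::PermissionScope::kNet, name.ToStringView(), args);
+
 ConnectWrap* req_wrap =
 new ConnectWrap(env, req_wrap_obj, AsyncWrap::PROVIDER_PIPECONNECTWRAP);
 int err = req_wrap->Dispatch(uv_pipe_connect2,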
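Review bot: The added kNet check in PipeWrap::Connect carries no comment explaining why a pipe path is gated by the network scope, which is the design decision a later reader will question first given that `name` is a filesystem path. I would put one line above the macro, e.g. `// Pipe/UNIX-socket connects are treated as network access, so they need the net permission.` The resource handed to the check is the raw `name` string, so it is worth confirming how the net scope matches a path-shaped resource if it is ever granted selectively. Connect's body starts and ends outside the hunk, and whether the other PipeWrap entry points have an equivalent check is not visible here.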
Lines changed: 31 additions & 0 deletions
@@ -0,0 +1,31 @@
1+
// Flags: --permission --allow-fs-read=*
2+
'use strict';
3+
4+
const common = require('../common');
5+
if (!common.hasCrypto) { common.skip('missing crypto'); };
6+
7+
if (common.isWindows) {
8+
common.skip('This test only works on unix');
9+
}
10+
11+
const assert = require('assert');
12+
const net = require('net');
13+
const tls = require('tls');
14+
15+
{
16+
const client = net.connect({ path: '/tmp/perm.sock' });
17+
client.on('error', common.mustCall((err) => {
18+
assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');
19+
}));
20+
21+
client.on('connect', common.mustNotCall('TCP connection should be blocked'));
22+
}
23+
24+
{
25+
const client = tls.connect({ path: '/tmp/perm.sock' });
26+
client.on('error', common.mustCall((err) => {
27+
assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');
28+
}));
29+
30+
client.on('connect', common.mustNotCall('TCP connection should be blocked'));
31+
}
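Review bot: Both `mustNotCall` messages say 'TCP connection should be blocked', but `net.connect({ path })` and `tls.connect({ path })` open pipe connections, so a failure here would print a misleading message; something like `common.mustNotCall('pipe connection should be blocked')` matches what is tested. The assertions check only `err.code`, which does not show which scope denied the call; if the error object exposes the denied permission, asserting it as well would pin the denial to the net scope rather than to anything path-related. The fixed `/tmp/perm.sock` path is fine while the connect is denied before any I/O, but a per-test temporary path would keep the test independent of what exists on the host. There is also a stray `;` after the closing brace of the `hasCrypto` guard.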
