permission: guard pipe open and chmod with net scope

RafaelGSS · aduh95 · commit a67dd468913b · 2026-06-17T18:52:19.000+02:00
Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com> PR-URL: nodejs-private/node-private#885 Reviewed-By: Antoine du Hamel <duhamelantoine1995@gmail.com> CVE-ID: CVE-2026-48936 Refs: https://hackerone.com/reports/3618831
diff --git a/src/pipe_wrap.cc b/src/pipe_wrap.cc
@@ -184,8 +184,10 @@ void PipeWrap::SetPendingInstances(const FunctionCallbackInfo<Value>& args) {
 void PipeWrap::Fchmod(const v8::FunctionCallbackInfo<v8::Value>& args) {
   PipeWrap* wrap;
   ASSIGN_OR_RETURN_UNWRAP(&wrap, args.This());
+  Environment* env = wrap->env();
   CHECK(args[0]->IsInt32());
   int mode = args[0].As<Int32>()->Value();
+  THROW_IF_INSUFFICIENT_PERMISSIONS(env, permission::PermissionScope::kNet, "");
   int err = uv_pipe_chmod(&wrap->handle_, mode);
   args.GetReturnValue().Set(err);
 }
diff --git a/test/parallel/test-permission-net-uds.js b/test/parallel/test-permission-net-uds.js
@@ -9,11 +9,16 @@ if (common.isWindows) {
 }
 
 const assert = require('assert');
+const fs = require('fs');
 const net = require('net');
 const tls = require('tls');
 
+const pipePath = (name) => `/tmp/node-test-${process.pid}-${name}.sock`;
+
+assert.strictEqual(process.permission.has('net'), false);
+
 {
-  const client = net.connect({ path: '/tmp/perm.sock' });
+  const client = net.connect({ path: pipePath('perm') });
   client.on('error', common.mustCall((err) => {
     assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');
   }));
@@ -22,7 +27,7 @@ const tls = require('tls');
 }
 
 {
-  const client = tls.connect({ path: '/tmp/perm.sock' });
+  const client = tls.connect({ path: pipePath('perm-tls') });
   client.on('error', common.mustCall((err) => {
     assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');
   }));
@@ -31,19 +36,25 @@ const tls = require('tls');
 }
 
 {
+  const path = pipePath('perm-server');
+  const server = net.createServer();
   assert.throws(() => {
-    net.createServer().listen('/tmp/perm-server.sock');
+    server.listen(path);
   }, {
     code: 'ERR_ACCESS_DENIED',
     permission: 'Net',
   });
+  assert.strictEqual(fs.existsSync(path), false);
 }
 
 {
+  const path = pipePath('perm-tls-server');
+  const server = tls.createServer();
   assert.throws(() => {
-    tls.createServer().listen('/tmp/perm-tls-server.sock');
+    server.listen(path);
   }, {
     code: 'ERR_ACCESS_DENIED',
     permission: 'Net',
   });
+  assert.strictEqual(fs.existsSync(path), false);
 }

Original file line number	Diff line number	Diff line change
`@@ -9,11 +9,16 @@ if (common.isWindows) {`
`9`	`9`	`}`
`10`	`10`
`11`	`11`	`const assert = require('assert');`
	`12`	`+const fs = require('fs');`
`12`	`13`	`const net = require('net');`
`13`	`14`	`const tls = require('tls');`
`14`	`15`
	`16`	+const pipePath = (name) => `/tmp/node-test-${process.pid}-${name}.sock`;
	`17`	`+`
	`18`	`+assert.strictEqual(process.permission.has('net'), false);`
	`19`	`+`
`15`	`20`	`{`
`16`		`- const client = net.connect({ path: '/tmp/perm.sock' });`
	`21`	`+ const client = net.connect({ path: pipePath('perm') });`
`17`	`22`	`client.on('error', common.mustCall((err) => {`
`18`	`23`	`assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');`
`19`	`24`	`}));`
`@@ -22,7 +27,7 @@ const tls = require('tls');`
`22`	`27`	`}`
`23`	`28`
`24`	`29`	`{`
`25`		`- const client = tls.connect({ path: '/tmp/perm.sock' });`
	`30`	`+ const client = tls.connect({ path: pipePath('perm-tls') });`
`26`	`31`	`client.on('error', common.mustCall((err) => {`
`27`	`32`	`assert.strictEqual(err.code, 'ERR_ACCESS_DENIED');`
`28`	`33`	`}));`
`@@ -31,19 +36,25 @@ const tls = require('tls');`
`31`	`36`	`}`
`32`	`37`
`33`	`38`	`{`
	`39`	`+ const path = pipePath('perm-server');`
	`40`	`+ const server = net.createServer();`
`34`	`41`	`assert.throws(() => {`
`35`		`- net.createServer().listen('/tmp/perm-server.sock');`
	`42`	`+ server.listen(path);`
`36`	`43`	`}, {`
`37`	`44`	`code: 'ERR_ACCESS_DENIED',`
`38`	`45`	`permission: 'Net',`
`39`	`46`	`});`
	`47`	`+ assert.strictEqual(fs.existsSync(path), false);`
`40`	`48`	`}`
`41`	`49`
`42`	`50`	`{`
	`51`	`+ const path = pipePath('perm-tls-server');`
	`52`	`+ const server = tls.createServer();`
`43`	`53`	`assert.throws(() => {`
`44`		`- tls.createServer().listen('/tmp/perm-tls-server.sock');`
	`54`	`+ server.listen(path);`
`45`	`55`	`}, {`
`46`	`56`	`code: 'ERR_ACCESS_DENIED',`
`47`	`57`	`permission: 'Net',`
`48`	`58`	`});`
	`59`	`+ assert.strictEqual(fs.existsSync(path), false);`
`49`	`60`	`}`