Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

permission: fix chmod,chown,link, and lutimes #47529

Merged
merged 1 commit into from
Apr 13, 2023
Merged

permission: fix chmod,chown,link, and lutimes #47529

merged 1 commit into from
Apr 13, 2023

Conversation

RafaelGSS
Copy link
Member

@RafaelGSS RafaelGSS commented Apr 12, 2023
edited
Loading

fs.chmod, fs.chown, fs.link , and fs.lutimes wasn't handled properly by the permission model. This PR fixes it and increase the coverage of all file system API using permission model
cc: @nodejs/security-wg

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. fs Issues and PRs related to the fs subsystem / file system. needs-ci PRs that need a full CI run. labels Apr 12, 2023
@RafaelGSS RafaelGSS added the request-ci Add this label to start a Jenkins CI on a PR. label Apr 12, 2023
@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Apr 12, 2023
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/51169/

marco-ippolito
marco-ippolito approved these changes Apr 12, 2023
View reviewed changes
Copy link
Member

@marco-ippolito marco-ippolito left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@github-actions github-actions bot mentioned this pull request Apr 13, 2023
Open
36 tasks
@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/51180/

@nodejs-github-bot
Copy link
Collaborator

CI: https://ci.nodejs.org/job/node-test-pull-request/51199/

@RafaelGSS RafaelGSS added the fast-track PRs that do not need to wait for 48 hours to land. label Apr 13, 2023
@github-actions
Copy link
Contributor

Fast-track has been requested by @RafaelGSS. Please 👍 to approve.

@RafaelGSS
Copy link
Member Author

I need to include it on v20.0.0 proposal for security reasons.

tniessen
tniessen reviewed Apr 13, 2023
View reviewed changes
Copy link
Member

@tniessen tniessen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The title and description only mention chmod and chown, but based on the diff, it looks like there are also issues with link and lutimes.

@tniessen tniessen added the security Issues and PRs related to security. label Apr 13, 2023
@RafaelGSS RafaelGSS changed the title permission: fix chmod,chown improve fs coverage permission: fix chmod,chown,link, and lutimes Apr 13, 2023
@tniessen
Copy link
Member

I need to include it on v20.0.0 proposal for security reasons.

We've previously delayed releasing the permission model whenever a new vulnerability was found. #44004 (comment) suggested a "a baking-time of 1 release for this feature (after landing all the patches)". It's not semver-major so we could land it in 20.1.0 instead, but I assume that's not really an option because 20.x is picking up everything from the main branch.

@RafaelGSS
Copy link
Member Author

I need to include it on v20.0.0 proposal for security reasons.

We've previously delayed releasing the permission model whenever a new vulnerability was found. #44004 (comment) suggested a "a baking-time of 1 release for this feature (after landing all the patches)". It's not semver-major so we could land it in 20.1.0 instead, but I assume that's not really an option because 20.x is picking up everything from the main branch.

To not land it on v20.x we would need a revert PR to all affected PRs, which I'm not considering as an option for now.

@RafaelGSS RafaelGSS added the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 13, 2023
@nodejs-github-bot nodejs-github-bot removed the commit-queue Add this label to land a pull request using GitHub Actions. label Apr 13, 2023
@nodejs-github-bot nodejs-github-bot merged commit 1323992 into nodejs:main Apr 13, 2023
@nodejs-github-bot
Copy link
Collaborator

Landed in 1323992

RafaelGSS added a commit that referenced this pull request Apr 13, 2023
@RafaelGSS
permission: fix chmod,chown improve fs coverage
3b04efd 
Signed-off-by: RafaelGSS <[email protected]>
PR-URL: #47529
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
RafaelGSS added a commit that referenced this pull request Apr 13, 2023
@RafaelGSS
permission: fix chmod,chown improve fs coverage
1dfdd6f 
Signed-off-by: RafaelGSS <[email protected]>
PR-URL: #47529
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
@RafaelGSS RafaelGSS mentioned this pull request Apr 13, 2023
Merged
RafaelGSS added a commit that referenced this pull request Apr 13, 2023
@RafaelGSS
permission: fix chmod,chown improve fs coverage
8bcf0a4 
Signed-off-by: RafaelGSS <[email protected]>
PR-URL: #47529
Reviewed-By: Benjamin Gruenbaum <[email protected]>
Reviewed-By: Marco Ippolito <[email protected]>
@github-actions github-actions bot mentioned this pull request Apr 15, 2023
Open
33 tasks
@danielleadams danielleadams added the backport-requested-v18.x PRs awaiting manual backport to the v18.x-staging branch. label Jul 3, 2023
@tniessen tniessen added the permission Issues and PRs related to the Permission Model label Aug 10, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@tniessen tniessen tniessen left review comments

@marco-ippolito marco-ippolito marco-ippolito approved these changes

@benjamingr benjamingr benjamingr approved these changes

Assignees
No one assigned
Labels
backport-requested-v18.x PRs awaiting manual backport to the v18.x-staging branch. c++ Issues and PRs that require attention from people who are familiar with C++. fast-track PRs that do not need to wait for 48 hours to land. fs Issues and PRs related to the fs subsystem / file system. needs-ci PRs that need a full CI run. permission Issues and PRs related to the Permission Model security Issues and PRs related to security.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
6 participants
@RafaelGSS @nodejs-github-bot @tniessen @benjamingr @marco-ippolito @danielleadams