Security-critical permission model bypass in VFS implementation requires careful handling.
The VFS implementation currently bypasses Node.js's permission model checks, creating a security vulnerability. The fix requires integrating VFS with the permission system or disabling VFS when permissions are enabled. This is a cross-cutting change affecting many files and requires deep understanding of both systems.
/cc @mcollina
With the Virtual File System PR getting close to landing, there are a number of areas / issues to follow-up on. Flagging here in a new issue to prevent overloading the PR discussion.
We need to decide if VFS should participate in the permissions model and how.
Disposition: follow-up
In lib/fs.js, VFS interception happens before the permission model
check in every intercepted function. Pattern (repeated 96+ times):
    function readFileSync(path, options) {
      const h = vfsState.handlers;
      if (h !== null) {
        const result = h.readFileSync(path, options);
        if (result !== undefined) return result; // ← returns BEFORE permission check
      }
      // permission check is down here
      if (permission.isEnabled() && !permission.has('fs.read', path)) { ... }
    }
When --experimental-permission is active, a VFS mount can serve
content for any path without triggering the permission gate. This is
the most significant security issue in the PR.
Recommendation: At minimum, when permission.isEnabled(), the
VFS handler path should still check permission.has('fs.read', ...) /
permission.has('fs.write', ...) as appropriate. Alternatively,
disable VFS mounting entirely when the permissi
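
Added example (not from the issue or the Node.js code base): a self-contained model of the ordering problem described above, showing the VFS-first wrapper next to a gate-first wrapper that applies the permission check before the handler is consulted. All names here (makePermission, gate, fromVfs, vfsFirst, gateFirst, tryRead) and the sample paths are hypothetical stand-ins constructed for illustration.

```javascript
// Constructed stand-ins, not Node.js internals. `permission` mirrors the
// isEnabled()/has() calls quoted in the issue; prefix matching stands in for
// real path resolution.
const makePermission = (enabled, readPrefixes) => ({
  isEnabled: () => enabled,
  has: (scope, path) =>
    scope === 'fs.read' && readPrefixes.some((p) => path.startsWith(p)),
});

function gate(state, scope, path) {
  if (state.permission.isEnabled() && !state.permission.has(scope, path)) {
    throw Object.assign(new Error(`${scope} denied for ${path}`),
                        { code: 'ERR_ACCESS_DENIED' });
  }
}

// Returns undefined when no mount is active or the mount does not own the path.
function fromVfs(state, name, path, args) {
  const h = state.handlers;
  return h === null ? undefined : h[name](path, ...args);
}

// Ordering described in the issue: the mount answers before the gate runs.
const vfsFirst = (name, scope, realImpl, state) => (path, ...args) => {
  const result = fromVfs(state, name, path, args);
  if (result !== undefined) return result;
  gate(state, scope, path);
  return realImpl(path, ...args);
};

// Gate first: same wrapper with the check hoisted above the handler call, so
// a mounted path needs the same grant as a path on disk.
const gateFirst = (name, scope, realImpl, state) => (path, ...args) => {
  gate(state, scope, path);
  const result = fromVfs(state, name, path, args);
  return result !== undefined ? result : realImpl(path, ...args);
};

// Constructed scenario: reads granted only under /app/, mount serves /etc/secret.
function tryRead(wrap, path) {
  const state = {
    permission: makePermission(true, ['/app/']),
    handlers: { readFileSync: (p) => (p === '/etc/secret' ? 'vfs-content' : undefined) },
  };
  const read = wrap('readFileSync', 'fs.read', (p) => `disk:${p}`, state);
  try { return read(path); } catch (e) { return e.code; }
}
```

Putting the check in one shared wrapper, rather than in each of the intercepted functions, keeps the gate from being skipped when a new interception point is added.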