permission: do not create symlinks if target is relative

[tniessen]

The permission model's security guarantees fall apart in the presence of relative symbolic links. When an application attempts to create a relative symlink, the permission model currently resolves the relative path into an absolute path based on the process's current working directory, checks whether the process has the relevant permissions, and then creates the symlink using the absolute target path. This behavior is plainly incorrect for two reasons:

1. The target path should never be resolved relative to the current working directory. If anything, it should be resolved relative to the symlink's location. (Of course, there is one insane exception to this rule: on Windows, each process has a current working directory per drive, and symlinks can be created with a target path relative to the current working directory of a specific drive. In that case, the relative path will be resolved relative to the current working directory for the respective drive, and the symlink will be created on disk with the resulting absolute path. Other relative symlinks will be stored as-is.)
2. Silently creating an absolute symlink when the user requested a relative symlink is wrong. The user may (or may not) rely on the symlink being relative. For example, npm heavily relies on relative symbolic links such that node_modules directories can be moved around without breaking.

Because we don't know the user's intentions, we don't know if creating an absolute symlink instead of a relative symlink is acceptable. This patch prevents the faulty behavior by not (incorrectly) resolving relative symlink targets when the permission model is enabled, and by instead simply refusing the create any relative symlinks.

The fs APIs accept Uint8Array objects for paths to be able to handle arbitrary file name charsets, however, checking whether such an object represents a relative part in a reliable and portable manner is tricky. Other parts of the permission model incorrectly convert such objects to strings and then back to an Uint8Array (see 1f64147), however, for now, this bug fix will simply throw on non-string symlink targets when the permission model is enabled. (The permission model already breaks existing applications in various ways, so this shouldn't be too dramatic.)

[RafaelGSS]

LGTM.

[anonrig]

This applies to all: If you move this line after getValidatedPath, you'd reduce the number of C++ calls, since getValidatedPath also calls toPathIfFileUrl function.

[tniessen]

This is tricky. I didn't find any elegant solution. It cannot be after getValidatedPath() because isAbsolute() will always be true after getValidatedPath() returns.

[mhdawson]

LGTM

[LiviaMedeiros]

Because we don't know the user's intentions, we don't know if creating an absolute symlink instead of a relative symlink is acceptable.

It we add to symlink methods relative option that is set to false by default, would it be enough to assume that users who don't enable it want absolute symlink?

[tniessen]

It we add to symlink methods relative option that is set to false by default, would it be enough to assume that users who don't enable it want absolute symlink?

That would be a significant breaking change. If a user really wants an absolute symlink, they can just pass in an absolute target path.

[RafaelGSS]

@tniessen why this is a draft?

[tniessen]

@RafaelGSS Because I haven't yet figured out how to deal with non-string paths.

[tniessen]

I am giving up on non-string inputs for now. Blindly coercing to strings as in 1f64147 seems like a mistake so me, so for now, the implementation always throws on non-string inputs.

I do not like contributing to how the permission model restricts legitimate applications in such ways, but I do not have energy or time to find a better solution and none has been suggested here either.

[RafaelGSS]

I think we could check if it's a Buffer and default it to utf8 to check if isAbsolute.

[tniessen]

On POSIX, that generally works because POSIX only checks the first byte (not character) of the path to see if it is absolute. On Windows, I am not so sure.

[RafaelGSS]

I have played a bit on Windows today (I was fixing another issue) and I couldn't reproduce the case you've mentioned.

[tniessen]

@RafaelGSS Is this a blocking suggestion? I think it'd be appropriate to add support for Uint8Array paths in a follow-up PR if desired. I myself am not confident that I'd do so without introducing new issues on Windows.

[RafaelGSS]

No blocking suggestion. Once you merge it I can create an issue to work on that.

[anonrig]

Why don't we move this to C++?

[tniessen]

Is there any reason to do so as part of this bug fix? Is there a potential security issue here?

[anonrig]

Well, I am moving each of these functions to C++. Adding more JS, means we will move it to C++ in a different PR. It just bloats the git history.

[tniessen]

I might be missing something here. This bug fix has to be applied in either case. I don't think moving this to C++ would reduce the size of the git diff either. Bug fixes should be as small as possible so that they can be backported easily.

If you want to request changes on this PR and incorporate the fix in your own PR, that's fine by me, but moving this logic to C++ as part of a bug fix, absent of any known issues with the JavaScript implementation, is not something that I'll spend time on.

Otherwise, I'll merge this soon-ish because bug fixes still have priority over most other changes.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/55832/

[tniessen]

I had to rebase due to #50318. PTAL.

[RafaelGSS]

@tniessen once you get a green CI feel free to ping me

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/55854/

[tniessen]

CI is green @RafaelGSS. It would be great if you could re-approve and add the commit-queue label 🙂

[nodejs-github-bot]

Landed in 041d435