From 877530db1fe2756674cb2914403cb6706e0f5de7 Mon Sep 17 00:00:00 2001
From: Matteo Collina <hello@matteocollina.com>
Date: Thu, 23 Apr 2026 20:07:23 +0000
Subject: [PATCH] sqlite: add permission model checks to DatabaseSync

Add permission model enforcement to DatabaseSync::Open().
File-backed databases now check kFileSystemRead (readOnly) or
kFileSystemWrite (read-write) before calling sqlite3_open_v2.
In-memory databases (:memory:) are exempt.

Refs: https://hackerone.com/reports/3686625
---
 src/node_sqlite.cc                      |  13 +++
 test/fixtures/permission/sqlite.db      | Bin 0 -> 8192 bytes
 test/parallel/test-permission-sqlite.js | 146 ++++++++++++++++++++++++
 3 files changed, 159 insertions(+)
 create mode 100644 test/fixtures/permission/sqlite.db
 create mode 100644 test/parallel/test-permission-sqlite.js

diff --git a/src/node_sqlite.cc b/src/node_sqlite.cc
index 9c3aa6e0b4dc5f..e03ac41efc2954 100644
--- a/src/node_sqlite.cc
+++ b/src/node_sqlite.cc
@@ -912,6 +912,19 @@ bool DatabaseSync::Open() {
     return false;
   }
 
+  // Permission checks: skip for in-memory databases, enforce FS permissions
+  // for file-backed databases.
+  std::string_view db_path = open_config_.location();
+  if (db_path != ":memory:" && !db_path.empty()) {
+    if (open_config_.get_read_only()) {
+      THROW_IF_INSUFFICIENT_PERMISSIONS(
+          env(), permission::PermissionScope::kFileSystemRead, db_path, false);
+    } else {
+      THROW_IF_INSUFFICIENT_PERMISSIONS(
+          env(), permission::PermissionScope::kFileSystemWrite, db_path, false);
+    }
+  }
+
   // TODO(cjihrig): Support additional flags.
   int default_flags = SQLITE_OPEN_URI;
   int flags = open_config_.get_read_only()
diff --git a/test/fixtures/permission/sqlite.db b/test/fixtures/permission/sqlite.db
new file mode 100644
index 0000000000000000000000000000000000000000..2321b9eac82af67ad5f7624720168fcf24f09e13
GIT binary patch
literal 8192
zcmeI#u?oU45C-5&6>*Wel&&`_h>I^^l_1qBS~J+OV#GqFpi%HKd>0?cr|4{}?sgUa
zBbQ5#gTS|Cy$TYed7qt*vEc!=NeCJ;6Or}JqP#;Cd;NPZOL_kl7WMDXRxu^)2Neqe
z0SG_<0uX=z1Rwwb2tWV=5P(2MfvIS?jw5a+-lp2<vnkUWhtgA$l{X3`mmTgTJN6e!
zPGrc-(4Tu@#4{Q7_!_4d%}Q=m_wzT;$<8Z2jxh*800Izz00bZa0SG_<0uX=z1pY*z
LDQe^%bed)_06-&%

literal 0
HcmV?d00001

diff --git a/test/parallel/test-permission-sqlite.js b/test/parallel/test-permission-sqlite.js
new file mode 100644
index 00000000000000..9dafe5e7abe11d
--- /dev/null
+++ b/test/parallel/test-permission-sqlite.js
@@ -0,0 +1,146 @@
+// Flags: --permission --allow-fs-read=* --allow-fs-write=* --allow-child-process
+'use strict';
+
+const common = require('../common');
+common.skipIfSQLiteMissing();
+
+const { isMainThread } = require('worker_threads');
+
+if (!isMainThread) {
+  common.skip('This test only works on a main thread');
+}
+
+const assert = require('node:assert');
+const { spawnSync } = require('node:child_process');
+const fixtures = require('../common/fixtures');
+
+const spawnOpts = {
+  encoding: 'utf8',
+};
+
+const sqliteCode = {
+  // Open database in read-only mode (should require fs.read)
+  readOnly: `const sqlite = require('node:sqlite');
+    const db = new sqlite.DatabaseSync(process.env.DB_PATH, { readOnly: true });
+    db.close();`,
+
+  // Open database in read-write mode (should require fs.write)
+  readWrite: `const sqlite = require('node:sqlite');
+    const db = new sqlite.DatabaseSync(process.env.DB_PATH);
+    db.close();`,
+
+  // Open database with options.open = false (no FS access expected at construction)
+  noOpen: `const sqlite = require('node:sqlite');
+    const db = new sqlite.DatabaseSync(process.env.DB_PATH, { open: false });
+    db.open();
+    db.close();`,
+};
+
+const dbPath = fixtures.path('permission', 'sqlite.db');
+
+{
+  // Opening a database read-only should be blocked when fs.read is not granted
+  const code = sqliteCode.readOnly.replace(/\n/g, ' ');
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--permission',
+      '--allow-fs-read=/nonexistent',
+      '--eval', code,
+    ],
+    {
+      ...spawnOpts,
+      env: {
+        ...process.env,
+        DB_PATH: dbPath,
+      },
+    },
+  );
+  assert.strictEqual(status, 1, `stderr: ${stderr}`);
+  assert.match(stderr, /Access to this API has been restricted/);
+}
+
+{
+  // Opening a database read-write should be blocked when fs.write is not granted
+  const code = sqliteCode.readWrite.replace(/\n/g, ' ');
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--permission',
+      '--allow-fs-write=/nonexistent',
+      '--eval', code,
+    ],
+    {
+      ...spawnOpts,
+      env: {
+        ...process.env,
+        DB_PATH: dbPath,
+      },
+    },
+  );
+  assert.strictEqual(status, 1, `stderr: ${stderr}`);
+  assert.match(stderr, /Access to this API has been restricted/);
+}
+
+{
+  // Opening a database read-write should be allowed when permissions are granted
+  const code = sqliteCode.readWrite.replace(/\n/g, ' ');
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--permission',
+      '--allow-fs-write=*',
+      '--allow-fs-read=*',
+      '--eval', code,
+    ],
+    {
+      ...spawnOpts,
+      env: {
+        ...process.env,
+        DB_PATH: dbPath,
+      },
+    },
+  );
+  assert.strictEqual(status, 0, `stderr: ${stderr}`);
+}
+
+{
+  // Opening with open: false should not check permissions at construction,
+  // but db.open() should still check permissions
+  const code = sqliteCode.noOpen.replace(/\n/g, ' ');
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--permission',
+      '--allow-fs-read=/nonexistent',
+      '--allow-fs-write=/nonexistent',
+      '--eval', code,
+    ],
+    {
+      ...spawnOpts,
+      env: {
+        ...process.env,
+        DB_PATH: dbPath,
+      },
+    },
+  );
+  assert.strictEqual(status, 1, `stderr: ${stderr}`);
+  assert.match(stderr, /Access to this API has been restricted/);
+}
+
+{
+  // Memory database should not be restricted
+  const code = `const sqlite = require('node:sqlite');
+    const db = new sqlite.DatabaseSync(':memory:');
+    db.close();`.replace(/\n/g, ' ');
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--permission',
+      '--allow-fs-read=/nonexistent',
+      '--eval', code,
+    ],
+    spawnOpts,
+  );
+  assert.strictEqual(status, 0, `stderr: ${stderr}`);
+}