Skip to content

sqlite: add permission model checks to DatabaseSync#62957

Open
mcollina wants to merge 3 commits into
nodejs:mainfrom
mcollina:sqlite-permission-checks
Open

sqlite: add permission model checks to DatabaseSync#62957
mcollina wants to merge 3 commits into
nodejs:mainfrom
mcollina:sqlite-permission-checks

Conversation

@mcollina

Copy link
Copy Markdown
Member

Add permission model enforcement to DatabaseSync::Open().

  • File-backed databases check kFileSystemRead (readOnly) or kFileSystemWrite (read-write) before calling sqlite3_open_v2.
  • In-memory databases (:memory:) are exempt.

Known limitation: db.exec() with ATTACH DATABASE SQL can still access arbitrary files at runtime. This would require parsing SQL to intercept ATTACH statements. Should we address that in this PR or a follow-up?

@nodejs-github-bot

Copy link
Copy Markdown
Collaborator

Review requested:

  • @nodejs/security-wg
  • @nodejs/sqlite

@nodejs-github-bot nodejs-github-bot added c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. sqlite Issues and PRs related to the SQLite subsystem. labels Apr 25, 2026
@codecov

codecov Bot commented Apr 25, 2026

Copy link
Copy Markdown

Codecov Report

❌ Patch coverage is 63.40289% with 228 lines in your changes missing coverage. Please review.
✅ Project coverage is 90.17%. Comparing base (384d7a4) to head (b1cfecf).
⚠️ Report is 4 commits behind head on main.

Files with missing lines Patch % Lines
src/node_sqlite_vfs.cc 60.34% 149 Missing and 60 partials ⚠️
src/node_sqlite.cc 85.71% 3 Missing and 7 partials ⚠️
src/permission/fs_permission.cc 64.28% 2 Missing and 3 partials ⚠️
src/permission/permission.cc 66.66% 0 Missing and 2 partials ⚠️
src/permission/permission_base.h 0.00% 2 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #62957      +/-   ##
==========================================
- Coverage   90.21%   90.17%   -0.05%     
==========================================
  Files         741      744       +3     
  Lines      241608   242218     +610     
  Branches    45534    45667     +133     
==========================================
+ Hits       217972   218424     +452     
- Misses      15154    15270     +116     
- Partials     8482     8524      +42     
Files with missing lines Coverage Δ
src/node_sqlite.h 81.25% <100.00%> (+0.60%) ⬆️
src/node_sqlite_vfs.h 100.00% <100.00%> (ø)
src/permission/fs_permission.h 90.00% <ø> (ø)
src/permission/permission.h 100.00% <ø> (ø)
src/permission/permission.cc 81.90% <66.66%> (-0.43%) ⬇️
src/permission/permission_base.h 0.00% <0.00%> (ø)
src/permission/fs_permission.cc 70.43% <64.28%> (+0.06%) ⬆️
src/node_sqlite.cc 80.79% <85.71%> (+0.07%) ⬆️
src/node_sqlite_vfs.cc 60.34% <60.34%> (ø)

... and 38 files with indirect coverage changes

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@mcollina mcollina force-pushed the sqlite-permission-checks branch from 8ffad93 to 877530d Compare April 25, 2026 19:10

@RafaelGSS RafaelGSS left a comment

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

As long as it doesn't open precedence for reports targeting SQLite on permission model, I'm +1.

@louwers louwers left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hmm, I think this needs to take into account https://sqlite.org/uri.html

  • A database can be opened read-only with mode=ro or immutable=1.
  • Another way to create an in-memory database is with mode=memory.

Doing more string processing on the database path sounds a bit hacky though.

Edit: looks like we have not enabled SQLITE_USE_URI=1, but it would be good to leave a comment here that this needs to be updated when we do at the very least.

As long as it doesn't open precedence for reports targeting SQLite on permission model, I'm +1.

Passing a custom VFS to SQLite that can really prevent reads/writes might be a more comprehensive solution worth considering...

@mcollina

Copy link
Copy Markdown
Member Author

Passing a custom VFS to SQLite that can really prevent reads/writes might be a more comprehensive solution worth considering...

https://sqlite.org/vfs.html sounds really cool! I will take a look.

@mcollina mcollina marked this pull request as draft April 30, 2026 07:44
@mcollina mcollina marked this pull request as ready for review July 13, 2026 13:47
mcollina and others added 3 commits July 13, 2026 14:00
Add permission model enforcement to DatabaseSync::Open().
File-backed databases now check kFileSystemRead (readOnly) or
kFileSystemWrite (read-write) before calling sqlite3_open_v2.
In-memory databases (:memory:) are exempt.

Refs: https://hackerone.com/reports/3686625
Signed-off-by: Matteo Collina <matteo.collina@gmail.com>
Signed-off-by: Matteo Collina <matteo.collina@gmail.com>
@mcollina mcollina force-pushed the sqlite-permission-checks branch from 2bef788 to b1cfecf Compare July 13, 2026 15:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

c++ Issues and PRs that require attention from people who are familiar with C++. needs-ci PRs that need a full CI run. sqlite Issues and PRs related to the SQLite subsystem.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants