403

ardatan · Feb 11, 2025 · f223f8e · f223f8e
1 parent ab82e44
commit f223f8e
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 2 deletions.
diff --git a/packages/node-fetch/src/fetch.ts b/packages/node-fetch/src/fetch.ts
@@ -13,6 +13,7 @@ const BASE64_SUFFIX = ';base64';
 async function getResponseForFile(url: string) {
   const path = fileURLToPath(url);
   try {
+    await fsPromises.access(path, fsPromises.constants.R_OK);
     const stats = await fsPromises.stat(path, {
       bigint: true,
     });

diff --git a/packages/node-fetch/tests/non-http-fetch.spec.ts b/packages/node-fetch/tests/non-http-fetch.spec.ts
@@ -1,4 +1,6 @@
 import { Buffer } from 'node:buffer';
+import { unlinkSync, writeFileSync } from 'node:fs';
+import { tmpdir } from 'node:os';
 import { join } from 'node:path';
 import { pathToFileURL } from 'node:url';
 import { describe, expect, it } from '@jest/globals';
@@ -20,8 +22,15 @@ describe('File protocol', () => {
     expect(response.status).toBe(404);
   });
   it('returns 403 if file is not accessible', async () => {
-    const response = await fetchPonyfill(pathToFileURL('/etc/shadow'));
-    expect(response.status).toBe(403);
+    const tmpDir = tmpdir();
+    const path = join(tmpDir, 'forbidden.json');
+    writeFileSync(path, '{ "test": 1 }', { mode: 0o000 });
+    try {
+      const response = await fetchPonyfill(pathToFileURL(path));
+      expect(response.status).toBe(403);
+    } finally {
+      unlinkSync(path);
+    }
   });
 });