
sqlite: add permission model checks to DatabaseSync #62957

Draft
mcollina wants to merge 1 commit into nodejs:main from mcollina:sqlite-permission-checks

Conversation

@mcollina
Member

Add permission model enforcement to DatabaseSync::Open().

  • File-backed databases check kFileSystemRead (readOnly) or kFileSystemWrite (read-write) before calling sqlite3_open_v2.
  • In-memory databases (:memory:) are exempt.

Known limitation: db.exec() with ATTACH DATABASE SQL can still access arbitrary files at runtime. This would require parsing SQL to intercept ATTACH statements. Should we address that in this PR or a follow-up?

@nodejs-github-bot
Collaborator

Review requested:

  • @nodejs/security-wg
  • @nodejs/sqlite

@nodejs-github-bot added labels on Apr 25, 2026: c++ (Issues and PRs that require attention from people who are familiar with C++), needs-ci (PRs that need a full CI run), sqlite (Issues and PRs related to the SQLite subsystem).
@codecov

codecov Bot commented Apr 25, 2026

Codecov Report

❌ Patch coverage is 66.66667% with 3 lines in your changes missing coverage. Please review.
✅ Project coverage is 89.65%. Comparing base (ce6e451) to head (877530d).
⚠️ Report is 388 commits behind head on main.

Files with missing lines   Patch %   Lines
src/node_sqlite.cc         66.66%    3 Missing ⚠️
Additional details and impacted files
@@            Coverage Diff             @@
##             main   #62957      +/-   ##
==========================================
- Coverage   89.65%   89.65%   -0.01%     
==========================================
  Files         676      706      +30     
  Lines      206578   219401   +12823     
  Branches    39562    42073    +2511     
==========================================
+ Hits       185216   196709   +11493     
- Misses      13475    14577    +1102     
- Partials     7887     8115     +228     
Files with missing lines   Coverage Δ
src/node_sqlite.cc         80.66% <66.66%> (-0.14%) ⬇️

... and 222 files with indirect coverage changes


Commit message:

Add permission model enforcement to DatabaseSync::Open().
File-backed databases now check kFileSystemRead (readOnly) or
kFileSystemWrite (read-write) before calling sqlite3_open_v2.
In-memory databases (:memory:) are exempt.

Refs: https://hackerone.com/reports/3686625
@mcollina force-pushed the sqlite-permission-checks branch from 8ffad93 to 877530d on April 25, 2026 19:10
@RafaelGSS
Member


As long as it doesn't open precedence for reports targeting SQLite on permission model, I'm +1.

@louwers
Contributor


Hmm, I think this needs to take into account https://sqlite.org/uri.html

  • A database can be opened read-only with mode=ro or immutable=1.
  • Another way to create an in-memory database is with mode=memory.

Doing more string processing on the database path sounds a bit hacky though.

Edit: looks like we have not enabled SQLITE_USE_URI=1, but it would be good to leave a comment here that this needs to be updated when we do at the very least.

> As long as it doesn't open precedence for reports targeting SQLite on permission model, I'm +1.

Passing a custom VFS to SQLite that can really prevent reads/writes might be a more comprehensive solution worth considering...
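The decision the PR description spells out for DatabaseSync::Open() (read-only opens check kFileSystemRead, read-write opens check kFileSystemWrite, `:memory:` is exempt), extended with the URI filename cases raised in this review (`mode=ro`, `immutable=1`, `mode=memory` from https://sqlite.org/uri.html), written out as an added JavaScript model. This is not code from nodejs/node or from the PR's C++ change; the function names `parseSqliteUri`, `requiredPermission`, `effectivePath` and `isOpenAllowed` and the `uriEnabled` option are hypothetical, and `uriEnabled` defaults to false to match the review's note that Node does not build SQLite with SQLITE_USE_URI, so a `file:` string is then just a plain path.

```javascript
// Added example, not code from nodejs/node or from this PR. Models the
// permission decision for a DatabaseSync open, including SQLite URI
// filenames. Names below are hypothetical; kFileSystemRead and
// kFileSystemWrite are the permission names from the PR description.

const NONE = 'none';               // no file is touched (in-memory database)
const READ = 'kFileSystemRead';    // read-only open
const WRITE = 'kFileSystemWrite';  // read-write open

// Percent-decode like SQLite does (%HH only; '+' is left alone).
function safeDecode(s) {
  try {
    return decodeURIComponent(s);
  } catch {
    return s; // malformed escape: keep the raw text
  }
}

// Split a "file:" URI filename into its path and query parameters.
// Returns null for plain (non-URI) filenames.
function parseSqliteUri(filename) {
  if (!filename.startsWith('file:')) return null;
  const rest = filename.slice('file:'.length).split('#')[0]; // fragment is ignored
  const q = rest.indexOf('?');
  let path = q === -1 ? rest : rest.slice(0, q);
  const query = q === -1 ? '' : rest.slice(q + 1);
  // "file:///p" and "file://localhost/p" both name the absolute path "/p".
  if (path.startsWith('//')) {
    const slash = path.indexOf('/', 2);
    path = slash === -1 ? '' : path.slice(slash);
  }
  const params = {};
  for (const kv of query.split('&')) {
    if (kv === '') continue;
    const eq = kv.indexOf('=');
    const key = eq === -1 ? kv : kv.slice(0, eq);
    const value = eq === -1 ? '' : kv.slice(eq + 1);
    params[safeDecode(key)] = safeDecode(value);
  }
  return { path: safeDecode(path), params };
}

const TRUE_VALUES = new Set(['1', 'yes', 'true', 'on']); // SQLite boolean spellings

// Which permission an open of `filename` would have to pass. Mirrors the
// PR: ':memory:' is exempt, readOnly needs kFileSystemRead, everything else
// needs kFileSystemWrite. With uriEnabled (only meaningful if SQLite were
// built with SQLITE_USE_URI) the URI's own mode=ro / immutable / mode=memory
// are honoured as well.
function requiredPermission(filename, { readOnly = false, uriEnabled = false } = {}) {
  if (filename === ':memory:') return NONE;
  const uri = uriEnabled ? parseSqliteUri(filename) : null;
  if (uri === null) return readOnly ? READ : WRITE; // plain path
  const { path, params } = uri;
  if (params.mode === 'memory' || path === ':memory:') return NONE;
  if (readOnly || params.mode === 'ro' || TRUE_VALUES.has(params.immutable)) return READ;
  return WRITE;
}

// The file system path the permission model should be asked about.
function effectivePath(filename, { uriEnabled = false } = {}) {
  const uri = uriEnabled ? parseSqliteUri(filename) : null;
  return uri === null ? filename : uri.path;
}

// Consult the live permission model. process.permission exists only when
// node runs with --permission; with the model off every open is allowed.
function isOpenAllowed(filename, opts = {}) {
  const needed = requiredPermission(filename, opts);
  if (needed === NONE) return true;
  const perm = typeof process !== 'undefined' ? process.permission : undefined;
  if (perm === undefined) return true;
  const scope = needed === READ ? 'fs.read' : 'fs.write';
  return perm.has(scope, effectivePath(filename, opts));
}

// Stand-alone demo: print the decision for a few constructed filenames.
if (typeof require !== 'undefined' && require.main === module) {
  for (const f of [':memory:', 'data.db', 'file:data.db?mode=ro', 'file:memdb1?mode=memory']) {
    console.log(f, '->', requiredPermission(f, { uriEnabled: true }), 'allowed:', isOpenAllowed(f, { uriEnabled: true }));
  }
}
```

Run it plainly to see the classification, or under `node --permission --allow-fs-read=/abs/path/to/data.db` to watch `isOpenAllowed` follow the real model: the read-only open of that file passes while the read-write open, which the PR checks against the write permission, does not. The `uriEnabled` switch is the point of the review comment: as long as the URI parameters are not interpreted, `file:data.db?mode=ro` is checked as a read-write open of a literally named file, and the check must be revisited the moment SQLITE_USE_URI is turned on.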

@mcollina
Member Author

> Passing a custom VFS to SQLite that can really prevent reads/writes might be a more comprehensive solution worth considering...

https://sqlite.org/vfs.html sounds really cool! I will take a look.

@mcollina mcollina marked this pull request as draft April 30, 2026 07:44
4 participants