src,permission: fix UNC path resolution

PR-URL: https://github.com/nodejs-private/node-private/pull/581
Fixes: https://hackerone.com/bugs?subject=nodejs&report_id=2079103
CVE-ID: CVE-2024-37372

src/permission/fs_permission.cc

@@ -49,15 +49,18 @@ bool is_tree_granted(
     const std::string_view& param) {
   std::string resolved_param = node::PathResolve(env, {param});
 #ifdef _WIN32
-  // is UNC file path
-  if (resolved_param.rfind("\\\\", 0) == 0) {
-    // return lookup with normalized param
-    size_t starting_pos = 4;  // "\\?\"
-    if (resolved_param.rfind("\\\\?\\UNC\\") == 0) {
-      starting_pos += 4;  // "UNC\"
-    }
-    auto normalized = param.substr(starting_pos);
-    return granted_tree->Lookup(normalized, true);
+  // Remove leading "\\?\" from UNC path
+  if (resolved_param.substr(0, 4) == "\\\\?\\") {
+    resolved_param.erase(0, 4);
+  }
+
+  // Remove leading "UNC\" from UNC path
+  if (resolved_param.substr(0, 4) == "UNC\\") {
+    resolved_param.erase(0, 4);
+  }
+  // Remove leading "//" from UNC path
+  if (resolved_param.substr(0, 2) == "//") {
+    resolved_param.erase(0, 2);
   }
 #endif
   return granted_tree->Lookup(resolved_param, true);

test/parallel/test-permission-fs-windows-path.js

@@ -38,3 +38,12 @@ if (!common.isWindows) {
   assert.strictEqual(stdout.toString(), 'true\n', stderr.toString());
   assert.strictEqual(status, 0);
 }
+
+{
+  const { stdout, status, stderr } = spawnSync(process.execPath, [
+    '--experimental-permission', '--allow-fs-write', 'C:\\*', '-e',
+    "console.log(process.permission.has('fs.write', '\\\\\\\\A\\\\C:\\Users'))",
+  ]);
+  assert.strictEqual(stdout.toString(), 'false\n', stderr.toString());
+  assert.strictEqual(status, 0);
+}