permission: add permission check to realpath.native

Signed-off-by: RafaelGSS <rafael.nunu@hotmail.com>
PR-URL: nodejs-private/node-private#838
CVE-ID: CVE-2026-21715

Author: RafaelGSS

src/node_file.cc

@@ -1912,11 +1912,19 @@ static void RealPath(const FunctionCallbackInfo<Value>& args) {
 
   if (argc > 2) {  // realpath(path, encoding, req)
     FSReqBase* req_wrap_async = GetReqWrap(args, 2);
+    CHECK_NOT_NULL(req_wrap_async);
+    ASYNC_THROW_IF_INSUFFICIENT_PERMISSIONS(
+        env,
+        req_wrap_async,
+        permission::PermissionScope::kFileSystemRead,
+        path.ToStringView());
     FS_ASYNC_TRACE_BEGIN1(
         UV_FS_REALPATH, req_wrap_async, "path", TRACE_STR_COPY(*path))
     AsyncCall(env, req_wrap_async, args, "realpath", encoding, AfterStringPtr,
               uv_fs_realpath, *path);
   } else {  // realpath(path, encoding, undefined, ctx)
+    THROW_IF_INSUFFICIENT_PERMISSIONS(
+        env, permission::PermissionScope::kFileSystemRead, path.ToStringView());
     FSReqWrapSync req_wrap_sync("realpath", *path);
     FS_SYNC_TRACE_BEGIN(realpath);
     int err =

test/fixtures/permission/fs-read.js

@@ -480,4 +480,18 @@ const regularFile = __filename;
   fs.lstat(regularFile, (err) => {
     assert.ifError(err);
   });
+}
+
+// fs.realpath.native
+{
+  fs.realpath.native(blockedFile, common.expectsError({
+    code: 'ERR_ACCESS_DENIED',
+    permission: 'FileSystemRead',
+    resource: path.toNamespacedPath(blockedFile),
+  }));
+
+  // doesNotThrow
+  fs.realpath.native(regularFile, (err) => {
+    assert.ifError(err);
+  });
 }