permission: check symlink target in cpSync (incomplete CVE-2025-55130)

[fg0x0]

What

Add permission checks for symlink target paths in CpSyncCopyDir (src/node_file.cc).

Why

fs.cpSync with recursive: true copies symlinks via std::filesystem::create_symlink() and copy_symlink() without validating the symlink target against the permission model. This allows reading and writing files outside permitted paths through copied symlinks.

fs.symlinkSync was fixed for this in the CVE-2025-55130 patch (lines 1353-1357) but the same check was not added to cpSync.

Reproduction

mkdir -p /tmp/allowed/src /tmp/allowed/dest /tmp/denied
echo SECRET > /tmp/denied/secret.txt
ln -sf /tmp/denied/secret.txt /tmp/allowed/src/link

node --permission \
  --allow-fs-read=/tmp/allowed --allow-fs-write=/tmp/allowed \
  --allow-fs-read=/usr --allow-fs-read=/lib -e '
const fs = require("node:fs");
try { fs.readFileSync("/tmp/denied/secret.txt"); } catch(e) { console.log("blocked:", e.code); }
try { fs.symlinkSync("/tmp/denied/secret.txt", "/tmp/allowed/dest/link"); } catch(e) { console.log("blocked:", e.code); }
fs.cpSync("/tmp/allowed/src/", "/tmp/allowed/dest/", { recursive: true });
console.log("read:", fs.readFileSync("/tmp/allowed/dest/link", "utf8").trim());
'

Output (before fix):

blocked: ERR_ACCESS_DENIED
blocked: ERR_ACCESS_DENIED
read: SECRET

How

Added permission checks using env->permission()->is_granted() for both kFileSystemRead and kFileSystemWrite on the resolved symlink target before:

• create_symlink() call (line ~3819)
• create_directory_symlink() call (line ~3822)
• copy_symlink() call in the verbatimSymlinks path (line ~3754)

Test

Added test/parallel/test-fs-cp-permission-symlink.js which verifies that fs.cpSync throws ERR_ACCESS_DENIED when copying a directory containing a symlink pointing outside the allowed permission paths.

Fixes: #63179
Refs: CVE-2025-55130