permission: add path separator to loader check

Author: RafaelGSS

lib/internal/modules/cjs/loader.js

@@ -423,7 +423,7 @@ function readPackageScope(checkPath) {
     checkPath = StringPrototypeSlice(checkPath, 0, separatorIndex);
     // Stop the search when the process doesn't have permissions
     // to walk upwards
-    if (enabledPermission && !permission.has('fs.read', checkPath)) {
+    if (enabledPermission && !permission.has('fs.read', checkPath + sep)) {
       return false;
     }
     if (StringPrototypeEndsWith(checkPath, sep + 'node_modules'))

test/fixtures/permission/loader/index.js

@@ -0,0 +1,3 @@
+const fs = require('node:fs');
+
+fs.readFile('/etc/passwd', () => {});

test/parallel/test-cli-permission-deny-fs.js

@@ -1,9 +1,12 @@
 'use strict';
 
 require('../common');
+
+const fixtures = require('../common/fixtures');
 const { spawnSync } = require('child_process');
 const assert = require('assert');
 const fs = require('fs');
+const path = require('path');
 
 {
   const { status, stdout } = spawnSync(
@@ -126,3 +129,21 @@ const fs = require('fs');
   assert.strictEqual(status, 1);
   assert.ok(!fs.existsSync('permission-deny-example.md'));
 }
+
+{
+  const firstPath = path.sep + process.cwd().split(path.sep, 2)[1];
+  if (firstPath.startsWith('/etc')) {
+    common.skip('/etc as firstPath');
+  }
+  const file = fixtures.path('permission', 'loader', 'index.js');
+  const { status, stderr } = spawnSync(
+    process.execPath,
+    [
+      '--experimental-permission',
+      `--allow-fs-read=${firstPath}`,
+      file,
+    ]
+  );
+  assert.match(stderr.toString(), /resource:\s+'\/etc\/passwd'/);
+  assert.strictEqual(status, 1);
+}