fs.globSync can't traverse on allowed directory by specific --allow-fs-read #61499

@louiellan

Version

22.22.0 (22.x), 24.13.0 (24.x), 25.4.0 (25.x)

Platform

Linux louiellan-IdeaPad-3-15ITL6 6.14.0-37-generic #37~24.04.1-Ubuntu SMP PREEMPT_DYNAMIC Thu Nov 20 10:25:38 UTC 2 x86_64 x86_64 x86_64 GNU/Linux

Subsystem

fs, permission

What steps will reproduce the bug?

Create the file

sample1.js
(throws ERR_ACCESS_DENIED)

const fs = require('fs')
console.log(fs.globSync('somedir/*'));

Directory Structure

somedir
|--> file1.js
sample1.js

Run the following commands:

node --permission --allow-fs-read=somedir/ ./sample1.js

How often does it reproduce? Is there a required condition?

The bug consistently reproduces if --allow-fs-read is given a specific directory such as somedir/, but not with the allow-all value *

What is the expected behavior? Why is that the expected behavior?

  1. fs.globSync should not throw an ERR_ACCESS_DENIED as it has read access to that given directory
  2. fs.glob (both from node:fs/promises and node:fs) doesn't throw the error given the same glob pattern

Code snippet for checking fs.glob working as intended
sample2.js
(works just fine - for comparison)

const fsPromise = require('fs/promises');
(async () => {
  for await (const entry of fsPromise.glob('somedir/*')) {
    console.log(entry);
  }
})();

sample3.js
(works just fine - for comparison)

const fs = require('node:fs');
fs.glob('somedir/*', (err, matches) => {
    if (err) throw err;
    console.log(matches);
});

Running the files

node --permission --allow-fs-read=somedir/ ./sample2.js
node --permission --allow-fs-read=somedir/ ./sample3.js

What do you see instead?

node:fs:1676
    throw new ERR_ACCESS_DENIED('Access to this API has been restricted', 'FileSystemRead', resource);
    ^
Error [ERR_ACCESS_DENIED]: Access to this API has been restricted
    at lstatSync (node:fs:1676:11)
    at getDirentSync (node:internal/fs/glob:68:16)
    at Cache.statSync (node:internal/fs/glob:134:17)
    at #addSubpatterns (node:internal/fs/glob:362:30)
    at Glob.globSync (node:internal/fs/glob:312:29)
    at Object.globSync (node:fs:3201:37)
    at Object.<anonymous> (/home/louiellan/Projects/node/sample.js:2:16)
    at Module._compile (node:internal/modules/cjs/loader:1803:14)
    at Object..js (node:internal/modules/cjs/loader:1934:10)
    at Module.load (node:internal/modules/cjs/loader:1524:32) {
  code: 'ERR_ACCESS_DENIED',
  permission: 'FileSystemRead',
  resource: '/home/louiellan/Projects/node'
}

Additional information

Came across this when @RafaelGSS suggested including permission model tests while using glob on --watch-path
Refs: #59478
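
A triage helper for the trace above, added here as an example (it is not part of the original issue or of Node.js): it relates the `resource` field of an ERR_ACCESS_DENIED error to the directories granted with --allow-fs-read. The names `isWithin` and `classifyDenial` are hypothetical, and the working directory /home/louiellan/Projects/node is an assumption taken from the script path in the trace.

```javascript
const path = require('node:path').posix; // the report is from Linux

// True when `child` is `parent` itself or lies underneath it.
function isWithin(parent, child) {
  const rel = path.relative(parent, child);
  if (rel === '') return true;
  return rel !== '..' && !rel.startsWith('../') && !path.isAbsolute(rel);
}

// Classify a permission denial relative to the --allow-fs-read grants.
// Relative grants are resolved against `cwd` (assumption, see lead-in).
function classifyDenial(err, allowedDirs, cwd) {
  if (!err || err.code !== 'ERR_ACCESS_DENIED') {
    return { kind: 'not-a-permission-error' };
  }
  if (typeof err.resource !== 'string') return { kind: 'no-resource' };
  const resource = path.resolve(cwd, err.resource);
  const grants = allowedDirs.map((d) => path.resolve(cwd, d));
  // Denied although the path is covered by a grant.
  if (grants.some((g) => isWithin(g, resource))) {
    return { kind: 'inside-grant', resource };
  }
  // Denied path is a parent of a granted directory: the caller touched
  // a directory above the grant before reaching it.
  const below = grants.filter((g) => isWithin(resource, g));
  if (below.length > 0) {
    return { kind: 'ancestor-of-grant', resource, grants: below };
  }
  return { kind: 'outside-grant', resource };
}

// Constructed sample: the error fields are copied from the trace above.
const sampleError = {
  code: 'ERR_ACCESS_DENIED',
  permission: 'FileSystemRead',
  resource: '/home/louiellan/Projects/node',
};
const sampleCwd = '/home/louiellan/Projects/node'; // assumed cwd
const sampleResult = classifyDenial(sampleError, ['somedir/'], sampleCwd);
console.log(sampleResult);
```

For the reported trace the helper returns `ancestor-of-grant`: the denied `lstatSync` was on the directory containing `somedir`, not on `somedir` itself.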


Labels: permission (Issues and PRs related to the Permission Model)
