fix: prevent directory.man referencing outside the package root (#104)
## What / Why
The current `directories.man` handler lets a package reach files outside its own root: a `directories.man` value such as `/` or `../..` is resolved against `pkg.path` without containment, so the man-page glob runs against a directory outside the package.
```js
// expand directories.man
  if (steps.includes('mans') && !data.man && data.directories?.man) {
    const manDir = data.directories.man
    const cwd = path.resolve(pkg.path, manDir)
    const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })
    data.man = files.map(man =>
      path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')
    )
```
```js
path.resolve(process.cwd(), '/') → '/' system root
```

## References
* continues npm/read-package-json#177
* relates #100
antongolub authored May 24, 2024
1 parent 191b521 commit 3968292
Showing 1 changed file with 6 additions and 2 deletions.
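--- a/lib/normalize.js
+++ b/lib/normalize.js
@@ -103,6 +103,10 @@ function isValidScopedPackageName (spec) {
     rest[1] === encodeURIComponent(rest[1])
 }
 
+function securePath (ref) {
+  return path.join('.', path.join('/', ref))
+}
+
 // We don't want the `changes` array in here by default because this is a hot
 // path for parsing packuments during install. So the calling method passes it
 // in if it wants to track changes.
@@ -327,7 +331,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
   // expand directories.man
   if (steps.includes('mans') && !data.man && data.directories?.man) {
     const manDir = data.directories.man
-    const cwd = path.resolve(pkg.path, manDir)
+    const cwd = path.resolve(pkg.path, securePath(manDir))
     const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })
     data.man = files.map(man =>
       path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')
@@ -340,7 +344,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
 
   // expand "directories.bin"
   if (steps.includes('binDir') && data.directories?.bin && !data.bin) {
-    const binsDir = path.resolve(pkg.path, path.join('.', path.join('/', data.directories.bin)))
+    const binsDir = path.resolve(pkg.path, securePath(data.directories.bin))
     const bins = await lazyLoadGlob()('**', { cwd: binsDir })
     data.bin = bins.reduce((acc, binFile) => {
       if (binFile && !binFile.startsWith('.')) {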
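Review bot: The containment in `securePath` relies on `path.join('/', ref)` collapsing leading `..` segments, which closes the POSIX traversal the commit describes but appears not to cover drive-qualified input on Windows: with the win32 `path`, `path.join('.', path.join('/', 'C:\\foo'))` seems to normalize back to `C:\\foo`, which `path.resolve(pkg.path, …)` then treats as absolute, so a `directories.bin` or `directories.man` of that form would still point outside the package — worth pinning down with a `path.win32` test and, if confirmed, normalizing a forward-slashed copy of `ref` with `path.posix` before rejoining. The helper also lacks any explanation of the two-join idiom, which reads as arbitrary to a maintainer; a header such as `// Confine a package-supplied relative path to the package root: joining onto '/' first collapses any leading '..', and joining onto '.' then strips the root so the result is always a relative path.` would make the intent reviewable. `normalize` begins and ends outside the hunks shown.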
