Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

fix: prevent directory.man referencing outside the package root #104

Merged
merged 1 commit into from
May 24, 2024

Conversation

antongolub
Copy link
Contributor

@antongolub antongolub commented May 24, 2024

What / Why

The current directories.man handler allows to reach assets outside the package scope.

// expand directories.man
  if (steps.includes('mans') && !data.man && data.directories?.man) {
    const manDir = data.directories.man
    const cwd = path.resolve(pkg.path, manDir)
    const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })
    data.man = files.map(man =>
      path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')
    )
path.resolve(process.cwd(), '/')  '/' system root

References

@antongolub antongolub requested a review from a team as a code owner May 24, 2024 06:17
@antongolub antongolub changed the title fix: prevent directory.man referencing outside the package root fix: prevent directory.man referencing outside the package root May 24, 2024
@wraithgar
Copy link
Member

Tests would normally be required but this use case is covered in #100 which we'll be landing next.

@wraithgar wraithgar merged commit 3968292 into npm:main May 24, 2024
27 checks passed
wraithgar pushed a commit that referenced this pull request May 24, 2024
## What / Why
Aligns normalization logic with `directories.bin`

See also:
https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105
```js
  fixManField: function (data) {
    if (!data.man) {
      return
    }
    if (typeof data.man === 'string') {
      data.man = [data.man]
    }
  },
```

## References
* continues npm/read-package-json#177
* relates #104

CC @wraithgar
wraithgar pushed a commit that referenced this pull request May 24, 2024
Aligns normalization logic with `directories.bin`

See also:
https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105
```js
  fixManField: function (data) {
    if (!data.man) {
      return
    }
    if (typeof data.man === 'string') {
      data.man = [data.man]
    }
  },
```

* continues npm/read-package-json#177
* relates #104

CC @wraithgar
wraithgar pushed a commit that referenced this pull request May 24, 2024
Aligns normalization logic with `directories.bin`

See also:
https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105
```js
  fixManField: function (data) {
    if (!data.man) {
      return
    }
    if (typeof data.man === 'string') {
      data.man = [data.man]
    }
  },
```

* continues npm/read-package-json#177
* relates #104

CC @wraithgar
@github-actions github-actions bot mentioned this pull request May 24, 2024
wraithgar pushed a commit that referenced this pull request May 28, 2024
## What / Why

* Aligns path normalization logic when processing `bin` and `man` refs.
* Fixes out of scope path traversals for `bin`

```js
function unixifyPath (ref) {
  return ref.replace(/\\|:/g, '/')
}

function securePath (ref) {
  const secured = path.join('.', path.join('/', unixifyPath(ref)))
  return secured.startsWith('.') ? '' : secured
}

function secureAndUnixifyPath (ref) {
  return unixifyPath(securePath(ref))
}
```

## References
continues
[#100](#100 (comment)),
#104
wraithgar pushed a commit that referenced this pull request May 29, 2024
🤖 I have created a release *beep* *boop*
---


## [5.1.1](v5.1.0...v5.1.1)
(2024-05-28)

### Bug Fixes

*
[`54756d2`](54756d2)
[#105](#105) apply `securePath`
to package bin (#105) (@antongolub)
*
[`46c563b`](46c563b)
add `normalizePackageMan` helper (#100) (@antongolub)
*
[`a974274`](a974274)
prevent `directory.man` referencing outside the package root (#104)
(@antongolub)
*
[`191b521`](191b521)
[#102](#102) invalid scripts
warning fixed for undefined scripts (#102) (@milaninfy)

### Chores

*
[`45a2937`](45a2937)
[#98](#98) bump
@npmcli/template-oss to 4.22.0 (@lukekarrys)
*
[`90863c1`](90863c1)
[#98](#98) postinstall for
dependabot template-oss PR (@lukekarrys)

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants