fix: path traversal on windows
j4k0xb committed Aug 14, 2024
1 parent 73d8afb commit e3326a4
Showing 3 changed files with 34 additions and 5 deletions.
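--- a/packages/webcrack/src/unpack/bundle.ts
+++ b/packages/webcrack/src/unpack/bundle.ts
@@ -1,11 +1,8 @@
 import traverse from '@babel/traverse';
 import type * as m from '@codemod/matchers';
-import { posix } from 'node:path';
+import { dirname, join, normalize } from 'node:path';
 import type { Module } from './module';
 
-// eslint-disable-next-line @typescript-eslint/unbound-method
-const { dirname, join, normalize } = posix;
-
 export class Bundle {
 type: 'webpack' | 'browserify';
 entryId: string;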
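Review bot: The import swap at the top of bundle.ts is the whole security fix, yet nothing in the code says so: replacing `posix` with the host's `node:path` functions is what makes `\` count as a separator on Windows, and a later tidy-up could restore the `posix` destructuring for uniform output and reopen the hole. I would add above the import `// Host path semantics on purpose: on Windows '\' is a separator and has to be normalized before the traversal check in save().` The check that throws 'path traversal' lies outside this hunk, so how it compares the normalized path with the target directory cannot be confirmed from here. It is also worth confirming that nothing downstream expects forward slashes, since `normalize` and `join` presumably now yield backslash paths on Windows hosts.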
@@ -0,0 +1,20 @@
(function (e) {
var n = {};
function o(r) {
if (n[r]) {
return n[r].exports;
}
var a = (n[r] = {
i: r,
l: false,
exports: {},
});
e[r].call(a.exports, a, a.exports, o);
a.l = true;
return a.exports;
}
o.p = '';
o((o.s = 386));
})({
'./\\..\\node_modules\\debug\\src\\index': function (e, t, n) {},
});
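--- a/packages/webcrack/src/unpack/test/unpack.test.ts
+++ b/packages/webcrack/src/unpack/test/unpack.test.ts
@@ -26,7 +26,7 @@ test('path mapping', async () => {
 expect(bundle!).toMatchSnapshot();
 });
 
-test('prevent path traversal', async () => {
+test('prevent path traversal (posix)', async () => {
 const code = await readFile(
 join(SAMPLES_DIR, 'webpack-path-traversal.js'),
 'utf8',
@@ -37,3 +37,15 @@ test('prevent path traversal', async () => {
 const dir = join(tmpdir(), 'path-traversal-test');
 await expect(bundle!.save(dir)).rejects.toThrow('path traversal');
 });
+
+test('prevent path traversal (windows)', async () => {
+const code = await readFile(
+join(SAMPLES_DIR, 'webpack-path-traversal-windows.js'),
+'utf8',
+);
+const bundle = unpack(code);
+expect(bundle).toBeDefined();
+
+const dir = join(tmpdir(), 'path-traversal-test');
+await expect(bundle!.save(dir)).rejects.toThrow('path traversal');
+});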
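Review bot: The new `prevent path traversal (windows)` test expects `save` to reject on every host, but with host path semantics the backslash key in the sample is presumably only a traversal on Windows; on a POSIX runner `\` is an ordinary filename character, so the outcome depends on the platform. Either skip the test unless `process.platform === 'win32'`, or assert the platform-specific result explicitly so that CI on Linux or macOS states what is expected there. Both traversal tests also share the fixed directory `join(tmpdir(), 'path-traversal-test')`; a fresh directory per test (for example from `mkdtemp`) would keep a failed run from leaving files behind that affect the next one.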
