Skip to content

Commit

Permalink
Require files to be in given output directory
Browse files Browse the repository at this point in the history
  • Loading branch information
trptcolin committed Feb 27, 2020
1 parent 1a05f01 commit 3a60aaa
Show file tree
Hide file tree
Showing 4 changed files with 27 additions and 8 deletions.
Binary file modified fixtures/edge_case_dots.tar.gz
Binary file not shown.
Binary file added fixtures/slip.zip
Binary file not shown.
15 changes: 10 additions & 5 deletions index.js
Original file line number Diff line number Diff line change
Expand Up @@ -43,10 +43,6 @@ const extractFile = (input, output, opts) => runPlugins(input, opts).then(files

return Promise.all(files.map(x => {
const dest = path.join(output, x.path);
if (dest.match(/\.\.\//)) {
throw (new Error('File path contains "..":', dest));
}

const mode = x.mode & ~process.umask();
const now = new Date();

Expand All @@ -56,7 +52,16 @@ const extractFile = (input, output, opts) => runPlugins(input, opts).then(files
.then(() => x);
}

return makeDir(path.dirname(dest))
return makeDir(output)
.then(() => makeDir(path.dirname(dest)))
.then(() => {
return Promise.all([fsP.realpath(path.dirname(dest)), fsP.realpath(output)])
.then(([realDestinationDir, realOutputDir]) => {
if (realDestinationDir.indexOf(realOutputDir) !== 0) {
throw (new Error('Refusing to write outside output directory: ' + realDestinationDir));
}
});
})
.then(() => {
if (x.type === 'link') {
return fsP.link(x.linkname, dest);
Expand Down
20 changes: 17 additions & 3 deletions test.js
Original file line number Diff line number Diff line change
Expand Up @@ -107,11 +107,25 @@ test('return emptpy array if no plugins are set', async t => {
test('throw when a location outside the root is given', async t => {
await t.throwsAsync(async () => {
await m(path.join(__dirname, 'fixtures', 'slipping.tar.gz'), 'dist');
}, {message: /File path contains "\.\."/});
}, {message: /Refusing to write/});
});

test('allows filenames to be written with dots in them', async t => {
test('throw when a location outside the root including symlinks is given', async t => {
await t.throwsAsync(async () => {
await m(path.join(__dirname, 'fixtures', 'slip.zip'), 'dist');
}, {message: /Refusing to write/});
});

test('allows filenames and directories to be written with dots in their names', async t => {
const files = await m(path.join(__dirname, 'fixtures', 'edge_case_dots.tar.gz'), __dirname);
t.is(files.length, 3);
t.is(files.length, 6);
t.deepEqual(files.map(f => f.path).sort(), [
'edge_case_dots/',
'edge_case_dots/internal_dots..txt',
'edge_case_dots/sample../',
'edge_case_dots/ending_dots..',
'edge_case_dots/x',
'edge_case_dots/sample../test.txt'
].sort());
await fsP.rmdir(path.join(__dirname, 'edge_case_dots'), {recursive: true});
});

0 comments on commit 3a60aaa

Please sign in to comment.