From 1ebb83b091ccfd7d7f9ec8432d627ef57265f553 Mon Sep 17 00:00:00 2001
From: Anton Golub
Date: Tue, 2 May 2023 19:30:33 +0300
Subject: [PATCH] fix: apply slash normalizer before bin path join (#41)
---
 lib/index.js | 2 +-
 test/array.js | 7 +++++++
 test/string.js | 7 +++++++
 3 files changed, 15 insertions(+), 1 deletion(-)
diff --git a/lib/index.js b/lib/index.js
index d6f0a58..3cb8478 100644
--- a/lib/index.js
+++ b/lib/index.js
@@ -41,7 +41,7 @@ const normalizeObject = pkg => {
 return
 }
 
- const binTarget = join('/', orig[binKey])
+ const binTarget = join('/', orig[binKey].replace(/\\/g, '/'))
 .replace(/\\/g, '/').slice(1)
 
 if (!binTarget) {
diff --git a/test/array.js b/test/array.js
index 12fb4a5..7805a4f 100644
--- a/test/array.js
+++ b/test/array.js
@@ -39,3 +39,10 @@ t.test('dotty array', async t => {
 t.strictSame(normalize(pkg), expect)
 t.strictSame(normalize(normalize(pkg)), expect, 'double sanitize ok')
 })
+
+t.test('dotty array with backslashes', async t => {
+ const pkg = { name: 'hello', version: 'world', bin: ['..\\..\\..\\..\\etc\\passwd'] }
+ const expect = { name: 'hello', version: 'world', bin: { passwd: 'etc/passwd' } }
+ t.strictSame(normalize(pkg), expect)
+ t.strictSame(normalize(normalize(pkg)), expect, 'double sanitize ok')
+})
diff --git a/test/string.js b/test/string.js
index b6de8f8..3ce8e14 100644
--- a/test/string.js
+++ b/test/string.js
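Review bot: The two `.replace(/\\/g, '/')` calls on `binTarget` in lib/index.js now read as redundant, and nothing in the hunk records that their order is the security-relevant part. On POSIX `join` treats a backslash as an ordinary filename character, so `..` segments written with backslashes are only collapsed against the leading `/` when the separators are unified before the join; the trailing replace presumably remains for the separators `join` itself emits on Windows. Without a comment a later cleanup could drop the first call and silently restore the old behaviour. I would add above the statement: `// unify backslashes to '/' BEFORE join so '..' segments resolve against '/' on every platform; the trailing replace only fixes up join's own output on Windows`. The enclosing callback in normalizeObject starts and ends outside the hunk.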
@@ -22,6 +22,13 @@ t.test('dotty string', async t => {
 t.strictSame(normalize(normalize(pkg)), expect, 'double sanitize ok')
 })
 
+t.test('dotty string with backslashes', async t => {
+ const pkg = { name: 'hello', version: 'world', bin: '..\\..\\..\\..\\etc\\passwd' }
+ const expect = { name: 'hello', version: 'world', bin: { hello: 'etc/passwd' } }
+ t.strictSame(normalize(pkg), expect)
+ t.strictSame(normalize(normalize(pkg)), expect, 'double sanitize ok')
+})
+
 t.test('double path', async t => {
 const pkg = { name: 'hello', version: 'world', bin: '/etc/passwd:/bin/usr/exec' }
 const expect = { name: 'hello', version: 'world', bin: { hello: 'etc/passwd:/bin/usr/exec' } }
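Review bot: This case and the parallel one added in test/array.js feed only all-backslash targets through the string and array forms; the commit adds no case for `bin` given as an object, although the changed statement lives in normalizeObject, and none for a target that mixes `/` and `\` separators. Both would pin the invariant the fix relies on, namely that separators are unified before `join` resolves `..`. I would add a sibling case such as `const pkg = { name: 'hello', version: 'world', bin: { hello: '..\\..\\..\\..\\etc\\passwd' } }` expecting `bin: { hello: 'etc/passwd' }`, plus one with mixed separators. Whether the string and array forms are routed through normalizeObject is not visible in these hunks.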