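--- a/dist/index.js
+++ b/dist/index.js
@@ -346848,6 +346848,29 @@ function _generateTmpName(opts) {
 return path.join(tmpDir, opts.dir, name);
 }
 
+/**
+* Check the prefix, postfix, and template options.
+*
+* Rejects non-string inputs so that a non-string `.includes('..')` cannot evade
+* the substring check (e.g. an Array whose `.includes('..')` is element-wise,
+* or a duck-typed object with a custom `.includes`), and so that the value is
+* not later coerced to a string with traversal sequences via `Array.prototype.join`
+* or `path.join`.
+*
+* @private
+*/
+function _assertPath(option, value) {
+if (typeof value !== 'string') {
+throw new Error(`${option} option must be a string, got "${typeof value}".`);
+}
+
+if (value.includes("..")) {
+throw new Error("Relative value not allowed");
+}
+
+return value;
+}
+
 /**
 * Asserts and sanitizes the basic options.
 *
@@ -346862,13 +346885,19 @@ function _assertOptionsBase(options) {
 
 // must not fail on valid .<name> or ..<name> or similar such constructs
 const basename = path.basename(name);
-if (basename === '..' || basename === '.' || basename !== name)
+if (basename === '..' || basename === '.' || basename !== name) {
 throw new Error(`name option must not contain a path, found "${name}".`);
+}
 }
 
 /* istanbul ignore else */
-if (!_isUndefined(options.template) && !options.template.match(TEMPLATE_PATTERN)) {
-throw new Error(`Invalid template, found "${options.template}".`);
+if (!_isUndefined(options.template)) {
+if (typeof options.template !== 'string') {
+throw new Error(`template option must be a string, got "${typeof options.template}".`);
+}
+if (!options.template.match(TEMPLATE_PATTERN)) {
+throw new Error(`Invalid template, found "${options.template}".`);
+}
 }
 
 /* istanbul ignore else */
@@ -346884,8 +346913,9 @@ function _assertOptionsBase(options) {
 options.unsafeCleanup = !!options.unsafeCleanup;
 
 // for completeness' sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to
-options.prefix = _isUndefined(options.prefix) ? '' : options.prefix;
-options.postfix = _isUndefined(options.postfix) ? '' : options.postfix;
+options.prefix = _isUndefined(options.prefix) ? '' : _assertPath('prefix', options.prefix);
+options.postfix = _isUndefined(options.postfix) ? '' : _assertPath('postfix', options.postfix);
+options.template = _isUndefined(options.template) ? undefined : _assertPath('template', options.template);
 }
 
 /**
@@ -346901,7 +346931,7 @@ function _getRelativePath(option, name, tmpDir, cb) {
 
 const relativePath = path.relative(tmpDir, resolvedPath);
 
-if (!resolvedPath.startsWith(tmpDir)) {
+if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
 return cb(new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`));
 }
 
@@ -346920,7 +346950,7 @@ function _getRelativePathSync(option, name, tmpDir) {
 const resolvedPath = _resolvePathSync(name, tmpDir);
 const relativePath = path.relative(tmpDir, resolvedPath);
 
-if (!resolvedPath.startsWith(tmpDir)) {
+if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {
 throw new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`);
 }
 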
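Review bot: The new containment test in `_getRelativePath` and `_getRelativePathSync` rejects more than escapes: `relativePath.startsWith('..')` is also true for an entry inside `tmpDir` whose own name starts with two dots (relative path `..foo`), which the comment above the `name` check in `_assertOptionsBase` ("must not fail on valid .<name> or ..<name>") says should be accepted. Comparing the whole first path segment keeps the traversal check just as strict while removing that false positive: `if (relativePath === '..' || relativePath.startsWith('..' + path.sep) || path.isAbsolute(relativePath)) {`. The `path.isAbsolute` branch should stay, since `path.relative` returns an absolute path when the two inputs are on different drives on Windows — presumably why it was added alongside the prefix-match fix. Both enclosing functions start before their hunks, and `_getRelativePath` continues past its hunk.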
2 changes: 1 addition & 1 deletion dist/index.js.map


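--- a/yarn.lock
+++ b/yarn.lock
@@ -7283,9 +7283,9 @@ tmp-promise@^3.0.2:
 tmp "^0.2.0"
 
 tmp@^0.2.0:
-version "0.2.5"
-resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.5.tgz#b06bcd23f0f3c8357b426891726d16015abfd8f8"
-integrity sha512-voyz6MApa1rQGUxT3E+BK7/ROe8itEx7vD8/HEvt4xwXucvQ5G5oeEiHkmHZJuBO21RpOf+YYm9MOivj709jow==
+version "0.2.7"
+resolved "https://registry.yarnpkg.com/tmp/-/tmp-0.2.7.tgz#26f4db11d1601ce8012dcb8a798ece1c06a99059"
+integrity "sha1-JvTbEdFgHOgBLcuKeY7OHAapkFk= sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw=="
 
 tmpl@1.0.5:
 version "1.0.5"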