Check for relative values · raszi/node-tmp@7ef2728 (original) (raw)

`@@ -525,6 +525,19 @@ function _generateTmpName(opts) {

`

525

525

`return path.join(tmpDir, opts.dir, name);

`

526

526

`}

`

527

527

``

``

528

`+

/**

`

``

529

`+

`

``

530

`+

`

``

531

`+

`

``

532

`+

*/

`

``

533

`+

function _assertPath(path) {

`

``

534

`+

if (path.includes("..")) {

`

``

535

`+

throw new Error("Relative value not allowed");

`

``

536

`+

}

`

``

537

+

``

538

`+

return path;

`

``

539

`+

}

`

``

540

+

528

541

`/**

`

529

542

` * Asserts and sanitizes the basic options.

`

530

543

` *

`

`@@ -539,8 +552,9 @@ function _assertOptionsBase(options) {

`

539

552

``

540

553

`// must not fail on valid . or .. or similar such constructs

`

541

554

`const basename = path.basename(name);

`

542

``

`-

if (basename === '..' || basename === '.' || basename !== name)

`

``

555

`+

if (basename === '..' || basename === '.' || basename !== name) {

`

543

556

`` throw new Error(name option must not contain a path, found "${name}".);

``

``

557

`+

}

`

544

558

`}

`

545

559

``

546

560

`/* istanbul ignore else */

`

`@@ -561,8 +575,9 @@ function _assertOptionsBase(options) {

`

561

575

`options.unsafeCleanup = !!options.unsafeCleanup;

`

562

576

``

563

577

`// for completeness' sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to

`

564

``

`-

options.prefix = _isUndefined(options.prefix) ? '' : options.prefix;

`

565

``

`-

options.postfix = _isUndefined(options.postfix) ? '' : options.postfix;

`

``

578

`+

options.prefix = _isUndefined(options.prefix) ? '' : _assertPath(options.prefix);

`

``

579

`+

options.postfix = _isUndefined(options.postfix) ? '' : _assertPath(options.postfix);

`

``

580

`+

options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template);

`

566

581

`}

`

567

582

``

568

583

`/**

`

`@@ -578,7 +593,7 @@ function _getRelativePath(option, name, tmpDir, cb) {

`

578

593

``

579

594

`const relativePath = path.relative(tmpDir, resolvedPath);

`

580

595

``

581

``

`-

if (!resolvedPath.startsWith(tmpDir)) {

`

``

596

`+

if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {

`

582

597

`` return cb(new Error(${option} option must be relative to "${tmpDir}", found "${relativePath}".));

``

583

598

`}

`

584

599

``

`@@ -597,7 +612,7 @@ function _getRelativePathSync(option, name, tmpDir) {

`

597

612

`const resolvedPath = _resolvePathSync(name, tmpDir);

`

598

613

`const relativePath = path.relative(tmpDir, resolvedPath);

`

599

614

``

600

``

`-

if (!resolvedPath.startsWith(tmpDir)) {

`

``

615

`+

if (relativePath.startsWith('..') || path.isAbsolute(relativePath)) {

`

601

616

`` throw new Error(${option} option must be relative to "${tmpDir}", found "${relativePath}".);

``

602

617

`}

`

603

618

``
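Review bot: `_assertPath` (new lines 533–539) calls `path.includes("..")` without first checking that the value is a string, so a non-string `prefix`, `postfix` or `template` either fails with an unrelated TypeError or, if it has its own `includes` (an array), is matched by element rather than by substring before it is presumably coerced into the file name later. I would make `if (typeof value !== 'string') throw new Error('Value must be a string');` the first line and rename the parameter from `path` to `value`, since it shadows the `path` module used elsewhere in the file (`path.basename`, `path.relative`). In `_getRelativePath` and `_getRelativePathSync`, `relativePath.startsWith('..')` also rejects a directory that really is inside `tmpDir` but whose name begins with two dots; `relativePath === '..' || relativePath.startsWith('..' + path.sep)` would be exact. The bodies of `_assertOptionsBase` and both `_getRelativePath*` functions start outside the hunks shown, so any type validation done earlier in them is not visible here.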