antongolub
Contributor

@antongolub antongolub commented May 24, 2024

What / Why

  • Aligns path normalization logic when processing bin and man refs.
  • Fixes out-of-scope path traversals for bin.

const path = require('path')

function unixifyPath (ref) {
  // Replace Windows separators and drive-letter colons with '/'
  return ref.replace(/\\|:/g, '/')
}

function securePath (ref) {
  // Anchor at '/' so '..' segments cannot climb above the root, then
  // re-root the normalized result as a path relative to the package
  const secured = path.join('.', path.join('/', unixifyPath(ref)))
  // Results that collapse to '.' (empty or root refs) are rejected
  return secured.startsWith('.') ? '' : secured
}

function secureAndUnixifyPath (ref) {
  // Convert any platform-specific separators back to '/'
  return unixifyPath(securePath(ref))
}

References

continues #100, #104

@antongolub antongolub requested a review from a team as a code owner May 24, 2024 17:00
@antongolub antongolub marked this pull request as draft May 24, 2024 17:03
@antongolub antongolub force-pushed the unixify-path branch 2 times, most recently from bc63e73 to 53e372c Compare May 24, 2024 18:13
@antongolub antongolub changed the title chore: apply unixifyPath helper to normalize bin and man refs fix: apply securePath to package bin May 24, 2024
@antongolub antongolub marked this pull request as ready for review May 24, 2024 18:26
@wraithgar wraithgar merged commit 54756d2 into npm:main May 28, 2024
@github-actions github-actions bot mentioned this pull request May 24, 2024
wraithgar pushed a commit that referenced this pull request May 29, 2024
🤖 I have created a release *beep* *boop*
---

## [5.1.1](v5.1.0...v5.1.1) (2024-05-28)

### Bug Fixes

* [`54756d2`](54756d2) [#105](#105) apply `securePath` to package bin (#105) (@antongolub)
* [`46c563b`](46c563b) add `normalizePackageMan` helper (#100) (@antongolub)
* [`a974274`](a974274) prevent `directory.man` referencing outside the package root (#104) (@antongolub)
* [`191b521`](191b521) [#102](#102) invalid scripts warning fixed for undefined scripts (#102) (@milaninfy)

### Chores

* [`45a2937`](45a2937) [#98](#98) bump @npmcli/template-oss to 4.22.0 (@lukekarrys)
* [`90863c1`](90863c1) [#98](#98) postinstall for dependabot template-oss PR (@lukekarrys)

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
wraithgar pushed a commit that referenced this pull request Sep 17, 2024
Path normalization done in #105 resulted in the removal of `bin` paths that start with `.` (hidden directory). This PR corrects the path normalization to allow `bin` paths that start with `.` (hidden directory).

## References

Fixes #116 & npm/cli#7728