Commit 25a34f9

fix: sanitize and validate bin and man link targets
1 parent 02bb9e1 commit 25a34f9

1 file changed

+17-1Lines changed: 17 additions & 1 deletion

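--- a/index.js
+++ b/index.js
@@ -11,10 +11,13 @@ const read = BB.promisify(fs.read, {multiArgs: true})
 const chmod = BB.promisify(fs.chmod)
 const readFile = BB.promisify(fs.readFile)
 const writeFileAtomic = BB.promisify(require('write-file-atomic'))
+const normalize = require('npm-normalize-package-bin')
 
 module.exports = BB.promisify(binLinks)
 
 function binLinks (pkg, folder, global, opts, cb) {
+pkg = normalize(pkg)
+
 // if it's global, and folder is in {prefix}/node_modules,
 // then bins are in {prefix}/bin
 // otherwise, then bins are in folder/../.bin
@@ -77,6 +80,12 @@ function linkBins (pkg, folder, parent, gtop, opts) {
 var dest = path.resolve(binRoot, bin)
 var src = path.resolve(folder, pkg.bin[bin])
 
+/* istanbul ignore if - that unpossible */
+if (src.indexOf(folder) !== 0) {
+throw new Error('invalid bin entry for package ' +
+pkg._id + '. key=' + bin + ', value=' + pkg.bin[bin])
+}
+
 return linkBin(src, dest, linkOpts).then(() => {
 // bins should always be executable.
 // XXX skip chmod on windows?
@@ -123,7 +132,8 @@ function linkMans (pkg, folder, parent, gtop, opts) {
 // make sure that the mans are unique.
 // otherwise, if there are dupes, it'll fail with EEXIST
 var set = pkg.man.reduce(function (acc, man) {
-acc[path.basename(man)] = man
+const cleanMan = path.join('/', man).replace(/\\|:/g, '/').substr(1)
+acc[path.basename(man)] = cleanMan
 return acc
 }, {})
 var manpages = pkg.man.filter(function (man) {
@@ -146,6 +156,12 @@ function linkMans (pkg, folder, parent, gtop, opts) {
 var sxn = parseMan[2]
 var bn = path.basename(stem)
 var manSrc = path.resolve(folder, man)
+/* istanbul ignore if - that unpossible */
+if (manSrc.indexOf(folder) !== 0) {
+throw new Error('invalid man entry for package ' +
+pkg._id + '. man=' + manSrc)
+}
+
 var manDest = path.join(manRoot, 'man' + sxn, bn)
 
 return linkIfExists(manSrc, manDest, getLinkOpts(opts, gtop && folder))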
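Review bot: The new guard `src.indexOf(folder) !== 0` in linkBins is a plain string-prefix test, so a resolved target inside a sibling directory whose name merely extends `folder` (e.g. `<folder>-other/…`) still passes while lying outside the package directory; the `manSrc.indexOf(folder) !== 0` check in the last hunk has the same gap. A boundary-aware form is `const rel = path.relative(folder, src); if (rel.startsWith('..') || path.isAbsolute(rel)) { throw new Error(...) }`, or at minimum comparing against `folder + path.sep`. The `/* istanbul ignore if - that unpossible */` markers on both guards declare the branches unreachable, but a crafted `bin` or `man` value in package metadata does reach them, so they would be better covered by a test case than excluded from coverage. Both enclosing functions, linkBins and linkMans, begin and end outside these hunks, and whether the `manpages` filter below uses the sanitized `cleanMan` value or the raw `man` is not visible here.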
