Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: prevent directory.man referencing outside the package root #104

Merged
merged 1 commit into from
May 24, 2024
Merged

fix: prevent directory.man referencing outside the package root #104

merged 1 commit into from
May 24, 2024

Conversation

antongolub
Copy link
Contributor

@antongolub antongolub commented May 24, 2024
edited
Loading

What / Why

The current directories.man handler allows to reach assets outside the package scope.

// expand directories.man
  if (steps.includes('mans') && !data.man && data.directories?.man) {
    const manDir = data.directories.man
    const cwd = path.resolve(pkg.path, manDir)
    const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })
    data.man = files.map(man =>
      path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')
    )
path.resolve(process.cwd(), '/')  '/' system root

References

@antongolub antongolub requested a review from a team as a code owner May 24, 2024 06:17
@antongolub antongolub mentioned this pull request May 24, 2024
Merged
@antongolub antongolub changed the title fix: prevent directory.man referencing outside the package root fix: prevent directory.man referencing outside the package root May 24, 2024
@wraithgar
Copy link
Member

Tests would normally be required but this use case is covered in #100 which we'll be landing next.

@wraithgar wraithgar merged commit 3968292 into npm:main May 24, 2024
27 checks passed
wraithgar pushed a commit that referenced this pull request May 24, 2024
@antongolub
refactor: add normalizePackageMan helper (#100)
c87260a 
## What / Why
Aligns normalization logic with `directories.bin`

See also:
https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105
```js
  fixManField: function (data) {
    if (!data.man) {
      return
    }
    if (typeof data.man === 'string') {
      data.man = [data.man]
    }
  },
```

## References
* continues npm/read-package-json#177
* relates #104

CC @wraithgar
wraithgar pushed a commit that referenced this pull request May 24, 2024
@antongolub @wraithgar
fix: add normalizePackageMan helper (#100)
59b8ccf 
Aligns normalization logic with `directories.bin`

See also:
https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105
```js
  fixManField: function (data) {
    if (!data.man) {
      return
    }
    if (typeof data.man === 'string') {
      data.man = [data.man]
    }
  },
```

* continues npm/read-package-json#177
* relates #104

CC @wraithgar
wraithgar pushed a commit that referenced this pull request May 24, 2024
@antongolub @wraithgar
fix: prevent directory.man referencing outside the package root (#104)
a974274
wraithgar pushed a commit that referenced this pull request May 24, 2024
@antongolub @wraithgar
fix: add normalizePackageMan helper (#100)
46c563b 
Aligns normalization logic with `directories.bin`

See also:
https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105
```js
  fixManField: function (data) {
    if (!data.man) {
      return
    }
    if (typeof data.man === 'string') {
      data.man = [data.man]
    }
  },
```

* continues npm/read-package-json#177
* relates #104

CC @wraithgar
@github-actions github-actions bot mentioned this pull request May 24, 2024
Merged
@antongolub antongolub mentioned this pull request May 24, 2024
Merged
wraithgar pushed a commit that referenced this pull request May 28, 2024
@antongolub
fix: apply securePath to package bin (#105)
54756d2 
## What / Why

* Aligns path normalization logic when processing `bin` and `man` refs.
* Fixes out of scope path traversals for `bin`

```js
function unixifyPath (ref) {
  return ref.replace(/\\|:/g, '/')
}

function securePath (ref) {
  const secured = path.join('.', path.join('/', unixifyPath(ref)))
  return secured.startsWith('.') ? '' : secured
}

function secureAndUnixifyPath (ref) {
  return unixifyPath(securePath(ref))
}
```

## References
continues
[#100](#100 (comment)),
#104
wraithgar pushed a commit that referenced this pull request May 29, 2024
@github-actions
chore: release 5.1.1 (#103)
e6c2bdd 
🤖 I have created a release *beep* *boop*
---


## [5.1.1](v5.1.0...v5.1.1)
(2024-05-28)

### Bug Fixes

*
[`54756d2`](54756d2)
[#105](#105) apply `securePath`
to package bin (#105) (@antongolub)
*
[`46c563b`](46c563b)
add `normalizePackageMan` helper (#100) (@antongolub)
*
[`a974274`](a974274)
prevent `directory.man` referencing outside the package root (#104)
(@antongolub)
*
[`191b521`](191b521)
[#102](#102) invalid scripts
warning fixed for undefined scripts (#102) (@milaninfy)

### Chores

*
[`45a2937`](45a2937)
[#98](#98) bump
@npmcli/template-oss to 4.22.0 (@lukekarrys)
*
[`90863c1`](90863c1)
[#98](#98) postinstall for
dependabot template-oss PR (@lukekarrys)

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@wraithgar wraithgar wraithgar approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@antongolub @wraithgar