fix #246: remove any double quotes or single quotes from os.tmpdir al…

…so sanitize dir option and template option
raszi · Apr 8, 2020 · 2fa52c0 · 2fa52c0
1 parent c7028f2
commit 2fa52c0
Show file tree

Hide file tree

Showing 3 changed files with 86 additions and 6 deletions.
diff --git a/lib/tmp.js b/lib/tmp.js
@@ -542,13 +542,28 @@ function _assertAndSanitizeOptions(options) {
  * @private
  */
 function _resolvePath(name, tmpDir) {
-  if (name.startsWith(tmpDir)) {
-    return path.resolve(name);
+  const sanitizedName = _sanitizeName(name);
+  if (sanitizedName.startsWith(tmpDir)) {
+    return path.resolve(sanitizedName);
   } else {
-    return path.resolve(path.join(tmpDir, name));
+    return path.resolve(path.join(tmpDir, sanitizedName));
   }
 }
 
+/**
+ * Sanitize the specified path name by removing all quote characters.
+ *
+ * @param name
+ * @returns {string}
+ * @private
+ */
+function _sanitizeName(name) {
+  if (_isBlank(name)) {
+    return name;
+  }
+  return name.replace(/["']/g, '');
+}
+
 /**
  * Asserts whether specified name is relative to the specified tmpDir.
  *
@@ -637,7 +652,7 @@ function setGracefulCleanup() {
  * @returns {string} the currently configured tmp dir
  */
 function _getTmpDir() {
-  return path.resolve(os.tmpdir());
+  return path.resolve(_sanitizeName(os.tmpdir()));
 }
 
 // Install process exit listener

diff --git a/test/name-sync-test.js b/test/name-sync-test.js
@@ -7,6 +7,7 @@ const
   inbandStandardTests = require('./name-inband-standard'),
   tmp = require('../lib/tmp');
 
+const isWindows = os.platform() === 'win32';
 
 describe('tmp', function () {
   describe('#tmpNameSync()', function () {
@@ -39,7 +40,9 @@ describe('tmp', function () {
       describe('on issue #176', function () {
         const origfn = os.tmpdir;
         it('must fail on invalid os.tmpdir()', function () {
-          os.tmpdir = function () { return undefined; };
+          os.tmpdir = function () {
+            return undefined;
+          };
           try {
             tmp.tmpNameSync();
             assert.fail('should have failed');
@@ -50,6 +53,35 @@ describe('tmp', function () {
           }
         });
       });
+      describe('on issue #246', function () {
+        const origfn = os.tmpdir;
+        it('must produce correct name on os.tmpdir() returning path that includes double quotes', function () {
+          const tmpdir = isWindows ? '"C:\\Temp With Spaces"' : '"/tmp with spaces"';
+          os.tmpdir = function () {
+            return tmpdir;
+          };
+          const name = tmp.tmpNameSync();
+          try {
+            assert.ok(name.indexOf('"') === -1);
+            assert.ok(name.startsWith(tmpdir.replace(/["']/g, '')));
+          } finally {
+            os.tmpdir = origfn;
+          }
+        });
+        it('must produce correct name on os.tmpdir() returning path that includes single quotes', function () {
+          const tmpdir = isWindows ? '\'C:\\Temp With Spaces\'' : '\'/tmp with spaces\'';
+          os.tmpdir = function () {
+            return tmpdir;
+          };
+          const name = tmp.tmpNameSync();
+          try {
+            assert.ok(name.indexOf('\'') === -1);
+            assert.ok(name.startsWith(tmpdir.replace(/["']/g, '')));
+          } finally {
+            os.tmpdir = origfn;
+          }
+        });
+      });
     });
 
     describe('when running standard outband tests', function () {

diff --git a/test/name-test.js b/test/name-test.js
@@ -7,6 +7,7 @@ const
   inbandStandardTests = require('./name-inband-standard'),
   tmp = require('../lib/tmp');
 
+const isWindows = os.platform() === 'win32';
 
 describe('tmp', function () {
   describe('#tmpName()', function () {
@@ -62,6 +63,39 @@ describe('tmp', function () {
           });
         });
       });
+      describe('on issue #246', function () {
+        const origfn = os.tmpdir;
+        it('must produce correct name on os.tmpdir() returning path that includes double quotes', function (done) {
+          const tmpdir = isWindows ? '"C:\\Temp With Spaces"' : '"/tmp with spaces"';
+          os.tmpdir = function () { return tmpdir; };
+          tmp.tmpName(function (err, name) {
+            try {
+              assert.ok(name.indexOf('"') === -1);
+              assert.ok(name.startsWith(tmpdir.replace(/["']/g, '')));
+            } catch (err) {
+              return done(err);
+            } finally {
+              os.tmpdir = origfn;
+            }
+            done();
+          });
+        });
+        it('must produce correct name on os.tmpdir() returning path that includes single quotes', function (done) {
+          const tmpdir = isWindows ? '\'C:\\Temp With Spaces\'' : '\'/tmp with spaces\'';
+          os.tmpdir = function () { return tmpdir; };
+          tmp.tmpName(function (err, name) {
+            try {
+              assert.ok(name.indexOf('\'') === -1);
+              assert.ok(name.startsWith(tmpdir.replace(/["']/g, '')));
+            } catch (err) {
+              return done(err);
+            } finally {
+              os.tmpdir = origfn;
+            }
+            done();
+          });
+        });
+      });
     });
 
     describe('when running standard outband tests', function () {
@@ -71,4 +105,3 @@ describe('tmp', function () {
     });
   });
 });
-