arborist: sanitize packageName in path construction for linked strategy #9078
Open
KevinZhao wants to merge 1 commit into npm:latest from
Conversation
Member
You're gonna need to undo this in order for us to review this. The cli has its own linting rules and linter.
Add sanitizeName() to strip path traversal sequences from package names before using them in filesystem path construction. Applied at all 9 locations where packageName is interpolated into path.join() calls.
Force-pushed from c2bdfde to 9469012
Author
Done — force-pushed a clean commit. The diff now contains only the
Member
This problem is solved elsewhere by using @npmcli/name-from-folder. Our pretend nodes need this, and probably need a better
Summary

Add `sanitizeName()` to strip path traversal sequences (`../`) from package names before using them in filesystem path construction in `isolated-reifier.js`. Package names from `package-lock.json` are used directly in `path.join()` calls, which resolves `../` sequences. This adds sanitization at all 9 locations where `packageName` is interpolated into paths.

Changes

- `sanitizeName()` helper that replaces `../` with `_` and strips leading `/`
- Applied in `getKey()`, `#generateChild()`, `#externalProxy()`, `#assignCommonProperties()`, `createIsolatedTree()`, `#processEdges()`, `#processDeps()`

Test plan

- `sanitizeName("../../../../tmp/foo")` returns `____tmp/foo`
- `sanitizeName("@scope/name")` returns `@scope/name` (scoped packages unaffected)
- `sanitizeName("normal-package")` returns `normal-package` (no-op for valid names)