Prevent directory traversal #73

Merged
merged 11 commits into from Apr 1, 2020

Commits on Feb 27, 2020

  1. 7b9f484
  2. 3788e03
  3. 1a05f01
  4. 3a60aaa
  5. Update tested node versions

    trptcolin committed Feb 27, 2020
    432db78
  6. 8850e7e
  7. Accommodate Node 10's fs.rmdir API with rimraf

    Also ensures cleanup of decompressed files/directories.
    
    Removes Node 8 from the build matrix. The current version of ava is not
    compatible with Node 8, and Node 8 is in general now at end-of-life.
    trptcolin committed Feb 27, 2020
    949027c
  8. 2d797ce

Commits on Feb 28, 2020

  1. Prevent file writes through a symlink

    When applied to a path containing a symlink, `fs.writeFile` will write
    to the place that symlink points.
    trptcolin committed Feb 28, 2020
    325a071

Commits on Feb 29, 2020

  1. Prevent writing a file through a symlink

    Because `fs.realpath` requires an actual file to exist, we can't rely on
    it to detect if a symlink might point outside the output directory.
    
    Traversing chains of symlinks, where the targets might be relative or
    absolute, missing or not, gets complicated very quickly. And because
    the behavior is generally surprising, of file creation writing through
    to a pre-existing symlink's target, it seems preferable to disallow that
    behavior.
    trptcolin committed Feb 29, 2020
    a043c4b
  2. Remove environment-specific test

    This was useful on MacOS to expose a bug, where `/tmp` was symlinked to
    `/private/tmp`, but because the build runs on a Linux host where
    `/private` is inaccessible and the preceding test does the trick, we can
    lose this in CI.
    trptcolin committed Feb 29, 2020
    49d83eb
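
The symlink commits above describe refusing to write through a pre-existing symlink instead of resolving it with `fs.realpath`. The following Node.js sketch is an added example, not the project's code: it checks each path component with `lstat`, which works on missing paths and dangling links. The names `assertSafeTarget`, `safeWriteFile` and `demo` are hypothetical, and `throwIfNoEntry` assumes Node 14.17 or later.

```javascript
// Added example; helper names are hypothetical, not the project's code.
const fs = require('fs');
const os = require('os');
const path = require('path');

// Throws if `relPath` would land outside `outputDir` or pass through a symlink.
function assertSafeTarget(outputDir, relPath) {
  const root = fs.realpathSync(outputDir); // the output dir itself must exist
  const target = path.resolve(root, relPath);
  const rel = path.relative(root, target);
  if (rel === '' || rel.split(path.sep)[0] === '..' || path.isAbsolute(rel)) {
    throw new Error(`refusing path outside output directory: ${relPath}`);
  }
  // lstat each component: unlike realpath it works when later parts are
  // missing, and it reports the link itself rather than the link's target.
  let current = root;
  for (const part of rel.split(path.sep)) {
    current = path.join(current, part);
    const stat = fs.lstatSync(current, { throwIfNoEntry: false });
    if (!stat) break; // nothing further exists yet, so nothing to follow
    if (stat.isSymbolicLink()) {
      throw new Error(`refusing to write through symlink: ${current}`);
    }
  }
  return target;
}

function safeWriteFile(outputDir, relPath, data) {
  const target = assertSafeTarget(outputDir, relPath);
  fs.mkdirSync(path.dirname(target), { recursive: true });
  fs.writeFileSync(target, data);
  return target;
}

// Constructed demo: a dangling symlink inside the output directory.
function demo() {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'symlink-demo-'));
  const out = path.join(base, 'out');
  fs.mkdirSync(out);
  fs.symlinkSync(path.join(base, 'outside.txt'), path.join(out, 'link'));
  const results = {};
  for (const name of ['ok/file.txt', 'link', '../escape.txt']) {
    try { safeWriteFile(out, name, 'data'); results[name] = 'written'; }
    catch (err) { results[name] = 'rejected'; }
  }
  results.outsideCreated = fs.existsSync(path.join(base, 'outside.txt'));
  fs.rmSync(base, { recursive: true, force: true });
  return results;
}
```

The check and the write are separate steps, so this assumes nothing else modifies the output directory while extraction runs.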