mirror of
https://github.com/jakejarvis/careful-downloader.git
synced 2025-04-26 03:05:23 -04:00
use more reliable is-path-in-cwd to prevent directory traversal
This commit is contained in:
parent
8f660a5b6f
commit
a652d3b660
GPG Key ID:
2B0C9CF251E69A39
3
index.js
3
index.js
@ -7,6 +7,7 @@ import got from "got";
|
||||
import sumchecker from "sumchecker";
|
||||
import decompress from "decompress";
|
||||
import urlParse from "url-parse";
|
||||
import isPathInCwd from "is-path-in-cwd";
|
||||
|
||||
export default async function downloader(downloadUrl, checksumUrl, options) {
|
||||
// intialize options if none are set
|
||||
@ -23,7 +24,7 @@ export default async function downloader(downloadUrl, checksumUrl, options) {
|
||||
};
|
||||
|
||||
// throw an error if destDir is outside of the module to prevent path traversal for security reasons
|
||||
if (!options.destDir.startsWith(process.cwd())) {
|
||||
if (!isPathInCwd(options.destDir)) {
|
||||
throw new Error(`destDir must be located within '${process.cwd()}', it's currently set to '${options.destDir}'.`);
|
||||
}
|
||||
|
||||
|
||||
@ -27,6 +27,7 @@
|
||||
"decompress": "^4.2.1",
|
||||
"fs-extra": "^10.0.0",
|
||||
"got": "^11.8.2",
|
||||
"is-path-in-cwd": "^4.0.0",
|
||||
"sumchecker": "^3.0.1",
|
||||
"tempy": "^2.0.0",
|
||||
"url-parse": "^1.5.3"
|
||||
|
||||
12
yarn.lock
12
yarn.lock
@ -1413,11 +1413,23 @@ is-path-cwd@^2.2.0:
|
||||
resolved "https://registry.yarnpkg.com/is-path-cwd/-/is-path-cwd-2.2.0.tgz#67d43b82664a7b5191fd9119127eb300048a9fdb"
|
||||
integrity sha512-w942bTcih8fdJPJmQHFzkS76NEP8Kzzvmw92cXsazb8intwLqPibPPdXf4ANdKV3rYMuuQYGIWtvz9JilB3NFQ==
|
||||
|
||||
is-path-in-cwd@^4.0.0:
|
||||
version "4.0.0"
|
||||
resolved "https://registry.yarnpkg.com/is-path-in-cwd/-/is-path-in-cwd-4.0.0.tgz#e5a97a09cf34655d7bab7204e6c3997d834ef0b6"
|
||||
integrity sha512-FjDhtYysbIKBKRFCQN8NcMaHHWfwAzJLOrRAhzd4hnK6Y1979p6ZthIUqdPjCyAk5jvrmY2fn56Y+kFE8RdsrA==
|
||||
dependencies:
|
||||
is-path-inside "^4.0.0"
|
||||
|
||||
is-path-inside@^3.0.2:
|
||||
version "3.0.3"
|
||||
resolved "https://registry.yarnpkg.com/is-path-inside/-/is-path-inside-3.0.3.tgz#d231362e53a07ff2b0e0ea7fed049161ffd16283"
|
||||
integrity sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ==
|
||||
|
||||
is-path-inside@^4.0.0:
|
||||
version "4.0.0"
|
||||
resolved "https://registry.yarnpkg.com/is-path-inside/-/is-path-inside-4.0.0.tgz#805aeb62c47c1b12fc3fd13bfb3ed1e7430071db"
|
||||
integrity sha512-lJJV/5dYS+RcL8uQdBDW9c9uWFLLBNRyFhnAKXw5tVqLlKZ4RMGZKv+YQ/IA3OhD+RpbJa1LLFM1FQPGyIXvOA==
|
||||
|
||||
is-plain-obj@^2.1.0:
|
||||
version "2.1.0"
|
||||
resolved "https://registry.yarnpkg.com/is-plain-obj/-/is-plain-obj-2.1.0.tgz#45e42e37fccf1f40da8e5f76ee21515840c09287"
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user