diff --git a/index.js b/index.js
index a52ae66..da0b3ad 100644
--- a/index.js
+++ b/index.js
@@ -7,6 +7,7 @@ import got from "got";
 import sumchecker from "sumchecker";
 import decompress from "decompress";
 import urlParse from "url-parse";
+import isPathInCwd from "is-path-in-cwd";
 
 export default async function downloader(downloadUrl, checksumUrl, options) {
   // intialize options if none are set
@@ -23,7 +24,7 @@ export default async function downloader(downloadUrl, checksumUrl, options) {
   };
 
   // throw an error if destDir is outside of the module to prevent path traversal for security reasons
-  if (!options.destDir.startsWith(process.cwd())) {
+  if (!isPathInCwd(options.destDir)) {
     throw new Error(`destDir must be located within '${process.cwd()}', it's currently set to '${options.destDir}'.`);
   }
 
diff --git a/package.json b/package.json
index a42e7bd..6005d78 100644
--- a/package.json
+++ b/package.json
@@ -27,6 +27,7 @@
     "decompress": "^4.2.1",
     "fs-extra": "^10.0.0",
     "got": "^11.8.2",
+    "is-path-in-cwd": "^4.0.0",
     "sumchecker": "^3.0.1",
     "tempy": "^2.0.0",
     "url-parse": "^1.5.3"
diff --git a/yarn.lock b/yarn.lock
index 0e51d39..bdff3c1 100644
--- a/yarn.lock
+++ b/yarn.lock
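Review bot: The new containment check at `if (!isPathInCwd(options.destDir))` is a lexical path comparison, so a destDir that sits under process.cwd() but passes through a symlink pointing elsewhere still passes; if the goal is to keep extracted files inside the module, resolve the directory first (e.g. `const realDest = await fs.promises.realpath(options.destDir);` once it exists, then check `realDest`), or add a comment stating that symlinked destinations are out of scope. Separately, if the library follows the usual strict "inside" semantics, a destDir equal to process.cwd() is now rejected where the old startsWith check accepted it — worth confirming and, if intended, reflecting in the error message, which still says "must be located within". The enclosing downloader function begins in the first hunk and continues past this one.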
@@ -1413,11 +1413,23 @@ is-path-cwd@^2.2.0: resolved "https://registry.yarnpkg.com/is-path-cwd/-/is-path-cwd-2.2.0.tgz#67d43b82664a7b5191fd9119127eb300048a9fdb" integrity sha512-w942bTcih8fdJPJmQHFzkS76NEP8Kzzvmw92cXsazb8intwLqPibPPdXf4ANdKV3rYMuuQYGIWtvz9JilB3NFQ== +is-path-in-cwd@^4.0.0: + version "4.0.0" + resolved "https://registry.yarnpkg.com/is-path-in-cwd/-/is-path-in-cwd-4.0.0.tgz#e5a97a09cf34655d7bab7204e6c3997d834ef0b6" + integrity sha512-FjDhtYysbIKBKRFCQN8NcMaHHWfwAzJLOrRAhzd4hnK6Y1979p6ZthIUqdPjCyAk5jvrmY2fn56Y+kFE8RdsrA== + dependencies: + is-path-inside "^4.0.0" + is-path-inside@^3.0.2: version "3.0.3" resolved "https://registry.yarnpkg.com/is-path-inside/-/is-path-inside-3.0.3.tgz#d231362e53a07ff2b0e0ea7fed049161ffd16283" integrity sha512-Fd4gABb+ycGAmKou8eMftCupSir5lRxqf4aD/vd0cD2qc4HL07OjCeuHMr8Ro4CoMaeCKDB0/ECBOVWjTwUvPQ== +is-path-inside@^4.0.0: + version "4.0.0" + resolved "https://registry.yarnpkg.com/is-path-inside/-/is-path-inside-4.0.0.tgz#805aeb62c47c1b12fc3fd13bfb3ed1e7430071db" + integrity sha512-lJJV/5dYS+RcL8uQdBDW9c9uWFLLBNRyFhnAKXw5tVqLlKZ4RMGZKv+YQ/IA3OhD+RpbJa1LLFM1FQPGyIXvOA== + is-plain-obj@^2.1.0: version "2.1.0" resolved "https://registry.yarnpkg.com/is-plain-obj/-/is-plain-obj-2.1.0.tgz#45e42e37fccf1f40da8e5f76ee21515840c09287"