
Commit 25a34f9

committed
fix: sanitize and validate bin and man link targets
1 parent 02bb9e1 commit 25a34f9

1 file changed

+17
-1
lines changed


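--- a/index.js
+++ b/index.js
@@ -11,10 +11,13 @@ const read = BB.promisify(fs.read, {multiArgs: true})
 const chmod = BB.promisify(fs.chmod)
 const readFile = BB.promisify(fs.readFile)
 const writeFileAtomic = BB.promisify(require('write-file-atomic'))
+const normalize = require('npm-normalize-package-bin')
 
 module.exports = BB.promisify(binLinks)
 
 function binLinks (pkg, folder, global, opts, cb) {
+pkg = normalize(pkg)
+
 // if it's global, and folder is in {prefix}/node_modules,
 // then bins are in {prefix}/bin
 // otherwise, then bins are in folder/../.bin
@@ -77,6 +80,12 @@ function linkBins (pkg, folder, parent, gtop, opts) {
 var dest = path.resolve(binRoot, bin)
 var src = path.resolve(folder, pkg.bin[bin])
 
+/* istanbul ignore if - that unpossible */
+if (src.indexOf(folder) !== 0) {
+throw new Error('invalid bin entry for package ' +
+pkg._id + '. key=' + bin + ', value=' + pkg.bin[bin])
+}
+
 return linkBin(src, dest, linkOpts).then(() => {
 // bins should always be executable.
 // XXX skip chmod on windows?
@@ -123,7 +132,8 @@ function linkMans (pkg, folder, parent, gtop, opts) {
 // make sure that the mans are unique.
 // otherwise, if there are dupes, it'll fail with EEXIST
 var set = pkg.man.reduce(function (acc, man) {
-acc[path.basename(man)] = man
+const cleanMan = path.join('/', man).replace(/\\|:/g, '/').substr(1)
+acc[path.basename(man)] = cleanMan
 return acc
 }, {})
 var manpages = pkg.man.filter(function (man) {
@@ -146,6 +156,12 @@ function linkMans (pkg, folder, parent, gtop, opts) {
 var sxn = parseMan[2]
 var bn = path.basename(stem)
 var manSrc = path.resolve(folder, man)
+/* istanbul ignore if - that unpossible */
+if (manSrc.indexOf(folder) !== 0) {
+throw new Error('invalid man entry for package ' +
+pkg._id + '. man=' + manSrc)
+}
+
 var manDest = path.join(manRoot, 'man' + sxn, bn)
 
 return linkIfExists(manSrc, manDest, getLinkOpts(opts, gtop && folder))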
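Review bot: The containment guard `if (src.indexOf(folder) !== 0)` at new line 84 is a plain string-prefix test rather than a path-component test, so a resolved `src` that lands in a sibling directory whose name merely begins with `folder`'s name would still be accepted; the `manSrc.indexOf(folder) !== 0` guard at new line 160 has the same gap. A component-aware check would be `if (src !== folder && !src.startsWith(folder + path.sep))` (and likewise for `manSrc`), which assumes `folder` is an already-resolved absolute path without a trailing separator — the callers that produce it are outside these hunks, so that should be confirmed. The `/* istanbul ignore if - that unpossible */` markers suggest the branch is considered unreachable; if so, a short comment stating why (e.g. that `normalize` has already rewritten the `bin` values) would help the next reader judge whether the check can be relied on. Both `linkBins` and `linkMans` continue outside the hunks.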
