jkcfg / jk

Configuration as Code with ECMAScript
https://jkcfg.github.io
Apache License 2.0

`write` can write outside the output directory #345

Closed squaremo closed 4 years ago

squaremo commented 4 years ago

`read` can only read from the directory you give it .. but `write` can write to parent paths. It should be sandboxed in the same way as `read`.

squaremo commented 4 years ago

NB: for `jk transform`, the requirement is that it is able to write to exactly the files that were passed in. For anything else, only writes to the output directory are allowed.
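
The two rules stated in this issue (writes confined to the output directory, plus an exact-file exception for transform inputs) can be expressed as one path check. This is an added example, not jk's code or its fix: `WritePolicy`, `NewWritePolicy`, `Resolve` and all paths are hypothetical names and constructed values, and the check is assumed to run on absolute paths.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// WritePolicy is a hypothetical type for this example; it is not jk's API.
type WritePolicy struct {
	outputDir string          // absolute, cleaned output directory
	inputs    map[string]bool // transform only: exact files passed in
}

// NewWritePolicy assumes outputDir and inputs are absolute paths.
func NewWritePolicy(outputDir string, inputs ...string) *WritePolicy {
	p := &WritePolicy{outputDir: filepath.Clean(outputDir), inputs: map[string]bool{}}
	for _, in := range inputs {
		p.inputs[filepath.Clean(in)] = true
	}
	return p
}

// Resolve returns the absolute path a write may target, or an error.
// The check is lexical: symlinks under the output directory are not resolved.
func (p *WritePolicy) Resolve(requested string) (string, error) {
	target := requested
	if !filepath.IsAbs(target) {
		target = filepath.Join(p.outputDir, target)
	}
	target = filepath.Clean(target)
	if p.inputs[target] { // exact-match allow-list, never a directory prefix
		return target, nil
	}
	// Compare by relative path, not string prefix: "/work/out-evil" is not under "/work/out".
	rel, err := filepath.Rel(p.outputDir, target)
	if err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("write to %q is outside output directory %q", requested, p.outputDir)
	}
	return target, nil
}

func main() {
	p := NewWritePolicy("/work/out", "/work/src/deploy.yaml") // constructed paths
	for _, w := range []string{"a/b.yaml", "../x.yaml", "/work/src/deploy.yaml"} {
		path, err := p.Resolve(w)
		fmt.Println(w, "->", path, err)
	}
}
```

Because the check is purely lexical, a symlink inside the output directory that points elsewhere would still pass; resolving symlinks before the comparison closes that gap.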