npm / package-json

Programmatic API to update package.json

fix: prevent `directory.man` referencing outside the package root #104

Closed antongolub closed 5 months ago

antongolub commented 5 months ago

What / Why

The current `directories.man` handler allows reaching assets outside the package scope.

```js
// expand directories.man (excerpt of the current handler; closing brace added for completeness)
if (steps.includes('mans') && !data.man && data.directories?.man) {
  const manDir = data.directories.man
  // manDir is resolved against the package path without checking that the result stays inside it
  const cwd = path.resolve(pkg.path, manDir)
  const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })
  // entries are rewritten relative to the package path with forward slashes
  data.man = files.map(man =>
    path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')
  )
}
```

`path.resolve(process.cwd(), '/')` → `'/'` (the system root)


wraithgar commented 5 months ago

Tests would normally be required but this use case is covered in https://github.com/npm/package-json/pull/100 which we'll be landing next.