fix: prevent directory.man referencing outside the package root (#104)

antongolub · wraithgar · commit a974274402d2 · 2024-05-24T09:36:55.000-07:00
diff --git a/lib/normalize.js b/lib/normalize.js
@@ -103,6 +103,10 @@ function isValidScopedPackageName (spec) {
     rest[1] === encodeURIComponent(rest[1])
 }
 
+function securePath (ref) {
+  return path.join('.', path.join('/', ref))
+}
+
 // We don't want the `changes` array in here by default because this is a hot
 // path for parsing packuments during install.  So the calling method passes it
 // in if it wants to track changes.
@@ -327,7 +331,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
   // expand directories.man
   if (steps.includes('mans') && !data.man && data.directories?.man) {
     const manDir = data.directories.man
-    const cwd = path.resolve(pkg.path, manDir)
+    const cwd = path.resolve(pkg.path, securePath(manDir))
     const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })
     data.man = files.map(man =>
       path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')
@@ -340,7 +344,7 @@ const normalize = async (pkg, { strict, steps, root, changes, allowLegacyCase })
 
   // expand "directories.bin"
   if (steps.includes('binDir') && data.directories?.bin && !data.bin) {
-    const binsDir = path.resolve(pkg.path, path.join('.', path.join('/', data.directories.bin)))
+    const binsDir = path.resolve(pkg.path, securePath(data.directories.bin))
     const bins = await lazyLoadGlob()('**', { cwd: binsDir })
     data.bin = bins.reduce((acc, binFile) => {
       if (binFile && !binFile.startsWith('.')) {
