Skip to content

refactor: add normalizePackageMan helper#100

Merged
wraithgar merged 1 commit intonpm:mainfrom
antongolub-forks:fix-mandir-scope
May 24, 2024
Merged

refactor: add normalizePackageMan helper#100
wraithgar merged 1 commit intonpm:mainfrom
antongolub-forks:fix-mandir-scope

Conversation

@antongolub
Copy link
Copy Markdown
Contributor

@antongolub antongolub commented May 18, 2024
edited
Loading

What / Why

Aligns normalization logic with directories.bin

See also: https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105

  fixManField: function (data) {
    if (!data.man) {
      return
    }
    if (typeof data.man === 'string') {
      data.man = [data.man]
    }
  },

References

CC @wraithgar

@antongolub antongolub requested a review from a team as a code owner May 18, 2024 11:27
wraithgar
wraithgar reviewed May 23, 2024
View reviewed changes
Comment thread lib/normalize.js
@wraithgar
Copy link
Copy Markdown
Contributor

wraithgar commented May 23, 2024
edited
Loading

Looks like the tests aren't passing in Windows because of the classic / vs \ problem.

ETA: Look for the lines in the bin normalization code like: binKey.replace(/\\|:/g, '/') for how we deal with that there.

@antongolub antongolub mentioned this pull request May 24, 2024
Merged
@antongolub antongolub changed the title fix: prevent directory.man referencing outside the package root refactor: add normalizePackageMan helper May 24, 2024
@antongolub
Copy link
Copy Markdown
Contributor Author

antongolub commented May 24, 2024
edited
Loading

The changes are separated now:

@antongolub antongolub requested a review from wraithgar May 24, 2024 07:08
wraithgar pushed a commit that referenced this pull request May 24, 2024
@antongolub
fix: prevent directory.man referencing outside the package root (#104)
3968292 
## What / Why
The current `directories.man` handler allows to reach assets outside the
package scope.
```js
// expand directories.man
  if (steps.includes('mans') && !data.man && data.directories?.man) {
    const manDir = data.directories.man
    const cwd = path.resolve(pkg.path, manDir)
    const files = await lazyLoadGlob()('**/*.[0-9]', { cwd })
    data.man = files.map(man =>
      path.relative(pkg.path, path.join(cwd, man)).split(path.sep).join('/')
    )
```
```js
path.resolve(process.cwd(), '/') → '/' system root
```

## References
* continues npm/read-package-json#177
* relates #100
@wraithgar
Copy link
Copy Markdown
Contributor

wraithgar commented May 24, 2024

This will need a rebase because of #104 landing

@antongolub
Copy link
Copy Markdown
Contributor Author

antongolub commented May 24, 2024

ref.replace(/\\|:/g, '/') is a common snippet, so I separated it into a function. If necessary, I can add another pull request to replace all similar statements with the helper.

@wraithgar
Copy link
Copy Markdown
Contributor

wraithgar commented May 24, 2024

If necessary, I can add another pull request to replace all similar statements with the helper.

Please do. I can land this PR now instead of waiting on that.

@wraithgar
Copy link
Copy Markdown
Contributor

wraithgar commented May 24, 2024

I wonder how much overlap there truly is between the bin and man normalization. I see that the bin normalization removes entries that reference nonexistent files while man doesn't.

If there's a 1:1 overlap would it be possible to pass bin or man to a shared function? If there are even one or two things that don't overlap that may be more work than it's worth but for things like this sharing code definitely helps, as your PRs this week have shown.

@wraithgar wraithgar merged commit c87260a into npm:main May 24, 2024
@wraithgar
Copy link
Copy Markdown
Contributor

wraithgar commented May 24, 2024

Also another small note about process. You don't need to @ the cli team for these. We have a codeowners file set up which automatically notifies us that a PR needs review when it's made.

@wraithgar
Copy link
Copy Markdown
Contributor

wraithgar commented May 24, 2024

Ah fiddlesticks I merged w/ an invalid prefix. I'll have to edit main now so heads up.

wraithgar pushed a commit that referenced this pull request May 24, 2024
@antongolub @wraithgar
fix: add normalizePackageMan helper (#100)
59b8ccf 
Aligns normalization logic with `directories.bin`

See also:
https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105
```js
  fixManField: function (data) {
    if (!data.man) {
      return
    }
    if (typeof data.man === 'string') {
      data.man = [data.man]
    }
  },
```

* continues npm/read-package-json#177
* relates #104

CC @wraithgar
@github-actions github-actions Bot mentioned this pull request May 24, 2024
Merged
wraithgar pushed a commit that referenced this pull request May 24, 2024
@antongolub @wraithgar
fix: add normalizePackageMan helper (#100)
46c563b 
Aligns normalization logic with `directories.bin`

See also:
https://github.com/npm/normalize-package-data/blob/main/lib/fixer.js#L105
```js
  fixManField: function (data) {
    if (!data.man) {
      return
    }
    if (typeof data.man === 'string') {
      data.man = [data.man]
    }
  },
```

* continues npm/read-package-json#177
* relates #104

CC @wraithgar
@wraithgar
Copy link
Copy Markdown
Contributor

wraithgar commented May 24, 2024

ok @antongolub the main branch is done being rewritten, if you git fetch now a PR made won't collide w/ the edited history.

@antongolub antongolub mentioned this pull request May 24, 2024
Merged
wraithgar pushed a commit that referenced this pull request May 28, 2024
@antongolub
fix: apply securePath to package bin (#105)
54756d2 
## What / Why

* Aligns path normalization logic when processing `bin` and `man` refs.
* Fixes out of scope path traversals for `bin`

```js
function unixifyPath (ref) {
  return ref.replace(/\\|:/g, '/')
}

function securePath (ref) {
  const secured = path.join('.', path.join('/', unixifyPath(ref)))
  return secured.startsWith('.') ? '' : secured
}

function secureAndUnixifyPath (ref) {
  return unixifyPath(securePath(ref))
}
```

## References
continues
[#100](#100 (comment)),
#104
wraithgar pushed a commit that referenced this pull request May 29, 2024
@github-actions
chore: release 5.1.1 (#103)
e6c2bdd 
🤖 I have created a release *beep* *boop*
---


## [5.1.1](v5.1.0...v5.1.1)
(2024-05-28)

### Bug Fixes

*
[`54756d2`](54756d2)
[#105](#105) apply `securePath`
to package bin (#105) (@antongolub)
*
[`46c563b`](46c563b)
add `normalizePackageMan` helper (#100) (@antongolub)
*
[`a974274`](a974274)
prevent `directory.man` referencing outside the package root (#104)
(@antongolub)
*
[`191b521`](191b521)
[#102](#102) invalid scripts
warning fixed for undefined scripts (#102) (@milaninfy)

### Chores

*
[`45a2937`](45a2937)
[#98](#98) bump
@npmcli/template-oss to 4.22.0 (@lukekarrys)
*
[`90863c1`](90863c1)
[#98](#98) postinstall for
dependabot template-oss PR (@lukekarrys)

---
This PR was generated with [Release
Please](https://github.com/googleapis/release-please). See
[documentation](https://github.com/googleapis/release-please#release-please).

Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@wraithgar wraithgar wraithgar approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@antongolub @wraithgar