/*
* Copyright 2021 The Backstage Authors
*
* Licensed under the Apache License, Version 2.0 (the "License");
* you may not use this file except in compliance with the License.
* You may obtain a copy of the License at
*
* http://www.apache.org/licenses/LICENSE-2.0
*
* Unless required by applicable law or agreed to in writing, software
* distributed under the License is distributed on an "AS IS" BASIS,
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
* See the License for the specific language governing permissions and
* limitations under the License.
*/
import { basename, dirname, isAbsolute, relative, resolve, sep } from "path";
import { lstatSync, readlinkSync, realpathSync } from "fs";
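/**
 * Checks if path is the same as or a child path of base.
 *
 * The comparison is purely lexical: it is computed from `relative(base, path)`
 * and never touches the file system, so symlinks are NOT resolved here.
 * Callers that handle untrusted input should pass already-resolved real paths
 * (see resolveSafeChildPath).
 *
 * @public
 * @param base - The directory that is expected to contain `path`.
 * @param path - The path to test against `base`.
 * @returns `true` when `path` equals `base` or is located below it.
 */
export function isChildPath(base: string, path: string): boolean {
  const relativePath = relative(base, path);
  if (relativePath === "") {
    // The same directory
    return true;
  }

  // relative() returns a normalized path, so ".." can only appear as leading
  // segments. Compare the whole first segment instead of a bare prefix, so
  // that a legitimate child whose name merely begins with two dots
  // (e.g. "..cache") is not mistaken for a parent-directory reference.
  const outsideBase =
    relativePath === ".." || relativePath.startsWith(`..${sep}`);

  // On Windows, an absolute result means path is on a different drive from base.
  const differentDrive = isAbsolute(relativePath);

  return !outsideBase && !differentDrive;
}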
/**
 * Resolves a target path against a base path and rejects any result that does
 * not point to the base path or somewhere within it. Intended for paths that
 * originate from user input, where an unchecked resolve would allow the target
 * to leave the base directory.
 *
 * The containment check is performed on the real (symlink-resolved) paths as
 * reported by resolveRealPath, but the value returned is the plain
 * `resolve(base, path)` result. The check is therefore a point-in-time
 * validation: it does not protect against the file system changing between
 * this call and the later use of the returned path.
 *
 * @public
 * @param base - The base directory to resolve the path from.
 * @param path - The target path, relative or absolute
 * @returns A path that was verified to point to or within the base path.
 * @throws Error if the resolved target lies outside of the base path.
 */
export function resolveSafeChildPath(base: string, path: string): string {
  const realBase = resolveRealPath(base);
  const realTarget = resolveRealPath(resolve(realBase, path));

  if (isChildPath(realBase, realTarget)) {
    // Hand back the path relative to the caller's base rather than the real
    // path, since the original base could itself be a symlink.
    return resolve(base, path);
  }

  throw new Error("Relative path is not allowed to refer to a directory outside its parent");
}
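/**
 * Returns the real (symlink-resolved) location of a path, including paths
 * that do not exist yet.
 *
 * `realpathSync` fails with ENOENT as soon as any component is missing. Simply
 * returning the input in that case would leave symlinked ancestors and
 * dangling symlinks unresolved, and a containment check built on top of this
 * helper would then compare a path that is not where the file system would
 * actually read or write. Instead, the nearest resolvable ancestor is
 * resolved, the missing components are re-appended, and dangling symlinks are
 * followed lexically.
 *
 * @param path - The path to resolve; it does not have to exist.
 * @returns The real path, or the best-effort real path for missing targets.
 * @throws Any file system error other than ENOENT, and an Error when more
 *   symlinks than the hop limit have to be followed.
 */
function resolveRealPath(path: string): string {
  // Upper bound on dangling symlinks followed per call, so that links which
  // keep pointing at further unresolved links cannot recurse without end.
  let hopsLeft = 32;

  const walk = (current: string): string => {
    try {
      return realpathSync(current);
    } catch (error: any) {
      if (error.code !== "ENOENT") {
        throw error;
      }
    }

    const absolute = resolve(current);
    const parent = dirname(absolute);
    if (parent === absolute) {
      // Reached the file system root; nothing left to resolve.
      return absolute;
    }

    // Resolve the ancestors first so that a symlinked parent directory is
    // accounted for even though the final component is missing.
    const realParent = walk(parent);
    const candidate = resolve(realParent, basename(absolute));

    // The component may itself be a symlink whose target is missing.
    let linkTarget: string | undefined;
    try {
      if (lstatSync(candidate).isSymbolicLink()) {
        linkTarget = readlinkSync(candidate);
      }
    } catch (error: any) {
      if (error.code !== "ENOENT") {
        throw error;
      }
    }
    if (linkTarget === undefined) {
      return candidate;
    }

    if (hopsLeft === 0) {
      throw new Error("Too many levels of symbolic links while resolving path");
    }
    hopsLeft -= 1;
    return walk(resolve(realParent, linkTarget));
  };

  return walk(path);
}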