fix(util): strip special and control characters from app.name (#1259)
* This mitigates potential path traversal.

Fixes: #1258

---------

Co-authored-by: Ayushman Chhabra <14110965+ayushmanchhabra@users.noreply.github.com>
Black-Platypus and ayushmanchhabra authored Oct 9, 2024
1 parent 9bfe70f commit b035bc3
Showing 2 changed files with 3 additions and 0 deletions.
1 change: 1 addition & 0 deletions eslint.config.js
Expand Up @@ -13,6 +13,7 @@ export default [
jsdoc.configs['flat/recommended'],
{
rules: {
"no-control-regex": ["off"],
"semi": ["error", "always"],
"quotes": ["error", "single"],
}
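Review bot: The added `"no-control-regex": ["off"]` entry in the shared `rules` block turns the rule off for every file, while only one regex in this commit needs control characters. Prefer leaving the rule on and placing `// eslint-disable-next-line no-control-regex` directly above the `replace` call in src/util.js, so that an accidental control character in any other regex is still reported.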
2 changes: 2 additions & 0 deletions src/util.js
Expand Up @@ -202,6 +202,8 @@ export const parse = async (options, pkg) => {

options.app = options.app ?? {};
options.app.name = options.app.name ?? pkg.name;
/* Remove special and control characters from app.name to mitigate potential path traversal. */
options.app.name = options.app.name.replace(/[<>:"/\\|?*\u0000-\u001F]/g, '');
options.app.icon = options.app.icon ?? undefined;

// TODO(#737): move this out
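Review bot: The `replace` on `options.app.name` has no check on what is left afterwards: a name made up only of stripped characters becomes an empty string, and a name of `.` or `..` passes through unchanged because dots are not in the character class. Since the comment states the goal is to mitigate path traversal, reject or substitute those results explicitly after the strip. Also, when both `options.app.name` and `pkg.name` are undefined, `.replace` throws a TypeError at this line, so a type check before the call would give a clearer error. The commit changes no test file; a test covering names with separators, control characters and dot-only values would pin this behaviour down.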