Posted to commits@cordova.apache.org by ra...@apache.org on 2020/07/08 21:31:28 UTC

[cordova-android] branch master updated: fix(pluginHandlers): properly check if path is inside another (#1014)

This is an automated email from the ASF dual-hosted git repository.

raphinesse pushed a commit to branch master
in repository https://gitbox.apache.org/repos/asf/cordova-android.git


The following commit(s) were added to refs/heads/master by this push:
     new 8ef8d99  fix(pluginHandlers): properly check if path is inside another (#1014)
8ef8d99 is described below

commit 8ef8d994df85e85f1d038b3b567154848be80859
Author: Raphael von der Grün <ra...@gmail.com>
AuthorDate: Wed Jul 8 23:31:16 2020 +0200

    fix(pluginHandlers): properly check if path is inside another (#1014)
---
 bin/templates/cordova/lib/pluginHandlers.js | 5 +++--
 package-lock.json                           | 5 +++++
 package.json                                | 1 +
 spec/unit/pluginHandlers/common.spec.js     | 9 +++++++++
 4 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/bin/templates/cordova/lib/pluginHandlers.js b/bin/templates/cordova/lib/pluginHandlers.js
index 99e4bac..617c30e 100644
--- a/bin/templates/cordova/lib/pluginHandlers.js
+++ b/bin/templates/cordova/lib/pluginHandlers.js
@@ -16,6 +16,7 @@
 
 var fs = require('fs-extra');
 var path = require('path');
+var isPathInside = require('is-path-inside');
 var events = require('cordova-common').events;
 var CordovaError = require('cordova-common').CordovaError;
 
@@ -209,12 +210,12 @@ function copyFile (plugin_dir, src, project_dir, dest, link) {
     // check that src path is inside plugin directory
     var real_path = fs.realpathSync(src);
     var real_plugin_path = fs.realpathSync(plugin_dir);
-    if (real_path.indexOf(real_plugin_path) !== 0) { throw new CordovaError('File "' + src + '" is located outside the plugin directory "' + plugin_dir + '"'); }
+    if (!isPathInside(real_path, real_plugin_path)) { throw new CordovaError('File "' + src + '" is located outside the plugin directory "' + plugin_dir + '"'); }
 
     dest = path.resolve(project_dir, dest);
 
     // check that dest path is located in project directory
-    if (dest.indexOf(project_dir) !== 0) { throw new CordovaError('Destination "' + dest + '" for source file "' + src + '" is located outside the project'); }
+    if (!isPathInside(dest, project_dir)) { throw new CordovaError('Destination "' + dest + '" for source file "' + src + '" is located outside the project'); }
 
     fs.ensureDirSync(path.dirname(dest));
     if (link) {
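Review bot: The destination check on the second `+` line is still lexical: `dest` is normalised with `path.resolve` but never passed through `fs.realpathSync`, unlike `src` a few lines up, so a symlinked directory inside the project (for instance a `target-dir` component that links outside it) passes `isPathInside` and the write on the following `fs.ensureDirSync`/copy lines lands outside the project. Realpath'ing `project_dir` and the deepest existing ancestor of `dest` before the containment test closes that gap; whether the link/copy call further down would also follow a pre-existing symlink at `dest` itself depends on code after this hunk and should be confirmed. It is also worth a one-line comment that `isPathInside` returns false for two equal paths, which is intended here since a file destination can never be the project directory itself. `copyFile` begins before this hunk and continues past it.
```javascript
    dest = path.resolve(project_dir, dest);

    // check that dest path is located in project directory
    // (note: isPathInside is false for equal paths, which is what we want for a file dest)
    // Resolve symlinks in the part of dest that already exists so a symlinked
    // directory inside the project cannot redirect the write outside it.
    var real_project_dir = fs.realpathSync(project_dir);
    var existing = dest;
    while (!fs.existsSync(existing)) { existing = path.dirname(existing); }
    var real_dest = path.join(fs.realpathSync(existing), path.relative(existing, dest));
    if (!isPathInside(real_dest, real_project_dir)) { throw new CordovaError('Destination "' + dest + '" for source file "' + src + '" is located outside the project'); }

    // … unchanged: ensureDirSync and link/copy …
```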
diff --git a/package-lock.json b/package-lock.json
index 71b80f3..a14a6ff 100644
--- a/package-lock.json
+++ b/package-lock.json
@@ -1807,6 +1807,11 @@
       "resolved": "https://registry.npmjs.org/is-number/-/is-number-7.0.0.tgz",
       "integrity": "sha512-41Cifkg6e8TylSpdtTpeLVMqvSBEVzTttHvERD741+pnZ8ANv0004MRL43QKPDlK9cGvNp6NZWZUBlbGXYxxng=="
     },
+    "is-path-inside": {
+      "version": "3.0.2",
+      "resolved": "https://registry.npmjs.org/is-path-inside/-/is-path-inside-3.0.2.tgz",
+      "integrity": "sha512-/2UGPSgmtqwo1ktx8NDHjuPwZWmHhO+gj0f93EkhLB5RgW9RZevWYYlIkS6zePc6U2WpOdQYIwHe9YC4DWEBVg=="
+    },
     "is-promise": {
       "version": "2.1.0",
       "resolved": "https://registry.npmjs.org/is-promise/-/is-promise-2.1.0.tgz",
diff --git a/package.json b/package.json
index 324ba79..0a93cfc 100644
--- a/package.json
+++ b/package.json
@@ -29,6 +29,7 @@
     "cordova-common": "^4.0.1",
     "execa": "^4.0.2",
     "fs-extra": "^9.0.1",
+    "is-path-inside": "^3.0.2",
     "nopt": "^4.0.3",
     "properties-parser": "^0.3.1",
     "which": "^2.0.2"
diff --git a/spec/unit/pluginHandlers/common.spec.js b/spec/unit/pluginHandlers/common.spec.js
index b40895e..67ca6bf 100644
--- a/spec/unit/pluginHandlers/common.spec.js
+++ b/spec/unit/pluginHandlers/common.spec.js
@@ -108,6 +108,15 @@ describe('common platform handler', function () {
             expect(s).toHaveBeenCalled();
             expect(s).toHaveBeenCalledWith(java_file, resolvedDest);
         });
+
+        it('should handle relative paths when checking for sub paths', () => {
+            fs.outputFileSync(java_file, 'contents');
+            const relativeProjectPath = path.relative(process.cwd(), project_dir);
+
+            expect(() => {
+                copyFile(test_dir, java_file, relativeProjectPath, dest);
+            }).not.toThrow();
+        });
     });
 
     describe('copyNewFile', function () {
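Review bot: The new case only covers the relative-path regression fixed by this commit; nothing in this hunk exercises the case the switch to `isPathInside` actually hardens — a destination that merely shares a string prefix with the project directory (`project_dir + '-other'`), which the old `indexOf(...) !== 0` check accepted — nor an explicit `../` escape, so a future revert to prefix matching would go unnoticed unless a case elsewhere in this describe block already pins it. A sibling-prefix test built from the same fixtures (`java_file`, `test_dir`, `project_dir`, `dest`) would lock that in; it presumes `project_dir` is absolute and `dest` is a relative path, as the earlier `resolvedDest`/`path.relative` usage suggests. The enclosing describe block starts before this hunk.
```javascript
        it('should reject a destination that only shares a path prefix with the project', () => {
            fs.outputFileSync(java_file, 'contents');
            const siblingDest = path.join(project_dir + '-other', dest);

            expect(() => {
                copyFile(test_dir, java_file, project_dir, siblingDest);
            }).toThrow();
        });
```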

