fix: path traversal on windows

j4k0xb · Aug 14, 2024 · 4bc5c6f · 4bc5c6f
1 parent 73d8afb
commit 4bc5c6f
Show file tree

Hide file tree

Showing 4 changed files with 47 additions and 6 deletions.
diff --git a/packages/webcrack/src/unpack/bundle.ts b/packages/webcrack/src/unpack/bundle.ts
@@ -1,11 +1,8 @@
 import traverse from '@babel/traverse';
 import type * as m from '@codemod/matchers';
-import { posix } from 'node:path';
+import { dirname, join, normalize } from 'node:path';
 import type { Module } from './module';
 
-// eslint-disable-next-line @typescript-eslint/unbound-method
-const { dirname, join, normalize } = posix;
-
 export class Bundle {
   type: 'webpack' | 'browserify';
   entryId: string;

diff --git a/packages/webcrack/src/unpack/test/samples/webpack-path-traversal-windows.js b/packages/webcrack/src/unpack/test/samples/webpack-path-traversal-windows.js
@@ -0,0 +1,20 @@
+(function (e) {
+  var n = {};
+  function o(r) {
+    if (n[r]) {
+      return n[r].exports;
+    }
+    var a = (n[r] = {
+      i: r,
+      l: false,
+      exports: {},
+    });
+    e[r].call(a.exports, a, a.exports, o);
+    a.l = true;
+    return a.exports;
+  }
+  o.p = '';
+  o((o.s = 386));
+})({
+  './\\..\\node_modules\\debug\\src\\index': function (e, t, n) {},
+});
diff --git a/packages/webcrack/src/unpack/test/samples/webpack-path-traversal-windows.js.snap b/packages/webcrack/src/unpack/test/samples/webpack-path-traversal-windows.js.snap
@@ -0,0 +1,12 @@
+WebpackBundle {
+  "entryId": "386",
+  "modules": Map {
+    "./\..\node_modules\debug\src\index" => WebpackModule {
+      "ast": ,
+      "id": "./\..\node_modules\debug\src\index",
+      "isEntry": false,
+      "path": "././\..\node_modules\debug\src\index.js",
+    },
+  },
+  "type": "webpack",
+}
diff --git a/packages/webcrack/src/unpack/test/unpack.test.ts b/packages/webcrack/src/unpack/test/unpack.test.ts
@@ -1,7 +1,7 @@
 import * as m from '@codemod/matchers';
 import { readFile } from 'fs/promises';
 import { tmpdir } from 'os';
-import { join } from 'path';
+import { join, sep } from 'path';
 import { expect, test } from 'vitest';
 import { unpack } from '../index';
 
@@ -26,7 +26,7 @@ test('path mapping', async () => {
   expect(bundle!).toMatchSnapshot();
 });
 
-test('prevent path traversal', async () => {
+test.runIf(sep === '/')('prevent path traversal (posix)', async () => {
   const code = await readFile(
     join(SAMPLES_DIR, 'webpack-path-traversal.js'),
     'utf8',
@@ -37,3 +37,15 @@ test('prevent path traversal', async () => {
   const dir = join(tmpdir(), 'path-traversal-test');
   await expect(bundle!.save(dir)).rejects.toThrow('path traversal');
 });
+
+test.runIf(sep === '\\')('prevent path traversal (windows)', async () => {
+  const code = await readFile(
+    join(SAMPLES_DIR, 'webpack-path-traversal-windows.js'),
+    'utf8',
+  );
+  const bundle = unpack(code);
+  expect(bundle).toBeDefined();
+
+  const dir = join(tmpdir(), 'path-traversal-test');
+  await expect(bundle!.save(dir)).rejects.toThrow('path traversal');
+});