(path: string)
| 289 | let roots = initialRoots; |
| 290 | |
| 291 | function checkPath(path: string) { |
| 292 | const resolvedPath = resolve(path); |
| 293 | let realPath: string; |
| 294 | try { |
| 295 | realPath = realpathSync(resolvedPath); |
| 296 | } catch (e) { |
| 297 | if ((e as Error & { code?: string }).code === 'ENOENT') { |
| 298 | // Path does not exist. Find the first existing ancestor. |
| 299 | let current = resolvedPath; |
| 300 | while (current) { |
| 301 | try { |
| 302 | realPath = realpathSync(current); |
| 303 | break; |
| 304 | } catch (err) { |
| 305 | if ((err as Error & { code?: string }).code !== 'ENOENT') { |
| 306 | throw err; |
| 307 | } |
| 308 | const parent = dirname(current); |
| 309 | if (parent === current) { |
| 310 | // Reached filesystem root |
| 311 | throw err; |
| 312 | } |
| 313 | current = parent; |
| 314 | } |
| 315 | } |
| 316 | } else { |
| 317 | throw e; |
| 318 | } |
| 319 | } |
| 320 | |
| 321 | const isAllowed = roots.some((root) => { |
| 322 | const rel = relative(root, realPath); |
| 323 | |
| 324 | return !rel.startsWith('..') && !isAbsolute(rel); |
| 325 | }); |
| 326 | |
| 327 | if (!isAllowed) { |
| 328 | throw new Error(`Access denied: path '${path}' is outside allowed roots.`); |
| 329 | } |
| 330 | } |
| 331 | |
| 332 | return { |
| 333 | ...baseHost, |
no test coverage detected