| 51 | } |
| 52 | |
/**
 * Decide whether `filename` may be loaded from the host file system.
 *
 * With no `rootPaths` configured every path is allowed. Otherwise the
 * path is canonicalized through `this.fs.realpath` and must lie inside
 * (or be exactly equal to) at least one configured root; a root that is
 * merely a string prefix of a sibling directory name does not match.
 *
 * @param {string} filename - Path as requested by the loader.
 * @returns {boolean} true when the canonical path is within a root,
 *   false when it is outside every root or cannot be canonicalized.
 */
isPathAllowed(filename) {
  // Unrestricted mode: no root boundary was configured.
  if (this.rootPaths === undefined) return true;
  // SECURITY: the prefix test below must run on the dereferenced path.
  // The lexical resolve() step leaves symlinks in place while Node's
  // native require() follows them, so a link inside a root that targets
  // a location outside it would otherwise pass the check. Any failure to
  // canonicalize (missing file, dangling link, fs without realpath) is a
  // deny, never an allow. GHSA-cp6g-6699-wx9c.
  let canonical;
  try {
    canonical = this.fs.realpath(filename);
  } catch (err) {
    return false;
  }
  // NOTE(review): assumes each entry of rootPaths is itself canonical;
  // a root that lives under a symlink would never match here — confirm
  // where rootPaths is populated.
  const isUnderRoot = (root) => {
    if (!canonical.startsWith(root)) return false;
    const rootLen = root.length;
    // Exact match of the root itself.
    if (canonical.length === rootLen) return true;
    // Root already ends in a separator, so any longer prefix match is inside it.
    if (rootLen > 0 && this.fs.isSeparator(root[rootLen - 1])) return true;
    // Otherwise the next character must be a separator, so that
    // "/app" does not admit "/apple/x".
    return this.fs.isSeparator(canonical[rootLen]);
  };
  return this.rootPaths.some(isUnderRoot);
}
| 73 | |
| 74 | loadJS(vm, mod, filename) { |
| 75 | if (this.pathContext(filename, 'js') !== 'host') return super.loadJS(vm, mod, filename); |