From ec72e5e9e451624b765f95bc36c6ec62b2b21809 Mon Sep 17 00:00:00 2001
From: EugeniyKiyashko
Date: Thu, 12 Sep 2024 14:15:22 +0400
Subject: [PATCH] Security issue: Snyk reports Path Traversal vulnerability in vectormaputils (T1250487, T1251419)

---
 .../js/viz/vector_map.utils/node-cmd.js | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/packages/devextreme/js/viz/vector_map.utils/node-cmd.js b/packages/devextreme/js/viz/vector_map.utils/node-cmd.js
index 38e2835c09fd..91ce7157e9f2 100644
--- a/packages/devextreme/js/viz/vector_map.utils/node-cmd.js
+++ b/packages/devextreme/js/viz/vector_map.utils/node-cmd.js
@@ -6,6 +6,10 @@ function normalizeJsName(value) {
     return value.trim().replace('-', '_').replace(' ', '_');
 }
 
+function normalizePath(input) {
+    return path.normalize(input).replace(/[\. ]+$/, '');
+}
+
 function processFile(file, options, callback) {
     var name = path.basename(file, path.extname(file));
     options.info('%s: started', name);
@@ -20,8 +24,14 @@ function processFile(file, options, callback) {
         if(!options.isJSON) {
             content = options.processFileContent(content, normalizeJsName(name));
         }
+
+        const baseDir = normalizePath(options.output) || path.dirname(file);
+        const fileName = normalizePath(options.processFileName(name + (options.isJSON ? '.json' : '.js')))
+
+        var outputPath = path.resolve(baseDir, fileName);
+
         fs.writeFile(
-            path.resolve(options.output || path.dirname(file), options.processFileName(name + (options.isJSON ? '.json' : '.js'))),
+            outputPath,
             content,
             function(e) {
                 e && options.error(' ' + e.message);
                 callback();
@@ -33,7 +43,8 @@ function processFile(file, options, callback) {
 }
 
 function collectFiles(dir, done) {
-    var input = path.resolve(dir || '');
+    var input = normalizePath(path.resolve(dir || ''));
+
     fs.stat(input, function(e, stat) {
         if(e) {
             done(e, []);
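Review bot: normalizePath's name promises more than its body delivers — path.normalize() only collapses `.`/`..` segments lexically and the regex strips trailing dots and spaces, so a value like `../x` comes back unchanged and an absolute path stays absolute; nothing in this hunk confines the result to a directory, which is what the traversal named in the subject needs. A header comment should state that limit, e.g. `// Lexically normalizes a path and drops trailing '.'/' ' (Windows-style names); does NOT confine the result to any base directory — callers must check containment themselves.` It also throws a TypeError for a non-string input because path.normalize() does, which matters for the optional options.output passed to it in the next hunk.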
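Review bot: `normalizePath(options.output) || path.dirname(file)` calls normalizePath before the `||` fallback is reached, so when options.output is unset — the case the removed `options.output || path.dirname(file)` handled — path.normalize(undefined) throws a TypeError inside the readFile callback instead of falling back to the input's directory. Independently, path.resolve(baseDir, fileName) still leaves baseDir when fileName carries `..` segments or is absolute, since path.normalize() only rewrites them lexically, so the traversal this commit targets is not closed by normalizing alone; the resolved path should be checked to lie under baseDir before fs.writeFile runs. The new `const fileName = …` line is also missing its semicolon, and the block mixes `const` with `var outputPath`. processFile's body starts and ends outside this hunk.
```javascript
        const baseDir = options.output ? normalizePath(options.output) : path.dirname(file);
        const fileName = normalizePath(options.processFileName(name + (options.isJSON ? '.json' : '.js')));
        const outputPath = path.resolve(baseDir, fileName);
        // path.normalize() keeps '..' and absolute prefixes; refuse anything outside baseDir.
        const root = path.resolve(baseDir);
        if(!outputPath.startsWith(root + path.sep)) {
            options.error(' output path escapes the output directory: ' + outputPath);
            callback();
            return;
        }
        // … unchanged: fs.writeFile(outputPath, content, …) …
```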
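Review bot: path.resolve() already returns a normalized absolute path, so wrapping it in normalizePath here only strips trailing dots and spaces from that absolute path; on POSIX a directory name ending in `.` is legal, and fs.stat will then be asked about a different path than the one the caller named. If that trimming is intended, say so on the line, e.g. `// resolve() already normalizes; normalizePath only drops trailing '.'/' ' (Windows-style names)`. collectFiles continues past the end of the hunk.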