diff --git a/dist/post_run/index.js b/dist/post_run/index.js index 6adc770..2044883 100644 --- a/dist/post_run/index.js +++ b/dist/post_run/index.js @@ -29643,16 +29643,26 @@ function _generateTmpName(opts) { } /** - * Check the prefix and postfix options + * Check the prefix, postfix, and template options. + * + * Rejects non-string inputs so that a non-string `.includes('..')` cannot evade + * the substring check (e.g. an Array whose `.includes('..')` is element-wise, + * or a duck-typed object with a custom `.includes`), and so that the value is + * not later coerced to a string with traversal sequences via `Array.prototype.join` + * or `path.join`. * * @private */ -function _assertPath(path) { - if (path.includes("..")) { +function _assertPath(option, value) { + if (typeof value !== 'string') { + throw new Error(`${option} option must be a string, got "${typeof value}".`); + } + + if (value.includes("..")) { throw new Error("Relative value not allowed"); } - return path; + return value; } /** @@ -29675,8 +29685,13 @@ function _assertOptionsBase(options) { } /* istanbul ignore else */ - if (!_isUndefined(options.template) && !options.template.match(TEMPLATE_PATTERN)) { - throw new Error(`Invalid template, found "${options.template}".`); + if (!_isUndefined(options.template)) { + if (typeof options.template !== 'string') { + throw new Error(`template option must be a string, got "${typeof options.template}".`); + } + if (!options.template.match(TEMPLATE_PATTERN)) { + throw new Error(`Invalid template, found "${options.template}".`); + } } /* istanbul ignore else */ @@ -29692,9 +29707,9 @@ function _assertOptionsBase(options) { options.unsafeCleanup = !!options.unsafeCleanup; // for completeness' sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to - options.prefix = _isUndefined(options.prefix) ? '' : _assertPath(options.prefix); - options.postfix = _isUndefined(options.postfix) ? '' : _assertPath(options.postfix); - options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template); + options.prefix = _isUndefined(options.prefix) ? '' : _assertPath('prefix', options.prefix); + options.postfix = _isUndefined(options.postfix) ? '' : _assertPath('postfix', options.postfix); + options.template = _isUndefined(options.template) ? undefined : _assertPath('template', options.template); } /** diff --git a/dist/run/index.js b/dist/run/index.js index 97ca668..bf70a28 100644 --- a/dist/run/index.js +++ b/dist/run/index.js @@ -29643,16 +29643,26 @@ function _generateTmpName(opts) { } /** - * Check the prefix and postfix options + * Check the prefix, postfix, and template options. + * + * Rejects non-string inputs so that a non-string `.includes('..')` cannot evade + * the substring check (e.g. an Array whose `.includes('..')` is element-wise, + * or a duck-typed object with a custom `.includes`), and so that the value is + * not later coerced to a string with traversal sequences via `Array.prototype.join` + * or `path.join`. * * @private */ -function _assertPath(path) { - if (path.includes("..")) { +function _assertPath(option, value) { + if (typeof value !== 'string') { + throw new Error(`${option} option must be a string, got "${typeof value}".`); + } + + if (value.includes("..")) { throw new Error("Relative value not allowed"); } - return path; + return value; } /** @@ -29675,8 +29685,13 @@ function _assertOptionsBase(options) { } /* istanbul ignore else */ - if (!_isUndefined(options.template) && !options.template.match(TEMPLATE_PATTERN)) { - throw new Error(`Invalid template, found "${options.template}".`); + if (!_isUndefined(options.template)) { + if (typeof options.template !== 'string') { + throw new Error(`template option must be a string, got "${typeof options.template}".`); + } + if (!options.template.match(TEMPLATE_PATTERN)) { + throw new Error(`Invalid template, found "${options.template}".`); + } } /* istanbul ignore else */ @@ -29692,9 +29707,9 @@ function _assertOptionsBase(options) { options.unsafeCleanup = !!options.unsafeCleanup; // for completeness' sake only, also keep (multiple) blanks if the user, purportedly sane, requests us to - options.prefix = _isUndefined(options.prefix) ? '' : _assertPath(options.prefix); - options.postfix = _isUndefined(options.postfix) ? '' : _assertPath(options.postfix); - options.template = _isUndefined(options.template) ? undefined : _assertPath(options.template); + options.prefix = _isUndefined(options.prefix) ? '' : _assertPath('prefix', options.prefix); + options.postfix = _isUndefined(options.postfix) ? '' : _assertPath('postfix', options.postfix); + options.template = _isUndefined(options.template) ? undefined : _assertPath('template', options.template); } /** diff --git a/package-lock.json b/package-lock.json index 1c2dea2..197b4c3 100644 --- a/package-lock.json +++ b/package-lock.json @@ -20,7 +20,7 @@ "@types/semver": "^7.7.1", "@types/tmp": "^0.2.6", "@types/which": "^3.0.4", - "tmp": "^0.2.6", + "tmp": "^0.2.7", "which": "^7.0.0", "yaml": "^2.9.0" }, @@ -4038,9 +4038,9 @@ } }, "node_modules/tmp": { - "version": "0.2.6", - "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.6.tgz", - "integrity": "sha512-5sJPdPjfI5Kx+qbrDesxkglRBxW//g7hCsqspEjwkewGvBMGIKMOTKzLt1hFVJzyadba3lDUN20O9qhvbQUSTA==", + "version": "0.2.7", + "resolved": "https://registry.npmjs.org/tmp/-/tmp-0.2.7.tgz", + "integrity": "sha512-e0votIpp4Uo2AJYSzVHV6xCcawuiez3DzqDAbrTc3YxBkplN6e+dM13ZeIcZnDg/QpSuU2zfZ3rzwY8ukEnaXw==", "license": "MIT", "engines": { "node": ">=14.14" diff --git a/package.json b/package.json index 223f0c8..b079501 100644 --- a/package.json +++ b/package.json @@ -38,7 +38,7 @@ "@types/semver": "^7.7.1", "@types/tmp": "^0.2.6", "@types/which": "^3.0.4", - "tmp": "^0.2.6", + "tmp": "^0.2.7", "which": "^7.0.0", "yaml": "^2.9.0" },