From d62cf31387ecfdb674d7792e2c08f020f4d27df1 Mon Sep 17 00:00:00 2001
From: O F
Date: Mon, 12 Feb 2024 13:33:44 -0800
Subject: [PATCH 1/2] feat: add BROWSERSLIST_ROOT_PATH - check that loc is inside BROWSERSLIST_ROOT_PATH in eachParent - add tests - update Readme
---
 README.md | 6 ++++++
 index.d.ts | 1 +
 node.js | 10 ++++++++++
 test/config.test.js | 12 ++++++++++++
 test/main.test.js | 1 +
 5 files changed, 30 insertions(+)
diff --git a/README.md b/README.md
index e5c7912e..dcf61aeb 100644
--- a/README.md
+++ b/README.md
@@ -683,6 +683,12 @@ with [environment variables]:
 BROWSERSLIST_DANGEROUS_EXTEND=1 npx webpack
 ```
+* `BROWSERSLIST_ROOT_PATH` to prevent reading files above this path.
+
+ ```sh
+ BROWSERSLIST_ROOT_PATH=. npx webpack
+ ```
+
 [environment variables]: https://en.wikipedia.org/wiki/Environment_variable
diff --git a/index.d.ts b/index.d.ts
index 7f8e7605..e47c5cfe 100644
--- a/index.d.ts
+++ b/index.d.ts
@@ -193,6 +193,7 @@ declare global {
 BROWSERSLIST_ENV?: string
 BROWSERSLIST_IGNORE_OLD_DATA?: string
 BROWSERSLIST_STATS?: string
+ BROWSERSLIST_ROOT_PATH?: string
 }
 }
 }
diff --git a/node.js b/node.js
index ab3124cb..d8984b5b 100644
--- a/node.js
+++ b/node.js
@@ -50,12 +50,22 @@ function eachParent(file, callback) {
 var dir = isFile(file) ? path.dirname(file) : file
 var loc = path.resolve(dir)
 do {
+ if (!pathInRoot(loc)) break;
 var result = callback(loc)
 if (typeof result !== 'undefined') return result
 } while (loc !== (loc = path.dirname(loc)))
 return undefined
 }
+function pathInRoot(p) {
+ if (!process.env.BROWSERSLIST_ROOT_PATH) return true
+ var root_path = path.resolve(process.env.BROWSERSLIST_ROOT_PATH);
+ if (path.relative(root_path, p).startsWith('..')) {
+ return false;
+ }
+ return true
+}
+
 function check(section) {
 if (Array.isArray(section)) {
 for (var i = 0; i < section.length; i++) {
diff --git a/test/config.test.js b/test/config.test.js
index 9711334b..e993715a 100644
--- a/test/config.test.js
+++ b/test/config.test.js
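Review bot: The containment test in `pathInRoot` matches the two-character prefix `..` rather than a `..` path segment, so a directory under the root whose name begins with two dots (a constructed example: `..cache`) is treated as outside it and the walk stops early. On Windows, `path.relative` returns an absolute path when its two arguments are on different drives; that result does not begin with `..`, so the check reports such a location as inside the root and the limit fails open. Comparing whole segments and rejecting absolute results covers both cases: `var rel = path.relative(rootPath, p)` followed by `return rel !== '..' && rel.indexOf('..' + path.sep) !== 0 && !path.isAbsolute(rel)`. The same prefix test is carried over as `substring(0,2) === '..'` in the PATCH 2/2 hunk, and the signature line of `eachParent` lies outside this hunk.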
@@ -120,4 +120,16 @@ test('reads config with one string', () => {
 equal(browserslist.findConfig(STRING), { defaults: 'ie 9, ie 8' })
 })
+test('stops at ROOT', () => {
+ browserslist.clearCaches()
+ process.env.BROWSERSLIST_ROOT_PATH = join(__dirname, 'fixtures', 'dir')
+ equal(browserslist.findConfig(FILE), undefined)
+})
+
+test('allows up to ROOT', () => {
+ browserslist.clearCaches()
+ process.env.BROWSERSLIST_ROOT_PATH = join(__dirname, 'fixtures')
+ equal(browserslist.findConfig(FILE), { defaults: ['ie 11', 'ie 10'] })
+})
+
 test.run()
diff --git a/test/main.test.js b/test/main.test.js
index f8d136d8..2ba22205 100644
--- a/test/main.test.js
+++ b/test/main.test.js
@@ -21,6 +21,7 @@ test.after.each(() => {
 delete process.env.BROWSERSLIST
 delete process.env.BROWSERSLIST_CONFIG
 delete process.env.BROWSERSLIST_ENV
+ delete process.env.BROWSERSLIST_ROOT_PATH
 })
 test('accepts array', () => {
From 5d2728ad5f3a90512ca2f8a559085b6927b89684 Mon Sep 17 00:00:00 2001
From: O F
Date: Mon, 12 Feb 2024 15:49:55 -0800
Subject: [PATCH 2/2] fix linter errors
---
 node.js | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/node.js b/node.js
index d8984b5b..a935371d 100644
--- a/node.js
+++ b/node.js
@@ -59,8 +59,8 @@ function eachParent(file, callback) {
 function pathInRoot(p) {
 if (!process.env.BROWSERSLIST_ROOT_PATH) return true
- var root_path = path.resolve(process.env.BROWSERSLIST_ROOT_PATH);
- if (path.relative(root_path, p).startsWith('..')) {
+ var rootPath = path.resolve(process.env.BROWSERSLIST_ROOT_PATH);
+ if (path.relative(rootPath, p).substring(0,2) === '..') {
 return false;
 }
 return true
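Review bot: The two new tests assign `process.env.BROWSERSLIST_ROOT_PATH`, but the reset this series adds (`delete process.env.BROWSERSLIST_ROOT_PATH`) sits in the `after.each` of test/main.test.js; no matching reset is visible in test/config.test.js, so the value may outlive these tests if that file has no hook of its own. If it lacks one, `test.after.each(() => { delete process.env.BROWSERSLIST_ROOT_PATH })` in config.test.js keeps the variable from reaching later cases. No case here uses a directory whose name begins with `..`, and none visibly starts from a path outside the root, which are the two inputs where the prefix comparison in node.js is most likely to give a surprising answer.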
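Review bot: `pathInRoot` carries no comment saying what kind of boundary it enforces, and the README wording "to prevent reading files above this path" reads broader than the code shown. Both `rootPath` and the candidate path come from `path.resolve`/`path.dirname`, which work on the path string and do not resolve symlinks, and the only call added in this series is inside the `eachParent` walk; whether paths supplied through other settings pass through the check is not visible here. A comment above the function would record that, for example `// Lexical check on resolved path strings; symlinks are not followed. Only the eachParent() walk is limited by BROWSERSLIST_ROOT_PATH.` The closing brace of `pathInRoot` is outside this hunk.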