Package's name is not sanitized/escaped #127

@mani3xis

Description

The package.json's name field can be scoped (e.g. @callstack) and can contain a / character. As this is user-controlled input, it needs to be escaped, so that it's not used as a path separator. Currently, this is not sanitized and passed directly into (basically) system calls. The directories that are created during "auto linking" contain the @ in their name (which is a legal character for a file and directory name on both Windows and POSIX). However, the / is also not escaped, which causes issues while building.

Here's a snippet of the getLibraryName() function from path-utils.ts (from here):

// getLibraryName() from path-utils.ts as quoted in the report;
// determineModuleContext() and escapePath() are defined elsewhere (not shown).
export function getLibraryName(modulePath: string, naming: NamingStrategy) {
  const { packageName, relativePath } = determineModuleContext(modulePath);
  // packageName is used verbatim: a scoped name such as "@scope/pkg" keeps
  // its "/", while only relativePath is passed through escapePath().
  return naming.stripPathSuffix
    ? packageName
    : `${packageName}--${escapePath(relativePath)}`;
}

This issue can also be exploited, as nothing stops "an attacker" from creating a package whose name starts with @rpath/... or @executable_path/, just to name a few.
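One way to make the name field safe before it reaches a path, as an added example that is not code from this project or the reporter: it validates the name against a conservative subset of npm's naming rules (an optional @scope/ prefix and lowercase URL-safe segments, at most 214 characters) and maps it to a single path component. The names isValidPackageName, escapePackageName and safeLibraryName are hypothetical, and the sample names in the comments are constructed.

```typescript
// Added example (not the project's code): turn a package.json "name" into a
// single, collision-free path component before it is used to build paths.
// Assumption: names follow a conservative subset of npm's rules, i.e. an
// optional "@scope/" prefix and lowercase URL-safe segments, <= 214 chars.

const SEGMENT = "[a-z0-9][a-z0-9._-]*";
const PACKAGE_NAME_RE = new RegExp(`^(?:@${SEGMENT}/)?${SEGMENT}$`);

/** True if `name` is a well-formed (optionally scoped) package name. */
function isValidPackageName(name: string): boolean {
  // The leading-alphanumeric rule rejects ".", ".." and hidden names; the
  // single optional "@scope/" prefix rejects any further "/" or "\" characters.
  return name.length > 0 && name.length <= 214 && PACKAGE_NAME_RE.test(name);
}

/**
 * Map a validated name to one path component, e.g. "@scope/pkg" -> "scope+pkg".
 * "+" is outside the npm name alphabet used here, so an unscoped package can
 * never produce the same string (no collisions), and it is a legal filename
 * character on both POSIX and Windows. Dropping the "@" also means the result
 * can never start with a loader token such as "@rpath/" or "@executable_path/".
 */
function escapePackageName(name: string): string {
  if (!isValidPackageName(name)) {
    throw new Error(`refusing unsafe package name: ${JSON.stringify(name)}`);
  }
  // A validated name contains at most one "/", so a single replace suffices.
  return name.startsWith("@") ? name.slice(1).replace("/", "+") : name;
}

/** Build a library directory name from the package name and an optional subpath. */
function safeLibraryName(packageName: string, relativePath = ""): string {
  const base = escapePackageName(packageName);
  // Encode the subpath as well, so neither half can introduce a separator.
  return relativePath === "" ? base : `${base}--${encodeURIComponent(relativePath)}`;
}
```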

Labels

Apple 🍎: Anything related to the Apple platform (iOS, macOS, Cocoapods, Xcode, XCFrameworks, etc.)
invalid: This doesn't seem right
