Ensure 'rimraf' can only remove subdirectories of the cwd

istanbuljs · Mar 11, 2019 · 005f7f8 · 005f7f8
1 parent ec80cb3
commit 005f7f8
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 1 deletion.
diff --git a/lib/commands/instrument.js b/lib/commands/instrument.js
@@ -80,7 +80,8 @@ exports.handler = function (argv) {
   })
 
   if (argv.delete && argv.output && argv.output.length !== 0) {
-    if (path.relative(process.cwd(), path.resolve(argv.output)) !== '') {
+    const relPath = path.relative(process.cwd(), path.resolve(argv.output))
+    if (relPath !== '' && !relPath.startsWith('..')) {
       rimraf.sync(argv.output)
     } else {
       console.error(`nyc instrument failed: attempt to delete '${process.cwd()}'`)

diff --git a/test/nyc-integration.js b/test/nyc-integration.js
@@ -784,6 +784,26 @@ describe('the nyc cli', function () {
             done()
           })
         })
+
+        it('aborts if trying to clean outside working directory', function (done) {
+          const args = [bin, 'instrument', '--delete', './', '../']
+
+          const proc = spawn(process.execPath, args, {
+            cwd: fixturesCLI,
+            env: env
+          })
+
+          let stderr = ''
+          proc.stderr.on('data', function (chunk) {
+            stderr += chunk
+          })
+
+          proc.on('close', function (code) {
+            code.should.equal(1)
+            stderr.should.include('nyc instrument failed: attempt to delete')
+            done()
+          })
+        })
       })
     })
   })