From 005f7f8430411e5c678db0835c92cf67f038360b Mon Sep 17 00:00:00 2001
From: Andrew Finlay
Date: Tue, 12 Mar 2019 09:46:21 +1100
Subject: [PATCH] Ensure 'rimraf' can only remove subdirectories of the cwd
---
 lib/commands/instrument.js | 3 ++-
 test/nyc-integration.js | 20 ++++++++++++++++++++
 2 files changed, 22 insertions(+), 1 deletion(-)
diff --git a/lib/commands/instrument.js b/lib/commands/instrument.js
index 9fdf59e58..9e255a757 100644
--- a/lib/commands/instrument.js
+++ b/lib/commands/instrument.js
@@ -80,7 +80,8 @@ exports.handler = function (argv) {
 })

 if (argv.delete && argv.output && argv.output.length !== 0) {
- if (path.relative(process.cwd(), path.resolve(argv.output)) !== '') {
+ const relPath = path.relative(process.cwd(), path.resolve(argv.output))
+ if (relPath !== '' && !relPath.startsWith('..')) {
 rimraf.sync(argv.output)
 } else {
 console.error(`nyc instrument failed: attempt to delete '${process.cwd()}'`)
diff --git a/test/nyc-integration.js b/test/nyc-integration.js
index 4d3d11a58..a34bbdbc8 100644
--- a/test/nyc-integration.js
+++ b/test/nyc-integration.js
@@ -784,6 +784,26 @@ describe('the nyc cli', function () {
 done()
 })
 })
+
+ it('aborts if trying to clean outside working directory', function (done) {
+ const args = [bin, 'instrument', '--delete', './', '../']
+
+ const proc = spawn(process.execPath, args, {
+ cwd: fixturesCLI,
+ env: env
+ })
+
+ let stderr = ''
+ proc.stderr.on('data', function (chunk) {
+ stderr += chunk
+ })
+
+ proc.on('close', function (code) {
+ code.should.equal(1)
+ stderr.should.include('nyc instrument failed: attempt to delete')
+ done()
+ })
+ })
 })
 })
 })
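Review bot: The new guard in `exports.handler` still accepts a `relPath` that is absolute: on Windows `path.relative()` returns an absolute path when `argv.output` resolves to a different drive than `process.cwd()`, and that string is neither `''` nor prefixed with `..`, so `rimraf.sync` would still run outside the working directory. The bare `startsWith('..')` test also rejects a legitimate child directory whose name merely begins with two dots. I would write the condition as `if (relPath !== '' && !path.isAbsolute(relPath) && relPath !== '..' && !relPath.startsWith('..' + path.sep)) {`. The message in the else branch still prints `process.cwd()` although the rejected target can now be a parent or sibling, so it should name `path.resolve(argv.output)` instead. The handler begins before and continues after this hunk, so the rest of the else branch is not visible here.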
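Review bot: The new case points `--delete` at `../` with `cwd: fixturesCLI`, so if the guard ever regresses the test itself would remove the parent of the fixtures directory rather than simply fail. Running it from a throwaway directory created for the test would keep such a regression harmless. The assertions stop at the exit code and the message prefix; a check in the `close` handler that the target still exists, for example `fs.existsSync(path.resolve(fixturesCLI, '..')).should.equal(true)` (assuming `fs` and `path` are in scope in this file), would pin the behaviour the commit title promises. A second case for an output path that lies outside the cwd without starting with `..` would cover the other branch of the check. The enclosing `describe` blocks begin outside this hunk.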