Protect against bad project names

pragdave · Jul 17, 2018 · f558977 · f558977
1 parent 6205338
commit f558977
Show file tree

Hide file tree

Showing 2 changed files with 17 additions and 7 deletions.
diff --git a/lib/mix_templates/cache.ex b/lib/mix_templates/cache.ex
@@ -40,16 +40,17 @@ defmodule MixTemplates.Cache do
   """
 
   def install_from_local_tree(source) do
-    if is_template?(source) do
-      module = load_template_module(source)
-      name   = module.name
-      target = template_path(name)
-      File.rm_rf!(target)
+    with true <- is_template?(source),
+         module <- load_template_module(source),
+         name <- module.name,
+         false <- name |> to_string() |> name_is_path?(),
+         target <- template_path(name) do
+      if File.dir?(target), do: File.rm_rf!(target)
       File.mkdir_p!(target)
       File.cp_r!(source, target)
       { :ok, name }
     else
-      { :error, "“#{source}” does not contain a valid template" }
+      _ -> { :error, "“#{source}” does not contain a valid template" }
     end
   end
 
@@ -247,6 +248,9 @@ defmodule MixTemplates.Cache do
     defp error(message) do
       Mix.shell.info([ :red, "ERROR: ", :reset, message ])
     end
+
+    def name_is_path?("/" <> _), do: true
+    def name_is_path?(name), do: Path.absname(name) != Path.expand(name)
   end
 
 
@@ -264,5 +268,4 @@ defmodule MixTemplates.Cache do
   end
 
 
-
 end
diff --git a/test/templates_test.exs b/test/templates_test.exs
@@ -112,4 +112,11 @@ defmodule TemplatesTest do
 
     File.rm_rf!(dest)
    end
+
+   test "Cache.name_is_path?/1 catches projects named as paths" do
+     assert Cache.name_is_path?("../../.")
+     assert Cache.name_is_path?("/")
+     assert Cache.name_is_path?("/home")
+     assert not Cache.name_is_path?("my_template_project")
+   end
 end