Fix bundling assets with a path outside of the project root

packages/cli/src/commands/bundle/__tests__/getAssetDestPathAndroid-test.ts

@@ -70,4 +70,16 @@ describe('getAssetDestPathAndroid', () => {
       path.normalize('raw/app_test_video.mp4'),
     );
   });
+
+  it('should handle assets with a relative path outside of root', () => {
+    const asset = {
+      name: 'icon',
+      type: 'png',
+      httpServerLocation: '/assets/../../test',
+    };
+
+    expect(getAssetDestPathAndroid(asset, 1)).toBe(
+      path.normalize('drawable-mdpi/__test_icon.png'),
+    );
+  });
 });

packages/cli/src/commands/bundle/__tests__/getAssetDestPathIOS-test.ts

@@ -41,4 +41,16 @@ describe('getAssetDestPathIOS', () => {
       path.normalize('assets/test/icon@3x.png'),
     );
   });
+
+  it('should handle assets with a relative path outside of root', () => {
+    const asset = {
+      name: 'icon',
+      type: 'png',
+      httpServerLocation: '/assets/../../test',
+    };
+
+    expect(getAssetDestPathIOS(asset, 1)).toBe(
+      path.normalize('assets/__test/icon.png'),
+    );
+  });
 });

packages/cli/src/commands/bundle/getAssetDestPathIOS.ts

@@ -12,7 +12,13 @@ import {PackagerAsset} from './assetPathUtils';
 function getAssetDestPathIOS(asset: PackagerAsset, scale: number): string {
   const suffix = scale === 1 ? '' : `@${scale}x`;
   const fileName = `${asset.name + suffix}.${asset.type}`;
-  return path.join(asset.httpServerLocation.substr(1), fileName);
+  return path.join(
+    // Assets can have relative paths outside of the project root.
+    // Replace `../` with `_` to make sure they don't end up outside of
+    // the expected assets directory.
+    asset.httpServerLocation.substr(1).replace(/\.\.\//g, '_'),
+    fileName,
+  );
 }
 
 export default getAssetDestPathIOS;