@dynamic-labs/react-native-extension 4.91.6 → 4.92.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/index.cjs +15 -1
  2. package/index.js +15 -1
  3. package/package.json +6 -6
package/index.cjs CHANGED
@@ -35,7 +35,7 @@ function _interopNamespace(e) {
35
35
  return Object.freeze(n);
36
36
  }
37
37
 
38
- var version = "4.91.6";
38
+ var version = "4.92.1";
39
39
 
40
40
  function _extends() {
41
41
  return _extends = Object.assign ? Object.assign.bind() : function (n) {
@@ -1335,6 +1335,20 @@ const setupPlatformHandler = core => {
1335
1335
  fileName,
1336
1336
  mimeType
1337
1337
  }) {
1338
+ /**
1339
+ * Sanitize the caller-provided fileName to prevent path traversal
1340
+ * (CWE-22). The fileName is used to build a path inside the app cache
1341
+ * directory, so a value containing path separators or `..` segments
1342
+ * could escape the cache directory and delete/overwrite arbitrary files
1343
+ * in the app sandbox. Reject anything that is not a plain basename:
1344
+ * empty, `.`/`..`, or containing `/` or `\` (any `..` segment within a
1345
+ * path is caught by the separator checks). Reducing to the basename here
1346
+ * would silently write attacker-chosen data under a different name, so we
1347
+ * reject instead.
1348
+ */
1349
+ if (!fileName || fileName === '.' || fileName === '..' || fileName.includes('/') || fileName.includes('\\')) {
1350
+ throw new Error(`Invalid fileName: ${fileName}`);
1351
+ }
1338
1352
  /**
1339
1353
  * Because this is an iOS and Android only package, we need to import
1340
1354
  * dynamically to avoid react-native-web build errors.
package/index.js CHANGED
@@ -13,7 +13,7 @@ import { createURL, getInitialURL, addEventListener, openURL } from 'expo-linkin
13
13
  import { openAuthSessionAsync } from 'expo-web-browser';
14
14
  import { createPasskey, PasskeyStamper } from '@turnkey/react-native-passkey-stamper';
15
15
 
16
- var version = "4.91.6";
16
+ var version = "4.92.1";
17
17
 
18
18
  function _extends() {
19
19
  return _extends = Object.assign ? Object.assign.bind() : function (n) {
@@ -1313,6 +1313,20 @@ const setupPlatformHandler = core => {
1313
1313
  fileName,
1314
1314
  mimeType
1315
1315
  }) {
1316
+ /**
1317
+ * Sanitize the caller-provided fileName to prevent path traversal
1318
+ * (CWE-22). The fileName is used to build a path inside the app cache
1319
+ * directory, so a value containing path separators or `..` segments
1320
+ * could escape the cache directory and delete/overwrite arbitrary files
1321
+ * in the app sandbox. Reject anything that is not a plain basename:
1322
+ * empty, `.`/`..`, or containing `/` or `\` (any `..` segment within a
1323
+ * path is caught by the separator checks). Reducing to the basename here
1324
+ * would silently write attacker-chosen data under a different name, so we
1325
+ * reject instead.
1326
+ */
1327
+ if (!fileName || fileName === '.' || fileName === '..' || fileName.includes('/') || fileName.includes('\\')) {
1328
+ throw new Error(`Invalid fileName: ${fileName}`);
1329
+ }
1316
1330
  /**
1317
1331
  * Because this is an iOS and Android only package, we need to import
1318
1332
  * dynamically to avoid react-native-web build errors.
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@dynamic-labs/react-native-extension",
3
- "version": "4.91.6",
3
+ "version": "4.92.1",
4
4
  "main": "./index.cjs",
5
5
  "module": "./index.js",
6
6
  "types": "./src/index.d.ts",
@@ -18,11 +18,11 @@
18
18
  "@turnkey/react-native-passkey-stamper": "1.2.7",
19
19
  "@react-native-documents/picker": "^11.0.0",
20
20
  "react-native-fs": ">=2.20.0",
21
- "@dynamic-labs/assert-package-version": "4.91.6",
22
- "@dynamic-labs/client": "4.91.6",
23
- "@dynamic-labs/logger": "4.91.6",
24
- "@dynamic-labs/message-transport": "4.91.6",
25
- "@dynamic-labs/webview-messages": "4.91.6"
21
+ "@dynamic-labs/assert-package-version": "4.92.1",
22
+ "@dynamic-labs/client": "4.92.1",
23
+ "@dynamic-labs/logger": "4.92.1",
24
+ "@dynamic-labs/message-transport": "4.92.1",
25
+ "@dynamic-labs/webview-messages": "4.92.1"
26
26
  },
27
27
  "peerDependencies": {
28
28
  "react": ">=18.0.0 <20.0.0",