@mintlify/cli 4.0.901 → 4.0.902

package/__test__/init.test.ts

@@ -0,0 +1,82 @@
+import { init } from '../src/init.js';
+
+vi.mock('@inquirer/prompts', () => ({
+  select: vi.fn(),
+  input: vi.fn(),
+}));
+
+vi.mock('@mintlify/previewing', () => ({
+  addLogs: vi.fn(),
+  addLog: vi.fn(),
+  SpinnerLog: vi.fn(),
+  removeLastLog: vi.fn(),
+}));
+
+vi.mock('@mintlify/validation', () => ({
+  docsConfigSchema: {
+    options: [{ shape: { theme: { _def: { value: 'quill' } } } }],
+  },
+}));
+
+vi.mock('fs-extra', () => ({
+  default: {
+    readdir: vi.fn().mockResolvedValue([]),
+    ensureDir: vi.fn().mockResolvedValue(undefined),
+    writeFile: vi.fn().mockResolvedValue(undefined),
+    copy: vi.fn().mockResolvedValue(undefined),
+    remove: vi.fn().mockResolvedValue(undefined),
+    readJson: vi.fn().mockResolvedValue({ theme: 'quill', name: 'Test' }),
+    writeJson: vi.fn().mockResolvedValue(undefined),
+  },
+}));
+
+vi.mock('adm-zip', () => ({
+  default: vi.fn().mockImplementation(() => ({
+    extractAllTo: vi.fn(),
+  })),
+}));
+
+global.fetch = vi.fn().mockResolvedValue({
+  arrayBuffer: () => Promise.resolve(new ArrayBuffer(0)),
+});
+
+describe('init', () => {
+  beforeEach(() => {
+    vi.clearAllMocks();
+  });
+
+  describe('path traversal prevention', () => {
+    it('rejects path traversal with ../', async () => {
+      await expect(init('../outside', false, 'quill', 'Test')).rejects.toThrow(
+        'Access denied: path "../outside" is outside the current directory'
+      );
+    });
+
+    it('rejects deep path traversal', async () => {
+      await expect(init('../../../etc', false, 'quill', 'Test')).rejects.toThrow(
+        'Access denied: path "../../../etc" is outside the current directory'
+      );
+    });
+
+    it('rejects absolute paths outside cwd', async () => {
+      await expect(init('/etc/test', false, 'quill', 'Test')).rejects.toThrow(
+        'Access denied: path "/etc/test" is outside the current directory'
+      );
+    });
+
+    it('allows current directory (.)', async () => {
+      // Should not throw for current directory
+      await expect(init('.', false, 'quill', 'Test')).resolves.not.toThrow();
+    });
+
+    it('allows subdirectory paths', async () => {
+      // Should not throw for subdirectory
+      await expect(init('docs', false, 'quill', 'Test')).resolves.not.toThrow();
+    });
+
+    it('allows nested subdirectory paths', async () => {
+      // Should not throw for nested subdirectory
+      await expect(init('docs/api', false, 'quill', 'Test')).resolves.not.toThrow();
+    });
+  });
+});

package/__test__/openApiCheck.test.ts

@@ -125,3 +125,20 @@ describe('openApiCheck', () => {
     expect(processExitMock).toHaveBeenCalledWith(1);
   });
 });
+
+describe('readLocalOpenApiFile', () => {
+  it('rejects path traversal attempts', async () => {
+    const { readLocalOpenApiFile } =
+      await vi.importActual<typeof import('../src/helpers.js')>('../src/helpers.js');
+
+    await expect(readLocalOpenApiFile('../etc/passwd')).rejects.toThrow(
+      'Access denied: invalid path'
+    );
+    await expect(readLocalOpenApiFile('/etc/passwd')).rejects.toThrow(
+      'Access denied: invalid path'
+    );
+    await expect(readLocalOpenApiFile('../../secret.yaml')).rejects.toThrow(
+      'Access denied: invalid path'
+    );
+  });
+});

package/bin/helpers.js

@@ -143,8 +143,14 @@ export const suppressConsoleWarnings = () => {
     };
 };
 export const readLocalOpenApiFile = (filename) => __awaiter(void 0, void 0, void 0, function* () {
-    const pathname = path.resolve(process.cwd(), filename);
-    const file = yield fs.readFile(pathname, 'utf-8');
+    const baseDir = process.cwd();
+    // const pathname = path.resolve(process.cwd(), filename);
+    const resolvedPath = path.resolve(baseDir, filename);
+    const relative = path.relative(baseDir, resolvedPath);
+    if (relative.startsWith('..') || path.isAbsolute(relative)) {
+        throw new Error('Access denied: invalid path');
+    }
+    const file = yield fs.readFile(resolvedPath, 'utf-8');
     const document = yaml.load(file);
     return document;
 });

package/bin/init.js

@@ -14,6 +14,15 @@ import { docsConfigSchema } from '@mintlify/validation';
 import AdmZip from 'adm-zip';
 import fse from 'fs-extra';
 import { Box, Text } from 'ink';
+import path from 'path';
+const validatePathWithinCwd = (inputPath) => {
+    const baseDir = process.cwd();
+    const resolvedPath = path.resolve(baseDir, inputPath);
+    const relative = path.relative(baseDir, resolvedPath);
+    if (relative.startsWith(`..${path.sep}`) || relative === '..' || path.isAbsolute(relative)) {
+        throw new Error(`Access denied: path "${inputPath}" is outside the current directory`);
+    }
+};
 const sendOnboardingMessage = (installDir) => {
     addLogs(_jsx(Text, { bold: true, children: "Documentation Setup!" }), _jsx(Text, { children: "To see your docs run" }), _jsxs(Box, { children: [_jsx(Text, { color: "blue", children: "cd" }), _jsxs(Text, { children: [" ", installDir] })] }), _jsx(Text, { color: "blue", children: "mint dev" }));
 };
@@ -22,6 +31,8 @@ const sendUsageMessageForAI = (directory, contentsOccupied, themes) => {
 };
 export function init(installDir, force, theme, name) {
     return __awaiter(this, void 0, void 0, function* () {
+        // Validate path is within current working directory to prevent path traversal
+        validatePathWithinCwd(installDir);
         const isInteractive = process.stdin.isTTY;
         const isClaudeCode = process.env.CLAUDECODE === '1';
         const isAI = !isInteractive || isClaudeCode;
@@ -62,6 +73,8 @@ export function init(installDir, force, theme, name) {
                     throw new Error('Subdirectory name cannot be empty');
                 }
                 installDir = installDir === '.' ? subdir : `${installDir}/${subdir}`;
+                // Re-validate after subdirectory is appended
+                validatePathWithinCwd(installDir);
             }
         }
         if (!isAI && (!selectedTheme || !projectName)) {