npm-pkg-lint 3.2.2 → 3.2.3
- package/dist/index.js +15 -4
- package/dist/index.js.map +2 -2
- package/package.json +1 -1
package/dist/index.js
CHANGED
|
@@ -9013,6 +9013,7 @@ var require_unpack = __commonJS({
|
|
|
9013
9013
|
var getFlag = require_get_write_flag();
|
|
9014
9014
|
var platform = process.env.TESTING_TAR_FAKE_PLATFORM || process.platform;
|
|
9015
9015
|
var isWindows = platform === "win32";
|
|
9016
|
+
var DEFAULT_MAX_DEPTH = 1024;
|
|
9016
9017
|
var unlinkFile = (path9, cb) => {
|
|
9017
9018
|
if (!isWindows) {
|
|
9018
9019
|
return fs5.unlink(path9, cb);
|
|
@@ -9091,6 +9092,7 @@ var require_unpack = __commonJS({
|
|
|
9091
9092
|
}
|
|
9092
9093
|
this.processUid = (this.preserveOwner || this.setOwner) && process.getuid ? process.getuid() : null;
|
|
9093
9094
|
this.processGid = (this.preserveOwner || this.setOwner) && process.getgid ? process.getgid() : null;
|
|
9095
|
+
this.maxDepth = typeof opt.maxDepth === "number" ? opt.maxDepth : DEFAULT_MAX_DEPTH;
|
|
9094
9096
|
this.forceChown = opt.forceChown === true;
|
|
9095
9097
|
this.win32 = !!opt.win32 || isWindows;
|
|
9096
9098
|
this.newer = !!opt.newer;
|
|
@@ -9123,12 +9125,12 @@ var require_unpack = __commonJS({
|
|
|
9123
9125
|
}
|
|
9124
9126
|
}
|
|
9125
9127
|
[CHECKPATH](entry) {
|
|
9128
|
+
const p = normPath(entry.path);
|
|
9129
|
+
const parts = p.split("/");
|
|
9126
9130
|
if (this.strip) {
|
|
9127
|
-
const parts = normPath(entry.path).split("/");
|
|
9128
9131
|
if (parts.length < this.strip) {
|
|
9129
9132
|
return false;
|
|
9130
9133
|
}
|
|
9131
|
-
entry.path = parts.slice(this.strip).join("/");
|
|
9132
9134
|
if (entry.type === "Link") {
|
|
9133
9135
|
const linkparts = normPath(entry.linkpath).split("/");
|
|
9134
9136
|
if (linkparts.length >= this.strip) {
|
|
@@ -9137,10 +9139,19 @@ var require_unpack = __commonJS({
|
|
|
9137
9139
|
return false;
|
|
9138
9140
|
}
|
|
9139
9141
|
}
|
|
9142
|
+
parts.splice(0, this.strip);
|
|
9143
|
+
entry.path = parts.join("/");
|
|
9144
|
+
}
|
|
9145
|
+
if (isFinite(this.maxDepth) && parts.length > this.maxDepth) {
|
|
9146
|
+
this.warn("TAR_ENTRY_ERROR", "path excessively deep", {
|
|
9147
|
+
entry,
|
|
9148
|
+
path: p,
|
|
9149
|
+
depth: parts.length,
|
|
9150
|
+
maxDepth: this.maxDepth
|
|
9151
|
+
});
|
|
9152
|
+
return false;
|
|
9140
9153
|
}
|
|
9141
9154
|
if (!this.preservePaths) {
|
|
9142
|
-
const p = normPath(entry.path);
|
|
9143
|
-
const parts = p.split("/");
|
|
9144
9155
|
if (parts.includes("..") || isWindows && /^[a-z]:\.\.$/i.test(parts[0])) {
|
|
9145
9156
|
this.warn("TAR_ENTRY_ERROR", `path contains '..'`, {
|
|
9146
9157
|
entry,
|