fix(pluginHandlers): properly check if path is inside another (apache…

…#1014)
secondVISION · Jul 8, 2020 · 8ef8d99 · 8ef8d99
1 parent 80ad635
commit 8ef8d99
Show file tree

Hide file tree

Showing 4 changed files with 18 additions and 2 deletions.
diff --git a/bin/templates/cordova/lib/pluginHandlers.js b/bin/templates/cordova/lib/pluginHandlers.js
@@ -16,6 +16,7 @@
 
 var fs = require('fs-extra');
 var path = require('path');
+var isPathInside = require('is-path-inside');
 var events = require('cordova-common').events;
 var CordovaError = require('cordova-common').CordovaError;
 
@@ -209,12 +210,12 @@ function copyFile (plugin_dir, src, project_dir, dest, link) {
     // check that src path is inside plugin directory
     var real_path = fs.realpathSync(src);
     var real_plugin_path = fs.realpathSync(plugin_dir);
-    if (real_path.indexOf(real_plugin_path) !== 0) { throw new CordovaError('File "' + src + '" is located outside the plugin directory "' + plugin_dir + '"'); }
+    if (!isPathInside(real_path, real_plugin_path)) { throw new CordovaError('File "' + src + '" is located outside the plugin directory "' + plugin_dir + '"'); }
 
     dest = path.resolve(project_dir, dest);
 
     // check that dest path is located in project directory
-    if (dest.indexOf(project_dir) !== 0) { throw new CordovaError('Destination "' + dest + '" for source file "' + src + '" is located outside the project'); }
+    if (!isPathInside(dest, project_dir)) { throw new CordovaError('Destination "' + dest + '" for source file "' + src + '" is located outside the project'); }
 
     fs.ensureDirSync(path.dirname(dest));
     if (link) {

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -29,6 +29,7 @@
     "cordova-common": "^4.0.1",
     "execa": "^4.0.2",
     "fs-extra": "^9.0.1",
+    "is-path-inside": "^3.0.2",
     "nopt": "^4.0.3",
     "properties-parser": "^0.3.1",
     "which": "^2.0.2"

diff --git a/spec/unit/pluginHandlers/common.spec.js b/spec/unit/pluginHandlers/common.spec.js
@@ -108,6 +108,15 @@ describe('common platform handler', function () {
             expect(s).toHaveBeenCalled();
             expect(s).toHaveBeenCalledWith(java_file, resolvedDest);
         });
+
+        it('should handle relative paths when checking for sub paths', () => {
+            fs.outputFileSync(java_file, 'contents');
+            const relativeProjectPath = path.relative(process.cwd(), project_dir);
+
+            expect(() => {
+                copyFile(test_dir, java_file, relativeProjectPath, dest);
+            }).not.toThrow();
+        });
     });
 
     describe('copyNewFile', function () {