
Commit 2fa52c0

committed
fix #246: remove any double quotes or single quotes from os.tmpdir also sanitize dir option and template option
1 parent c7028f2 commit 2fa52c0


3 files changed

+86
-6
lines changed

3 files changed

+86
-6
lines changed

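--- a/lib/tmp.js
+++ b/lib/tmp.js
@@ -542,13 +542,28 @@ function _assertAndSanitizeOptions(options) {
 * @private
 */
 function _resolvePath(name, tmpDir) {
-if (name.startsWith(tmpDir)) {
-return path.resolve(name);
+const sanitizedName = _sanitizeName(name);
+if (sanitizedName.startsWith(tmpDir)) {
+return path.resolve(sanitizedName);
 } else {
-return path.resolve(path.join(tmpDir, name));
+return path.resolve(path.join(tmpDir, sanitizedName));
 }
 }
 
+/**
+* Sanitize the specified path name by removing all quote characters.
+*
+* @param name
+* @returns {string}
+* @private
+*/
+function _sanitizeName(name) {
+if (_isBlank(name)) {
+return name;
+}
+return name.replace(/["']/g, '');
+}
+
 /**
 * Asserts whether specified name is relative to the specified tmpDir.
 *
@@ -637,7 +652,7 @@ function setGracefulCleanup() {
 * @returns {string} the currently configured tmp dir
 */
 function _getTmpDir() {
-return path.resolve(os.tmpdir());
+return path.resolve(_sanitizeName(os.tmpdir()));
 }
 
 // Install process exit listener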
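Review bot: `_sanitizeName` removes every quote character rather than only a pair that wraps the value, so a legitimate temp directory whose path contains an apostrophe (a profile directory named after its user, say) is silently rewritten to a different path, and files can then be created somewhere the caller never chose. Stripping only a matching enclosing pair keeps the fix for #246 without that side effect: `return name.replace(/^(["'])(.*)\1$/, '$2');`. Separately, `sanitizedName.startsWith(tmpDir)` in `_resolvePath` is a string-prefix test, so a sibling directory that merely shares the prefix, or a name carrying `..` segments, still takes the first branch. The assertion documented right after this hunk ("Asserts whether specified name is relative to the specified tmpDir") has its body outside the visible lines, so confirm that it is applied to the resolved path.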

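--- a/test/name-sync-test.js
+++ b/test/name-sync-test.js
@@ -7,6 +7,7 @@ const
 inbandStandardTests = require('./name-inband-standard'),
 tmp = require('../lib/tmp');
 
+const isWindows = os.platform() === 'win32';
 
 describe('tmp', function () {
 describe('#tmpNameSync()', function () {
@@ -39,7 +40,9 @@ describe('tmp', function () {
 describe('on issue #176', function () {
 const origfn = os.tmpdir;
 it('must fail on invalid os.tmpdir()', function () {
-os.tmpdir = function () { return undefined; };
+os.tmpdir = function () {
+return undefined;
+};
 try {
 tmp.tmpNameSync();
 assert.fail('should have failed');
@@ -50,6 +53,35 @@ describe('tmp', function () {
 }
 });
 });
+describe('on issue #246', function () {
+const origfn = os.tmpdir;
+it('must produce correct name on os.tmpdir() returning path that includes double quotes', function () {
+const tmpdir = isWindows ? '"C:\\Temp With Spaces"' : '"/tmp with spaces"';
+os.tmpdir = function () {
+return tmpdir;
+};
+const name = tmp.tmpNameSync();
+try {
+assert.ok(name.indexOf('"') === -1);
+assert.ok(name.startsWith(tmpdir.replace(/["']/g, '')));
+} finally {
+os.tmpdir = origfn;
+}
+});
+it('must produce correct name on os.tmpdir() returning path that includes single quotes', function () {
+const tmpdir = isWindows ? '\'C:\\Temp With Spaces\'' : '\'/tmp with spaces\'';
+os.tmpdir = function () {
+return tmpdir;
+};
+const name = tmp.tmpNameSync();
+try {
+assert.ok(name.indexOf('\'') === -1);
+assert.ok(name.startsWith(tmpdir.replace(/["']/g, '')));
+} finally {
+os.tmpdir = origfn;
+}
+});
+});
 });
 
 describe('when running standard outband tests', function () {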
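Review bot: In both new "issue #246" cases `tmp.tmpNameSync()` is called before the `try`, so if it throws (the regression these tests exist to catch) the `finally` never runs and `os.tmpdir` stays mocked for every later test in the process. Move the call inside the guarded block: `try { const name = tmp.tmpNameSync(); ...`. The fixtures also only wrap the whole path in quotes. A case with a quote character inside a path segment would pin down what the sanitizer is meant to do with it.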

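--- a/test/name-test.js
+++ b/test/name-test.js
@@ -7,6 +7,7 @@ const
 inbandStandardTests = require('./name-inband-standard'),
 tmp = require('../lib/tmp');
 
+const isWindows = os.platform() === 'win32';
 
 describe('tmp', function () {
 describe('#tmpName()', function () {
@@ -62,6 +63,39 @@ describe('tmp', function () {
 });
 });
 });
+describe('on issue #246', function () {
+const origfn = os.tmpdir;
+it('must produce correct name on os.tmpdir() returning path that includes double quotes', function (done) {
+const tmpdir = isWindows ? '"C:\\Temp With Spaces"' : '"/tmp with spaces"';
+os.tmpdir = function () { return tmpdir; };
+tmp.tmpName(function (err, name) {
+try {
+assert.ok(name.indexOf('"') === -1);
+assert.ok(name.startsWith(tmpdir.replace(/["']/g, '')));
+} catch (err) {
+return done(err);
+} finally {
+os.tmpdir = origfn;
+}
+done();
+});
+});
+it('must produce correct name on os.tmpdir() returning path that includes single quotes', function (done) {
+const tmpdir = isWindows ? '\'C:\\Temp With Spaces\'' : '\'/tmp with spaces\'';
+os.tmpdir = function () { return tmpdir; };
+tmp.tmpName(function (err, name) {
+try {
+assert.ok(name.indexOf('\'') === -1);
+assert.ok(name.startsWith(tmpdir.replace(/["']/g, '')));
+} catch (err) {
+return done(err);
+} finally {
+os.tmpdir = origfn;
+}
+done();
+});
+});
+});
 });
 
 describe('when running standard outband tests', function () {
@@ -71,4 +105,3 @@ describe('tmp', function () {
 });
 });
 });
-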
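Review bot: The `tmp.tmpName` callbacks in both new "issue #246" cases never inspect `err`, and the `catch (err)` binding shadows it, so a failure inside `tmpName` surfaces as a TypeError from `name.indexOf` instead of the real error. Check it first inside the `try` with `if (err) throw err;` and rename the catch binding, `catch (e) { return done(e); }`. `os.tmpdir` is also restored only from inside the callback, so a synchronous throw from `tmp.tmpName` would leave the mock installed for later tests.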
