mirror of
https://github.com/pnpm/pnpm.git
synced 2026-05-29 11:11:43 -04:00
6481f6c161
* fix(patching/apply-patch): reject patch paths that escape the patched directory A malicious .patch file with `diff --git a/../../X` headers could otherwise write, delete, or rename files outside the patched package as the user running `pnpm install`. * refactor(patching/apply-patch): narrow caught errors via util.types.isNativeError Drops the `any`-typed catch + eslint-disable in favor of the cross-realm-safe narrowing pattern documented in CLAUDE.md. * refactor(patching/apply-patch): replace error helper with PatchPathEscapesError class * chore(patching/apply-patch): reword comment to satisfy cspell
148 lines
4.6 KiB
TypeScript
148 lines
4.6 KiB
TypeScript
import fs from 'fs'
|
|
import path from 'path'
|
|
import { applyPatchToDir } from '@pnpm/patching.apply-patch'
|
|
import { fixtures } from '@pnpm/test-fixtures'
|
|
import { tempDir } from '@pnpm/prepare'
|
|
import { globalWarn } from '@pnpm/logger'
|
|
import { jest } from '@jest/globals'
|
|
|
|
const f = fixtures(__dirname)
|
|
|
|
jest.mock('@pnpm/logger', () => {
|
|
const originalModule = jest.requireActual<object>('@pnpm/logger')
|
|
return {
|
|
...originalModule,
|
|
globalWarn: jest.fn(),
|
|
}
|
|
})
|
|
|
|
beforeEach(() => {
|
|
jest.mocked(globalWarn).mockClear()
|
|
})
|
|
|
|
function prepareDirToPatch () {
|
|
const dir = tempDir()
|
|
f.copy('patch-target.txt', path.join(dir, 'patch-target.txt'))
|
|
return dir
|
|
}
|
|
|
|
describe('applyPatchToDir() without allowFailure', () => {
|
|
const allowFailure = false
|
|
it('should succeed when patch is applicable', () => {
|
|
const patchFilePath = f.find('applicable.patch')
|
|
const successfullyPatched = f.find('successfully-patched.txt')
|
|
const patchedDir = prepareDirToPatch()
|
|
expect(
|
|
applyPatchToDir({
|
|
allowFailure,
|
|
patchFilePath,
|
|
patchedDir,
|
|
})
|
|
).toBe(true)
|
|
const patchTarget = path.join(patchedDir, 'patch-target.txt')
|
|
expect(fs.readFileSync(patchTarget, 'utf-8')).toBe(fs.readFileSync(successfullyPatched, 'utf-8'))
|
|
})
|
|
it('should fail when patch fails to apply', () => {
|
|
const patchFilePath = f.find('non-applicable.patch')
|
|
const patchedDir = prepareDirToPatch()
|
|
expect(() => {
|
|
applyPatchToDir({
|
|
allowFailure,
|
|
patchFilePath,
|
|
patchedDir,
|
|
})
|
|
}).toThrow(`Could not apply patch ${patchFilePath} to ${patchedDir}`)
|
|
expect(fs.readFileSync(path.join(patchedDir, 'patch-target.txt'), 'utf-8')).toBe(fs.readFileSync(f.find('patch-target.txt'), 'utf-8'))
|
|
})
|
|
it('should fail on invalid patch', () => {
|
|
const patchFilePath = f.find('invalid.patch')
|
|
expect(() => {
|
|
applyPatchToDir({
|
|
allowFailure,
|
|
patchFilePath,
|
|
patchedDir: tempDir(),
|
|
})
|
|
}).toThrow(`Applying patch "${patchFilePath}" failed: hunk header integrity check failed`)
|
|
})
|
|
it('should fail if the patch file is not found', () => {
|
|
expect(() => {
|
|
applyPatchToDir({
|
|
allowFailure,
|
|
patchFilePath: 'does-not-exist.patch',
|
|
patchedDir: tempDir(),
|
|
})
|
|
}).toThrow('Patch file not found')
|
|
})
|
|
})
|
|
|
|
describe('applyPatchToDir() with allowFailure', () => {
|
|
const allowFailure = true
|
|
it('should succeed when patch is applicable', () => {
|
|
const patchFilePath = f.find('applicable.patch')
|
|
const successfullyPatched = f.find('successfully-patched.txt')
|
|
const patchedDir = prepareDirToPatch()
|
|
expect(
|
|
applyPatchToDir({
|
|
allowFailure,
|
|
patchFilePath,
|
|
patchedDir,
|
|
})
|
|
).toBe(true)
|
|
const patchTarget = path.join(patchedDir, 'patch-target.txt')
|
|
expect(fs.readFileSync(patchTarget, 'utf-8')).toBe(fs.readFileSync(successfullyPatched, 'utf-8'))
|
|
})
|
|
it('should warn when patch fails to apply', () => {
|
|
const patchFilePath = f.find('non-applicable.patch')
|
|
const patchedDir = prepareDirToPatch()
|
|
expect(
|
|
applyPatchToDir({
|
|
allowFailure,
|
|
patchFilePath,
|
|
patchedDir,
|
|
})
|
|
).toBe(false)
|
|
expect(jest.mocked(globalWarn).mock.calls).toStrictEqual([[
|
|
`Could not apply patch ${patchFilePath} to ${patchedDir}`,
|
|
]])
|
|
expect(fs.readFileSync(path.join(patchedDir, 'patch-target.txt'), 'utf-8')).toBe(fs.readFileSync(f.find('patch-target.txt'), 'utf-8'))
|
|
})
|
|
it('should fail on invalid patch', () => {
|
|
const patchFilePath = f.find('invalid.patch')
|
|
expect(() => {
|
|
applyPatchToDir({
|
|
allowFailure,
|
|
patchFilePath,
|
|
patchedDir: tempDir(),
|
|
})
|
|
}).toThrow(`Applying patch "${patchFilePath}" failed: hunk header integrity check failed`)
|
|
})
|
|
it('should fail if the patch file is not found', () => {
|
|
expect(() => {
|
|
applyPatchToDir({
|
|
allowFailure,
|
|
patchFilePath: 'does-not-exist.patch',
|
|
patchedDir: tempDir(),
|
|
})
|
|
}).toThrow('Patch file not found')
|
|
})
|
|
})
|
|
|
|
describe('applyPatchToDir() path traversal', () => {
|
|
it.each([false, true])('should reject paths that escape the patched directory (allowFailure=%s)', (allowFailure) => {
|
|
const patchFilePath = f.find('path-traversal.patch')
|
|
const patchedDir = tempDir()
|
|
const sentinel = path.join('/tmp', 'pnpm-patch-traversal-pwned')
|
|
try {
|
|
fs.unlinkSync(sentinel)
|
|
} catch {}
|
|
expect(() => {
|
|
applyPatchToDir({
|
|
allowFailure,
|
|
patchFilePath,
|
|
patchedDir,
|
|
})
|
|
}).toThrow(/patch path escapes target dir/)
|
|
expect(fs.existsSync(sentinel)).toBe(false)
|
|
})
|
|
})
|