mirror of https://github.com/pnpm/pnpm.git, synced 2026-05-29 11:11:43 -04:00
* fix(patching/apply-patch): reject patch paths that escape the patched directory

  A malicious .patch file with `diff --git a/../../X` headers could otherwise write, delete, or rename files outside the patched package as the user running `pnpm install`.

* refactor(patching/apply-patch): narrow caught errors via util.types.isNativeError

  Drops the `any`-typed catch + eslint-disable in favor of the cross-realm-safe narrowing pattern documented in CLAUDE.md.

* refactor(patching/apply-patch): replace error helper with PatchPathEscapesError class

* chore(patching/apply-patch): reword comment to satisfy cspell
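The check the first bullet describes, written out as an added example (this is not pnpm's code; `PATCHED_DIR`, the function names and the `stripGitPrefix` helper are assumptions made here). The point it demonstrates is that the decision must be made on the resolved path relative to the patched directory, not on whether the header string contains `..`, and that every path a header names (create, delete and rename targets alike) goes through the same check before anything touches the filesystem:

```typescript
import * as path from 'node:path'

// Constructed example: where the patched package lives (hypothetical path).
const PATCHED_DIR = '/work/node_modules/.pnpm/foo@1.0.0/node_modules/foo'

// Git-style diff headers carry an "a/" or "b/" prefix that is not part of the file path.
function stripGitPrefix(headerPath: string): string {
  return headerPath.replace(/^[ab]\//, '')
}

// True when the path named in a diff header would resolve outside `patchedDir`.
// path.resolve normalizes any number of "../" segments and absolute paths;
// path.relative then tells us whether the result is still under the root.
// A plain string-prefix test is not enough: "/work/foo-evil" starts with "/work/foo".
function patchPathEscapes(patchedDir: string, headerPath: string): boolean {
  const root = path.resolve(patchedDir)
  const target = path.resolve(root, stripGitPrefix(headerPath))
  const rel = path.relative(root, target)
  return rel === '..' || rel.startsWith(`..${path.sep}`) || path.isAbsolute(rel)
}

// Typed error, so callers can narrow on it instead of matching message text.
class PatchPathEscapesError extends Error {
  readonly filePath: string
  constructor(filePath: string) {
    super(`patch path escapes the patched directory: ${filePath}`)
    this.name = 'PatchPathEscapesError'
    this.filePath = filePath
  }
}

// Validate every path a patch header names before applying any hunk.
// "/dev/null" is git's marker for "no file on this side" and names nothing on disk.
function assertPatchPathsInside(patchedDir: string, headerPaths: string[]): void {
  for (const p of headerPaths) {
    if (p === '/dev/null') continue
    if (patchPathEscapes(patchedDir, p)) {
      throw new PatchPathEscapesError(p)
    }
  }
}

// Returns true only when the malicious header is rejected and a benign one is accepted.
function demo(): boolean {
  const evil = 'b/../../../../../../../../../../tmp/pnpm-patch-traversal-pwned'
  const benign = 'b/lib/index.js'
  let rejected = false
  try {
    assertPatchPathsInside(PATCHED_DIR, ['/dev/null', evil])
  } catch (err) {
    rejected = err instanceof PatchPathEscapesError
  }
  assertPatchPathsInside(PATCHED_DIR, ['a/lib/index.js', benign])
  return rejected
}
```

Running `demo()` applies the check to the header path from the fixture below and to an ordinary in-package path; `a/lib/../index.js` style headers are also handled, since `path.resolve` collapses the `..` before the comparison.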
8 lines
283 B
Diff
diff --git a/../../../../../../../../../../tmp/pnpm-patch-traversal-pwned b/../../../../../../../../../../tmp/pnpm-patch-traversal-pwned
new file mode 100644
index 0000000..3b18e51
--- /dev/null
+++ b/../../../../../../../../../../tmp/pnpm-patch-traversal-pwned
@@ -0,0 +1 @@
+pwned
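Review bot: this fixture exercises only the create path (`new file mode 100644`, `--- /dev/null`, `+++ b/../../...`), while the commit message says traversal headers could also delete or rename files outside the package; add sibling fixtures with `deleted file mode` and `rename from` / `rename to` headers pointing at `../`-prefixed paths so that each of those code paths is shown to raise PatchPathEscapesError, not just the write. The accompanying test should also assert that the check is made on the resolved path (resolve against the patched directory, then check the relative result) rather than on the presence of `..` in the header string, and that `/tmp/pnpm-patch-traversal-pwned` does not exist after the rejected apply, so a regression that reports the error but still writes the file is caught.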