diff --git a/src/cli/arguments.test.ts b/src/cli/arguments.test.ts index 1385269..9e8ca96 100644 --- a/src/cli/arguments.test.ts +++ b/src/cli/arguments.test.ts @@ -1,4 +1,5 @@ import { test, expect } from '@playwright/test' +import { resolve } from 'node:path' import { parse_arguments, validate_arguments } from './arguments' test.describe('--coverage-dir', () => { @@ -12,9 +13,21 @@ test.describe('--coverage-dir', () => { expect(() => validate_arguments(parse_arguments([cov, '--coverage-dir']))).toThrowError() }) - test('valid --coverage-dir=path/to/coverage', () => { - let result = validate_arguments(parse_arguments([cov, '--coverage-dir=/path/to/coverage'])) - expect(result['coverage-dir']).toEqual('/path/to/coverage') + test('valid --coverage-dir=coverage', () => { + let result = validate_arguments(parse_arguments([cov, '--coverage-dir=coverage'])) + expect(result['coverage-dir']).toEqual(resolve('coverage')) + }) + + test('path traversal --coverage-dir=../../etc', () => { + expect(() => + validate_arguments(parse_arguments([cov, '--coverage-dir=../../etc'])), + ).toThrowError() + }) + + test('path traversal --coverage-dir=../sibling', () => { + expect(() => + validate_arguments(parse_arguments([cov, '--coverage-dir=../sibling'])), + ).toThrowError() }) }) diff --git a/src/cli/arguments.ts b/src/cli/arguments.ts index ed16d89..249360d 100644 --- a/src/cli/arguments.ts +++ b/src/cli/arguments.ts @@ -1,4 +1,5 @@ import { parseArgs } from 'node:util' +import { resolve, sep } from 'node:path' import * as v from 'valibot' const show_uncovered_options = { @@ -13,7 +14,15 @@ const reporters = { json: 'json', } as const -let CoverageDirSchema = v.pipe(v.string(), v.nonEmpty()) +let CoverageDirSchema = v.pipe( + v.string(), + v.nonEmpty(), + v.transform((value) => resolve(value)), + v.check((value) => { + let cwd = process.cwd() + return value === cwd || value.startsWith(cwd + sep) + }, 'InvalidPath'), +) // Coerce args string to number and validate that it's between 0 and 1 let RatioPercentageSchema = v.pipe( v.string(),