feat: prevent bundle unpack path traversal

j4k0xb · Aug 17, 2023 · 2b2f1f6 · 2b2f1f6
1 parent 4e9d7dc
commit 2b2f1f6
Show file tree

Hide file tree

Showing 4 changed files with 35 additions and 3 deletions.
diff --git a/src/extractor/bundle.ts b/src/extractor/bundle.ts
@@ -1,7 +1,7 @@
 import traverse from '@babel/traverse';
 import * as m from '@codemod/matchers';
 import debug from 'debug';
-import { dirname, join } from 'node:path';
+import { dirname, join, normalize } from 'node:path/posix';
 import { Module } from './module';
 
 const logger = debug('webcrack:unpack');
@@ -84,7 +84,10 @@ export class Bundle {
 
       await Promise.all(
         Array.from(this.modules.values(), async module => {
-          const modulePath = join(path, module.path);
+          const modulePath = normalize(join(path, module.path));
+          if (!modulePath.startsWith(path)) {
+            throw new Error(`detected path traversal: ${module.path}`);
+          }
           await mkdir(dirname(modulePath), { recursive: true });
           await writeFile(modulePath, module.code, 'utf8');
         })

diff --git a/src/index.ts b/src/index.ts
@@ -2,7 +2,7 @@ import generate from '@babel/generator';
 import { parse } from '@babel/parser';
 import * as m from '@codemod/matchers';
 import debug from 'debug';
-import { join } from 'node:path';
+import { join, normalize } from 'node:path';
 import deobfuscator from './deobfuscator';
 import debugProtection from './deobfuscator/debugProtection';
 import mergeObjectAssignments from './deobfuscator/mergeObjectAssignments';
@@ -143,6 +143,7 @@ export async function webcrack(
     code: outputCode,
     bundle,
     async save(path) {
+      path = normalize(path);
       if (process.env.browser) {
         throw new Error('Not implemented.');
       } else {

diff --git a/test/extractor.test.ts b/test/extractor.test.ts
@@ -1,5 +1,6 @@
 import assert from 'assert';
 import { readFile } from 'fs/promises';
+import { tmpdir } from 'os';
 import { join } from 'path';
 import { describe, expect, test } from 'vitest';
 import { webcrack } from '../src/index';
@@ -52,6 +53,13 @@ describe('extractor', () => {
   });
 });
 
+test('prevent path traversal', async () => {
+  const code = await readFile('test/samples/webpack-path-traversal.js', 'utf8');
+  const result = await webcrack(code);
+  const dir = join(tmpdir(), 'path-traversal-test');
+  await expect(result.save(dir)).rejects.toThrow('path traversal');
+});
+
 describe('paths', () => {
   test('relative paths', () => {
     expect(relativePath('./a.js', './x/y.js')).toBe('./x/y.js');

diff --git a/test/samples/webpack-path-traversal.js b/test/samples/webpack-path-traversal.js
@@ -0,0 +1,20 @@
+(function (e) {
+  var n = {};
+  function o(r) {
+    if (n[r]) {
+      return n[r].exports;
+    }
+    var a = (n[r] = {
+      i: r,
+      l: false,
+      exports: {},
+    });
+    e[r].call(a.exports, a, a.exports, o);
+    a.l = true;
+    return a.exports;
+  }
+  o.p = '';
+  o((o.s = 386));
+})({
+  '../tmp.js': function (e, t, n) {},
+});