From 6a37b3a57ac457a679b84930a67c233c15f5ac41 Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" <41898282+github-actions[bot]@users.noreply.github.com> Date: Thu, 28 May 2026 02:48:34 +0000 Subject: [PATCH] Rebuild --- lib/entry-points.js | 32 ++++++++++++++++++++++++-------- 1 file changed, 24 insertions(+), 8 deletions(-) diff --git a/lib/entry-points.js b/lib/entry-points.js index 78a5f058a..a1ca953bb 100644 --- a/lib/entry-points.js +++ b/lib/entry-points.js @@ -125031,7 +125031,7 @@ var require_tmp = __commonJS({ cb(null, path28.join(parentDir, path28.basename(pathToResolve))); }); } else { - fs30.realpath(path28, cb); + fs30.realpath(pathToResolve, cb); } }); } @@ -125063,16 +125063,31 @@ var require_tmp = __commonJS({ ].join(""); return path28.join(tmpDir, opts.dir, name); } + function _assertPath(option, value) { + if (typeof value !== "string") { + throw new Error(`${option} option must be a string, got "${typeof value}".`); + } + if (value.includes("..")) { + throw new Error("Relative value not allowed"); + } + return value; + } function _assertOptionsBase(options) { if (!_isUndefined(options.name)) { const name = options.name; if (path28.isAbsolute(name)) throw new Error(`name option must not contain an absolute path, found "${name}".`); const basename2 = path28.basename(name); - if (basename2 === ".." || basename2 === "." || basename2 !== name) + if (basename2 === ".." || basename2 === "." || basename2 !== name) { throw new Error(`name option must not contain a path, found "${name}".`); + } } - if (!_isUndefined(options.template) && !options.template.match(TEMPLATE_PATTERN)) { - throw new Error(`Invalid template, found "${options.template}".`); + if (!_isUndefined(options.template)) { + if (typeof options.template !== "string") { + throw new Error(`template option must be a string, got "${typeof options.template}".`); + } + if (!options.template.match(TEMPLATE_PATTERN)) { + throw new Error(`Invalid template, found "${options.template}".`); + } } if (!_isUndefined(options.tries) && isNaN(options.tries) || options.tries < 0) { throw new Error(`Invalid tries, found "${options.tries}".`); @@ -125082,15 +125097,16 @@ var require_tmp = __commonJS({ options.detachDescriptor = !!options.detachDescriptor; options.discardDescriptor = !!options.discardDescriptor; options.unsafeCleanup = !!options.unsafeCleanup; - options.prefix = _isUndefined(options.prefix) ? "" : options.prefix; - options.postfix = _isUndefined(options.postfix) ? "" : options.postfix; + options.prefix = _isUndefined(options.prefix) ? "" : _assertPath("prefix", options.prefix); + options.postfix = _isUndefined(options.postfix) ? "" : _assertPath("postfix", options.postfix); + options.template = _isUndefined(options.template) ? void 0 : _assertPath("template", options.template); } function _getRelativePath(option, name, tmpDir, cb) { if (_isUndefined(name)) return cb(null); _resolvePath(name, tmpDir, function(err, resolvedPath) { if (err) return cb(err); const relativePath = path28.relative(tmpDir, resolvedPath); - if (!resolvedPath.startsWith(tmpDir)) { + if (relativePath.startsWith("..") || path28.isAbsolute(relativePath)) { return cb(new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`)); } cb(null, relativePath); @@ -125100,7 +125116,7 @@ var require_tmp = __commonJS({ if (_isUndefined(name)) return; const resolvedPath = _resolvePathSync(name, tmpDir); const relativePath = path28.relative(tmpDir, resolvedPath); - if (!resolvedPath.startsWith(tmpDir)) { + if (relativePath.startsWith("..") || path28.isAbsolute(relativePath)) { throw new Error(`${option} option must be relative to "${tmpDir}", found "${relativePath}".`); } return relativePath;