fix: check if output parameter is located inside root (#896)

diplodoc-platform · Nov 18, 2024 · 69296e7 · 69296e7
1 parent d91a614
commit 69296e7
Showing 1 changed file with 10 additions and 1 deletion.
diff --git a/src/services/includers/batteries/unarchive.ts b/src/services/includers/batteries/unarchive.ts
@@ -4,6 +4,8 @@ import {Headers, extract} from 'tar-stream';
 
 import type {PassThrough} from 'stream';
 
+import {getRealPath} from '@diplodoc/transform/lib/utilsFS';
+
 import {IncluderFunctionParams} from '../../../models';
 
 const name = 'unarchive';
@@ -87,7 +89,14 @@ async function includerFunction(params: IncluderFunctionParams<Params>) {
 
     const contentPath = index === 0 ? join(writeBasePath, input) : join(readBasePath, input);
 
-    const writePath = join(writeBasePath, output);
+    const writePath = getRealPath(join(writeBasePath, output));
+
+    if (!writePath.startsWith(writeBasePath)) {
+        throw new UnarchiveIncluderError(
+            `Expected the output parameter to be located inside project root, got: ${output}`,
+            output,
+        );
+    }
 
     try {
         await pipeline(contentPath, writePath);