@@ -317,18 +317,18 @@ exports.setBrowserstackCypressCliDependency = (bsConfig) => {
317317
318318exports . deleteSupportFileOrDir = ( fileOrDirPath ) => {
319319 try {
320- if ( ! fileOrDirPath . includes ( ".." ) ) {
321- const resolvedPath = path . resolve ( fileOrDirPath ) ;
322- if ( fs . existsSync ( resolvedPath ) ) {
323- if ( fs . lstatSync ( resolvedPath ) . isDirectory ( ) ) {
324- fs . readdirSync ( resolvedPath ) . forEach ( ( file ) => {
325- const currentPath = path . join ( resolvedPath , file ) ;
326- fs . unlinkSync ( currentPath ) ;
327- } ) ;
328- fs . rmdirSync ( resolvedPath ) ;
329- } else {
330- fs . unlinkSync ( resolvedPath ) ;
331- }
320+ // Sanitize the input to remove any characters that could be used for directory traversal
321+ const sanitizedPath = fileOrDirPath . replace ( / ( \. \. \/ | \. \/ | \/ \/ ) / g , '' ) ;
322+ const resolvedPath = path . resolve ( sanitizedPath ) ;
323+ if ( fs . existsSync ( resolvedPath ) ) {
324+ if ( fs . lstatSync ( resolvedPath ) . isDirectory ( ) ) {
325+ fs . readdirSync ( resolvedPath ) . forEach ( ( file ) => {
326+ const currentPath = path . join ( resolvedPath , file ) ;
327+ fs . unlinkSync ( currentPath ) ;
328+ } ) ;
329+ fs . rmdirSync ( resolvedPath ) ;
330+ } else {
331+ fs . unlinkSync ( resolvedPath ) ;
332332 }
333333 }
334334 } catch ( err ) { }
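Review bot: The regex strip on new line 321 is not a containment check: `replace` makes a single pass, so removing an inner match can leave a fresh `../` in the result, a trailing `..` or backslash separators are not matched at all, and an absolute path reaches `path.resolve` unchanged. It also silently rewrites the input instead of rejecting it, so the function can end up deleting a different path than the caller named, where the old `includes("..")` guard simply refused. I would resolve against the directory this cleanup is meant to be confined to (not visible in this hunk, called `baseDir` here) and reject anything outside it: `const resolvedPath = path.resolve(baseDir, fileOrDirPath);`, `const rel = path.relative(baseDir, resolvedPath);`, `if (!rel || rel === '..' || rel.startsWith('..' + path.sep) || path.isAbsolute(rel)) return;`. The empty `catch (err) { }` on line 334 hides any failure of the deletion, and the function's closing brace lies outside the hunk.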