Skip to content

arborist: sanitize packageName in path construction for linked strategy#9078

Open
KevinZhao wants to merge 2 commits intonpm:latestfrom
KevinZhao:fix/sanitize-package-name-paths-v2
Open

arborist: sanitize packageName in path construction for linked strategy#9078
KevinZhao wants to merge 2 commits intonpm:latestfrom
KevinZhao:fix/sanitize-package-name-paths-v2

Conversation

@KevinZhao
Copy link

@KevinZhao KevinZhao commented Mar 7, 2026
edited
Loading

Summary

Add sanitizeName() to strip path traversal sequences (../) from package names before using them in filesystem path construction in isolated-reifier.js.

Package names from package-lock.json are used directly in path.join() calls, which resolves ../ sequences. This adds sanitization at all 9 locations where packageName is interpolated into paths.

Changes

  • Add sanitizeName() helper that replaces ../ with _ and strips leading /
  • Apply to: getKey(), #generateChild(), #externalProxy(), #assignCommonProperties(), createIsolatedTree(), #processEdges(), #processDeps()

Test plan

  • sanitizeName("../../../../tmp/foo") returns ____tmp/foo
  • sanitizeName("@scope/name") returns @scope/name (scoped packages unaffected)
  • sanitizeName("normal-package") returns normal-package (no-op for valid names)

@KevinZhao KevinZhao requested a review from a team as a code owner March 7, 2026 15:05
@wraithgar
Copy link
Member

wraithgar commented Mar 7, 2026

This diff includes formatting changes from the project linter (prettier)

You're gonna need to undo this in order for us to review this. The cli has its own linting rules and linter.

@KevinZhao
arborist: sanitize packageName in path construction for linked strategy
9469012 
Add sanitizeName() to strip path traversal sequences from package names
before using them in filesystem path construction. Applied at all 9
locations where packageName is interpolated into path.join() calls.
@KevinZhao KevinZhao force-pushed the fix/sanitize-package-name-paths-v2 branch from c2bdfde to 9469012 Compare March 8, 2026 05:57
@KevinZhao
Copy link
Author

KevinZhao commented Mar 8, 2026

Done — force-pushed a clean commit. The diff now contains only the sanitizeName logic changes (12 insertions, 8 deletions). All formatting noise has been removed.

@wraithgar
Copy link
Member

wraithgar commented Mar 9, 2026

This problem is solved elsewhere by using @npmcli/name-from-folder. Our pretend nodes need this, and probably need a better packageName getter.

@KevinZhao
arborist: use @npmcli/name-from-folder for pretend node packageName
2bcad9e 
Replace custom sanitizeName with @npmcli/name-from-folder to derive
safe package names from filesystem paths instead of trusting
package.json name field. This addresses path traversal via malicious
packageName in isolated mode path construction.

Per maintainer feedback: pretend nodes now get a better packageName
getter using the existing @npmcli/name-from-folder dependency.
@KevinZhao
Copy link
Author

KevinZhao commented Mar 10, 2026

Thanks @wraithgar — rewritten to use @npmcli/name-from-folder as suggested.

The pretend node packageName getter in #assignCommonProperties now derives the name from node.path via nameFromFolder, falling back to node.packageName and node.name. This ensures path-safe names at the source rather than sanitizing at each usage point.

The diff is now just 3 lines changed (1 import + 2 logic changes) using the existing @npmcli/name-from-folder dependency.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@KevinZhao @wraithgar