fix: prevent data to leak outside the report dir

- Copy relevant EPUB resources (e.g. images) to the report directory under the `data` subdirectory using the path relative to the EPUB’s container root, to prevent any leakage. - Add an integration test for issue #33. Closes #18, #33
daisy · Sep 28, 2017 · a86fddc · a86fddc
1 parent af2ce2a
commit a86fddc
Show file tree

Hide file tree

Showing 3 changed files with 28 additions and 10 deletions.
diff --git a/src/checker/checker-nightmare.js b/src/checker/checker-nightmare.js
@@ -66,7 +66,10 @@ function checkSingle(spineItem, epub, nightmare) {
       winston.info(`- ${numIssues} issues found`);
       if (results.data != null && results.data.images != null) {
         results.data.images.forEach((img) => {
-          img.filepath = path.resolve(path.dirname(spineItem.filepath), img.path);
+          const imageFullPath = path.resolve(path.dirname(spineItem.filepath), img.path);
+          const imageRelPath = path.relative(epub.dir, imageFullPath);
+          img.filepath = imageFullPath;
+          img.path = imageRelPath;
           img.location = `${spineItem.relpath}#epubcfi(${img.cfi})`;
         });
       }

diff --git a/tests/__tests__/report_files.test.js b/tests/__tests__/report_files.test.js
@@ -21,13 +21,19 @@ afterEach(() => {
   tmpdir.removeCallback();
 });
 
-function runAce(epub) {
+function runAce(epub, {
+    cwd = process.cwd(),
+    outpath = outdir.name,
+    tmppath = tmpdir.name,
+    verbose = false,
+    silent = true,
+  } = {}) {
   return ace(epub, {
-    cwd: process.cwd(),
-    outdir: outdir.name,
-    tmpdir: tmpdir.name,
-    verbose: true,
-    silent: true,
+    cwd,
+    outdir: outpath,
+    tmpdir: tmppath,
+    verbose,
+    silent,
   });
 }
 
@@ -39,7 +45,16 @@ test('unexisting EPUB fails with an error', () => {
 
 test('report dir is correctly created', async () => {
   expect.assertions(1);
-  return runAce(path.join(__dirname, '../data/base-epub-30.epub')).then(() => {
-    expect(fs.existsSync(path.join(outdir.name, 'report.html'))).toBeTruthy();
-  });
+  await runAce(path.join(__dirname, '../data/base-epub-30.epub'));
+  expect(fs.existsSync(path.join(outdir.name, 'report.html'))).toBeTruthy();
+});
+
+test('files don’t leak outside the report dir', async () => {
+  // Add another directory level to prevent any leak in the user's temp dir
+  const outpath = path.join(outdir.name, 'report');
+  fs.mkdirSync(outpath);
+  expect.assertions(2);
+  await runAce(path.join(__dirname, '../data/issue33.epub'), { outpath });
+  expect(fs.existsSync(path.join(outpath, 'report.html'))).toBeTruthy();
+  expect(fs.existsSync(path.join(outpath, 'data/EPUB/images/img_001.jpg'))).toBeTruthy();
 });
diff --git a/tests/data/issue33.epub b/tests/data/issue33.epub