From a86fddcb2c7b4ab8e47069700464a74d19c32b6d Mon Sep 17 00:00:00 2001
From: Romain Deltour
Date: Wed, 27 Sep 2017 17:32:37 +0200
Subject: [PATCH] fix: prevent data to leak outside the report dir
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- Copy relevant EPUB resources (e.g. images) to the report directory under the `data` subdirectory using the path relative to the EPUB’s container root, to prevent any leakage.
- Add an integration test for issue #33.

Closes #18, #33
---
 src/checker/checker-nightmare.js | 5 +++-
 tests/__tests__/report_files.test.js | 33 +++++++++++++++++++--------
 tests/data/issue33.epub | Bin 0 -> 10107 bytes
 3 files changed, 28 insertions(+), 10 deletions(-)
 create mode 100644 tests/data/issue33.epub

diff --git a/src/checker/checker-nightmare.js b/src/checker/checker-nightmare.js
index 5b4fb1e0..c38c7585 100644
--- a/src/checker/checker-nightmare.js
+++ b/src/checker/checker-nightmare.js
@@ -66,7 +66,10 @@ function checkSingle(spineItem, epub, nightmare) {
 winston.info(`- ${numIssues} issues found`);
 if (results.data != null && results.data.images != null) {
 results.data.images.forEach((img) => {
- img.filepath = path.resolve(path.dirname(spineItem.filepath), img.path);
+ const imageFullPath = path.resolve(path.dirname(spineItem.filepath), img.path);
+ const imageRelPath = path.relative(epub.dir, imageFullPath);
+ img.filepath = imageFullPath;
+ img.path = imageRelPath;
 img.location = `${spineItem.relpath}#epubcfi(${img.cfi})`;
 });
 }
diff --git a/tests/__tests__/report_files.test.js b/tests/__tests__/report_files.test.js
index e6b084a4..f69d2ad3 100644
--- a/tests/__tests__/report_files.test.js
+++ b/tests/__tests__/report_files.test.js
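Review bot: `imageRelPath` is assigned to `img.path` without checking that the resolved image actually lies inside `epub.dir`; `path.relative` returns a value beginning with `..` whenever `img.path` resolves above the container root, so the later copy into the `data` subdirectory can still land outside the report dir unless the copy step, which is not in this hunk, rejects such paths. A guard next to the new lines would close that gap on the producer side, e.g. `if (imageRelPath.startsWith('..') || path.isAbsolute(imageRelPath)) { winston.warn(`- skipping image outside the EPUB container: ${img.path}`); return; }`. On Windows `path.relative` can also yield an absolute path when the two inputs are on different drives, which the same guard covers. checkSingle begins and ends outside the hunk.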
@@ -21,13 +21,19 @@ afterEach(() => {
 tmpdir.removeCallback();
 });
-function runAce(epub) {
+function runAce(epub, {
+ cwd = process.cwd(),
+ outpath = outdir.name,
+ tmppath = tmpdir.name,
+ verbose = false,
+ silent = true,
+ } = {}) {
 return ace(epub, {
- cwd: process.cwd(),
- outdir: outdir.name,
- tmpdir: tmpdir.name,
- verbose: true,
- silent: true,
+ cwd,
+ outdir: outpath,
+ tmpdir: tmppath,
+ verbose,
+ silent,
 });
 }
@@ -39,7 +45,16 @@ test('unexisting EPUB fails with an error', () => {
 test('report dir is correctly created', async () => {
 expect.assertions(1);
- return runAce(path.join(__dirname, '../data/base-epub-30.epub')).then(() => {
- expect(fs.existsSync(path.join(outdir.name, 'report.html'))).toBeTruthy();
- });
+ await runAce(path.join(__dirname, '../data/base-epub-30.epub'));
+ expect(fs.existsSync(path.join(outdir.name, 'report.html'))).toBeTruthy();
+});
+
+test('files don’t leak outside the report dir', async () => {
+ // Add another directory level to prevent any leak in the user's temp dir
+ const outpath = path.join(outdir.name, 'report');
+ fs.mkdirSync(outpath);
+ expect.assertions(2);
+ await runAce(path.join(__dirname, '../data/issue33.epub'), { outpath });
+ expect(fs.existsSync(path.join(outpath, 'report.html'))).toBeTruthy();
+ expect(fs.existsSync(path.join(outpath, 'data/EPUB/images/img_001.jpg'))).toBeTruthy();
 });
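Review bot: The new test `files don’t leak outside the report dir` only asserts that two files exist inside `outpath`; nothing asserts that the parent `outdir.name` received no other entries, which is the property the test name promises and the regression the extra directory level was added to catch. Adding `expect(fs.readdirSync(outdir.name)).toEqual(['report']);` and raising `expect.assertions(2)` to 3 would make a regression that writes both inside and outside the report dir fail rather than pass. In the `runAce` hunk above, the default `verbose` also flips from `true` to `false`; a short comment on that parameter, such as `// quiet by default; tests that need checker output pass verbose: true`, would record that this is intentional.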
diff --git a/tests/data/issue33.epub b/tests/data/issue33.epub new file mode 100644 index 0000000000000000000000000000000000000000..458dc86d02ef75feb7de7b3e8f2e00cda6eaa588 GIT binary patch literal 10107 zcmZ{q1yCJLzV?ye!JXhP3GVK$!3h%F?cl*VxVr{-cX!utfZ%d)cPHrO-Mf4D{p#E8 zsh*yh>gQkmv{g;@PgxH710nwv^911a4zNiLO^`LgMdJJS4t?Wi!w2as~V^} z+XGBbQ+qA@nX!U>ON+RFNemNrigGgdru85-3=GmOI$9+B>=X+=gcZ1-fnk*~zEMq7 zJ8MOLgWG}@_~xS}>4O2mwyw_B11Y^}OA{Jj_tG=tR%{l`lKw-3vE3E=(g1Idu@~`M zg9Z8ZJ&|>LUWw}p)rH41x9(8c^r9Ju;9i%PHrHC)-8!n>rPqCB!DL(=W|>4%tB1wLZZxR zo;6RWY1UOQJi#T05F^6O>DE1!P&_VuyN5TXq5C({Q0rF^jfD0Di_esyHa!1_AQ3J2 zKncIwkf3{!ZbV43S3HA%cO9^iSuO*=v%m4Z%kJMZ$-lbJ!r9h_$=HI0$=Ke`+0@S2 zfSH+v(fzNl>M`SpeavVQ_b=hGs3Q$+vB~U6gF!hPLyh8}5~TIn{H@d_zRrlZ^?rcVlC^#~GvP z*H4@-fxOT)$HxbU5NPla2Qvi1nK0~CkL!+*5MpA&7!VL<5E$NY-*av)RQ-PU*yoSu zKDiZ8guJf%^q-@ae)6je%h(rFBH>bE>P2D&_|+w6kwN!o+rO^iKK(W&*-^q9ggD37 z5YuM$#b{8T1wp{E{gQzb5XZ~e_M37NE~$iw+{-|}8h&+!ochfojOR}wKk>Q3rUBv0 z2}EEPrzFTB(Ekt~`Wl@Co=6zf+e0@%3!<9v5&x~`|CHPeubTS3Zaz%69tk@y8o>Vx z^|4WvQP3=lV*$-+OMO-Lc9gC4O3>@6Vz6+<5><%LD`rIKkb}lYee_TNtrU#XH*z;v zXD_k+I4)g!Z7rqDWNw<$ioCM&VtbEkCI-!BKDU==XsG-=W25c(88+5z0T7*+`c2!z zulBN-IgZBcbe)y11~+G)(@)PV?EI{}ob@#=4IOoD!Ru=)LZpNkzWIR=H?ePvB#GT3 z%*?O2vM7Gh(ZLB>(OGfPanb%{1fmh>0(`}2z?=?h-29(40d&nnaY*FN4T|m=dLP-) z6(;AZHVgr3?CVFkP8MCPPv0}{YkyN!*K291Q4krTyybRehH)rbk zY+rgjjNEe-O#WpzmXC?pboVD@fALMjsOr&!Q#E) zA)WFL_4NTFukn6yd+_*vI>!eKx$co*J{p_*X3Tcqtsn%3g@r{WMMWef$q~3BQonR_ z9^pA8zA8O%TR4K7E3Y1^hfGf|-#Ajb;Ob=A%0iH{EbC>fW)i5oD6ZuJE({zqOG^pB zUg)gMmv*T=X-QTAlDKU*-)5Fw?|um^S9ef|a*M96)ywH(IAVpl0+IKYL#f?umnnLp zwR=jp;BnUEk)h~emGcmn+S6Ck?rC?)IH@qH+MO7BbI5(4CQkPu!`HI&;llJmSnKN8 zX##K0FR0@uIfwn1MWG`p(SgVR6O+A*1!))`*7Lq{#}&cg|pM!`JZ zT3rF7k^(LU0c~thjdz-^%p)Ts#-36NTZZ%>7!_|k^H=aYaA|q9uF3kR~ zYc0TYEoAIifgaO_QyGu4&$5!JacsdKaeMDP+{e_f0j;;?`P9FuPq{B|mN6wpDW3`| z)aiR#QF%YrTQE^LYw9OQ>HLmO)Jit*YJDrZ+Z5@|n=Lcc#`y*|x}>QJ86ILv+zkoi zTgjyvS|y}MX;xI~RyigZxp8+(!*R%P_a`c?HavFo$Q@VZb9Bf0F#$EoKlO$(DYQ8p 
zHV`dH(0*b#)2;S+d430*-@@cj1fL=3sQJ>;Q*-}o6j1CDMAJ^X;u zPi%4U^(@7F0@*jHoi}gsl}f@S`s$@2#HqKR^cLlvN zvkpnhvv}fini2@QF1^<8t&oUKe>MOzRyHvCrZdXhiPOH0eLCvnl3!TMIP0>Rnp)vL z)8+Kp_O(fF=q6)3tr5dJEP>D&lieY(yb6l@(qe&kV{#vsW~Xg_MRcxE_(~x3Ra|dm zRkQo9UnPYb_8Z9F_e*EPIdO9{K3{&PIgq@k->;LZ}+tq(BH-^jYD4e1p}5eH~<6ySGU3Ml{v>gi=a-iJOQk;KRR~^Z4KYJyeCyuz|f75%}X8Jl~5Zrl|o@Qd$B3Xs? zkm6#ly#V9#T-J4>!pADmHF}Z~=UhKnI%$;QK(^X}o^0KZSaK>Ir0Knz{TLIcJiBn04kJh+WPH^J6Y}5^GR8 zn$F>tA+=HBK$@cd)^(`2)?oYfS9ynu~Q-zkeM`dKrd+3NA2P@1P5V zoJ5l2s#8CCJF^i*p67uT!ee@hqFyN)E3oGP6$wtb*G9Z5owQ^mrxXvi6EUS_uU9}jC_qlFtEu1kXG0;T0#p4XMYxPok`*B!|FF*bu zP#;#i2l3iB(uc=@Vwh5Czui|_Kkql(InykIq!ArvQ0$h!hqvizTge4(oLg@>8nr+3 z$TwKI{=L*);x|40B+J@#T26HUhpfuFaMIK#Iyrd_Bk*{|cKwPj+idtEYwJD-;)?0s zRA~vmNX}_5^eDK5f$2Xob~4Tgb^((Na~1@BZJ`NvbG%3haI`*h5nLjX6!;cIbL#;r zh|BU>P7#h#h-&7ZF)AfiHPQk_9&oA@X74crV`sj1s+!ZUgm#5|cZF^%S@m)8PQ`1H zYDZ}6P7YeZ)T)Y%p_lHT=ZtvWTe}akCx@d(w>8EJUwZiJ-pyC@GUf2uHL({E{C+KoRO-p4^Y=H#}@x*wk&vjR(!bntmK zSIu*cx0b=bbp<^+Nzd+huMBh=clm%5=Uq3$NWTH_KkD#zu_Ow17R74FTa_5UMWzZq zB*0jx!9nKoqtpsd@}lZ{y6j%GkJ)k%`*?~rM`#U8>Nq~O!qlCWL8l_iAvm|!Ag*!k zt7*(lt3(8+hjMJwn0_Pa#cVRhJng2qv=Goj-KF%PJQKgvxVezy)Fu)D9NFaGSbk<> zRp|Ag%CP3lf{FpJ_1xb9YrB6a5(NiU1Y{wH5=WNm_EaV!tr#=PKR5b=9c&xnQd1Ox zYoYOxK__+Ayqrt0cy|W_{UP7>HA?)LQz6n zjf#;-0F{ci?G~CD7+5C)xfQ^dUL~}Urja;|J`@p$ zNM-^=8+NXov3+XKrMBWUV^SLjxW2dwa1ARVCBl>2qUPW0xJFir9?V_fmr{a#<8RRi z&P^%-T}+D_JGM6;@fbcZto>$s`_7M<$E06Lf|;jW$0A=tf|j(bx{CBu)s#jvPa^dkGvG5O!NdFfgFh)Dgw2^Yiiz} zL@EeE${RDwbsfo3nWV_%#3N@LqI5z;xAJ_eSl(Xoh@UZnFextYUD3}=d-}=0k{MkQ zwpe-PkT_^WqEOeDUSNgS*dLTOVjiVPLm4K#YJzp*DfjnE{IDQ@fCgu-_A!CyM&DI* zZ9Ybk#}ZhDC}mf6c$VGnrnDj8yT~L5FKPw z#ta0G&@U=n7>9w(RgK!e(WwU0Y0Z}JRY)79PYjHFYSuW+4ilbX5#pDv4K)C@Ffb-%FjCptI9JpshPTLRbWS1g46}|7cBg zqD-&6y}-Olne7p^KABK2cO%UOdzqX0scO$sn%p>EShKI8qFf#IfU*aZfAyJ?yT{rk zQE*xM7^o=eKNx)%mh>m}K;79*W z=Uc@W(i#T*mTioE6oFAZ zwB*Q&=Jf?ltR$MS6gR7O4QAk^{`mzSl|M;DnUuDWu0dOQ4t5U$=wQQ)wrywOfb?dg zKiEIU!qF1TW`r7@Q) zFn!3ol4XW4ahfux6Za6x(a!qr*7lj-%34GaLvbrinZ^9ldjj%Ab=mPLpDP 
zV9ojj^60+W-*rATPhz=4zD7^pn=D*R$_%4r=R0;3|5esNJ6~|4YcJ#LRUiqohKYTG zxMk>4(aN~(B42hIPkAY-dxi1sXO%;^ZmlFsYfzu+gHDQ6P5S|ZD~4W-V5< z^1&Ay5ww;W@qDY*bl8-ZRMC|gyO4~jEMEi;c0^ZrIP5#d)9>ddlLvvh6D17P&`9+v zFJ2KCz<$1|PcE?QMnr?Rz>~pp5O}6d#k6a7D5>`4VDbmTN{c(|zVe;f_qnQUh{En> z1rV!%jn$DSAg0F4gId)q@eb6nQp$%q_5pAdS(C(FUA~YG1Je5$RSZ?yJi@Bx$Et#S zngcZ@492>nO!ST!6e)$UQ?L~ib(6YdNiW665d>O-MJLh3n*w;?9U^34*b`Hyj*_xr4X^ckAC! z;sAYb!cCPllzV-kn@(QTM)VJSqQAadE!Kl<2P^N=BdlXd%*hl5q9@oQDqmla{;YY30!B;49la&_WBlGMvoW$SE zju(guV;&2$T-PMLQD}Kkp8K`m6iUtXaa}3D`eY7+B+L;#QiY`XsQfCJI zo!BbspZEC~)nF_cC4<5cZ@5>NX^$oCo0TQA%eF@f&7q&0z}mggw4QK~&}tjj7{T)S zD_qZvA<<}y;cQv)>Q~Ai)pBC*uLz9@y%(FvzzQ%&f}^h6P}24(Q1foOr9BC!!9$YY zR%SAFT3E2TiHgRl1p*hNcv>W2+N#N@-8%8)6HFMOlwZ)C)Gn`t2e|ZjHo7i*mj2;8*i*}>$y7D7SNbw)0A})LxtM$9 zbGvB(q=8~grQtus!H9Z}lH+2UGW8Gf@=|>!4I?2r0m0Xv9D}rRHb%{JB-$6%&5d_Z zno`Ca7UsSoUg*p8p5;u3(-QS2%l;GA z{tLT}EO9aPw6||`U&GzN09#Rt>lWiwH8YOeCm5ML<5J<(D&921kw?qS8o%-b1mzY% zMEY^@K5reG`x{B|2`rKNSH07c$v@&)D;~cl3Wf^Kmsmn=#r5QxrWNR!-G0}7r{sCm zd?O?GIqZkRwvg;Z)|S#+6!Rm`340vO9?H#C+t^~*ECdaO36Uw{{&>_p;<_G6)a5;hQd=l@~mc^{|LPogr6&1cXIE( z^x8))T6fqV=KWKRXUW&U++f%n&aO2D7C{2@iV$aAm34Qlb?@v;ff2X&SQdC1_k@JK zD>m0b6{!fonDKpVLFbM8?Ak>*x&HE1zUxqBc)nEGpOU@&5?Ia4DXpXY(_|YrCu8%_ za;!JQ?1fjF_6WS7QKgSKBv#fh3bC>1a%VzN%T}}@jJ-Rt(Q&hv4zJQ>ggv^=SJupj zf(#d!_L z=G!U9U`IMUZca{^*TjVb{e`r4nsH|GS1R)xd%EfkHzyZ@aNqVJt6B79#8a`{{yKw+ zpB4y!c9}tj66cpqMtsODOwIe1OEEYa;O>WrSU?A{Ss15CSj|*>)Y$;j=nUCvSm-Dj z3w_VV=50l~2@Q*o(zrdH!WlHzl)}X8nI?-4JRs_{;bp=I#_lYL9=m7#vGu8gwJiwo zBO$*H$_(`&iDF^ySva8->RR8?93Syl$aO>H18j#Mpj_-@F_;Z*L^XV$x#d@%!*zDfZ64|}SRU5y(qklkBz-{m*|T2=pFgl_g6 zCsq#lV>5;W#XGKvq zv;WlaDH~)HKA&cXZP4-a#g+K{D05`Nr<2h*lePZ#s;Da4nqh#S;1%HWZD)H{By&!3 zE2vY392}9!J5W&dQh6KoM4QkpEh=B|^i9L0uz|Prq z4>C9wGPDi`VA(5m+S2???)g>RFV^Z``phYWUE4IltYjs;y8t)PL^3w zTv+2%r!1Rahg$+KO(__YH^<3|$^28L2K#WV#w{AdP7RRn`A{nAQ44a8eauC=tv}1V z@I*u2eW_ES)n8c>fFs$7kwoyOuep(n^Rgw@IUcIMQFW; zqfYFdNxVcUgv#@YcW>!@JvbnsEp+5?PX<=nyW}2#p%3wP!2EYgtf;0S1Y^mS!tzhQbk1+O8 
ztyCb9sR%}8_;@R=-%yB{iWfgi?hLsf7M=-+<&NINgUM>r#9f4{Sty5RX0m2zE*gfMOwoyf#J>rI@8 z!TKMwf5{m$Q>aVoo_8>-#2BkTLw~KU+9H`U@s0``Ubrg}h6p8n67AArsUNv4c{?cA zHM2Ag(;G*d#fVx`z}22c$V&eq(xW0<+5=lz)t)aiulC($BrzJu&=>0T)L&lWcRT5C z_z`>K%uRtFRe?g9r^O{CP>xWNBRkeXPW^7n==H0(M@kIBI@+n4f(Dm}YkfYCh+D)$ z?k)0g)KRJEoaX}%PEbq+1`ol#RrV^v>F^=w{j{dt5u6fa4B0mB= zXClqb2Y&}{NaD6b@G$YgsGqtgXXr0z)frthl>NA(YUk}CpTq;$>`7Rd9MnrOw5$2$ zRO&4bXoD;CAnmBih$PauXxKdyZFqKub=4*d}**p0=${`jp^l<#u`Y;jJ2Z$ zc#}yVRPIW@Ut-{FRZ<^xuM#;<{GKxZK^K44nSf!5ZZ^f#0)rsjARU*oUDs`K5`@7M zo93TAfmOZgQ9;sk(v3g-`4h`0qi2XGhb;CgxN3 zWtaGus?sPBm|f^ihb69EY#nf1E(QvmPWnUi=tZ{o#Lx*2=erFD&_#HiT)}LeoxAw2 zEoCPr=H7N6vUY<+Vt{#95>gt#x+;Xp`c;1ORP7B={}uks2NkK4t$ftE7LN25?kKz_ zF#d?rodB?n(_mPNK|(NoVJZ3dQG*#L^dwFFNb+;1I@>p2YJ+>~5buKe$Po^22?euh zb5D&%nrgJAITFnE%nc^P6dlMq`?6IT7*Ym_mpRz%+~|@`PiGKQuv@5&T^Xz!^RVKc17`dQE)@lpMw$Zk9O4sY55Kt%NNCjd%bpAYUkRL4}HtR2Ej zw%_@ukuAP_h;CK#x)a3itd3+SHeSmD?(_m7(l0nZ;tPI&%IYIM- zPwvTz9HBO`MSrAeIe~@h5Jh=zTiOxN>U-1XTK{ znrfrnWv6@+M_Q>O@T z$2zs@#8nW2p`{EnQGDvE*ezSH7C0^~$g!w|iEU<2$CYsWR3MW@Fb!K5K`HK-2k}tq zC`r5*uc*9f^Nx2pEKDA7BIZl>^wB?$nPQTVyZbj>+UCAzP{U0?{#hB5uZkK%s8)4s zMlp|+qL~VOL`i~iUz{9tYo$wEG!i8gx542%G=N-Y`3gzpz!9zCZK~gGODugGMZ_tU zaWpRrFHc~&W-qDkFAb*4lQlev#I>QIg;1EBzf>2(5{}l;e4&DDJQr4El*yEuDY!F2 zZr$LAH8Cn1kDec)VKJ&IyB? 
zoqmJ<_i6sXJHIe-;2>T1eu|Iuj(_|g`eA42`cGUTS_B11iY0!Z72p6N)D$5JT+Qhe z1%?NG@IRI5$%DPm z(FyMYv4D$=qc-9Xw4*!*O>!5oZ@{^L2eS%#P~%pebRD;JFPT7576tTIpX74ns}NeB zf4ggYcL(E&J>viFZ1moip}j(2`cT1YHr+nxcd;!%$K75r!uNnThvC7hk$J<`JZl%QO+- zqU%RDyAd=jdL(Snhk}(XxFxhg$4W{BS?Tjr-v2JWqnUMtQIjh~5+&$HhO}&*v03hV zrr7z{ANFLRSAv-#+x4og9g~0FmS%_TE%}WP?s`@kERRpEZeEYynd2CQYiB*0`4I9) zUUqIuO5xd-d_Ik3H|a>&eUVLe)-SA>p?jMpU$U@rB<8af=CL6gh#Z9H4B>Oxh&+|F zxbEaW%{%3(|E^rQ)gBVeaPB!vKQkl2_{L2&x{4+GkP~WML#$gM^D3*&2s!%srV1-N zd|l}o!>_45AioeBjztL9b6ro&N$*6!IZV7<`%VQe1_g(AnwFHUI(Vc?TPNaA_S)+6 z-_Vl0_u-1UXqBpbA0~+RA;Wnu6eQF{zQ`y_{)3}2w6rq?FuL2?=tYbCFGC|Bky_a> zof%jZkYkPe!;dA?ia8TOf&PbQge-c>+qD_Enkz=Igb#TX>6@0iobrI84hR>ic)Lp% zxXdnb8p!seXcIMSl1Cd4jx%7CrhieDbqPOgpt7ZwW^yko?GFNb(AP3zalk%wq1&^q z8dtEgHKwM zkvpWa93&Jm^nZu6{^=H?!2hqOe<54{tNQPN)?ao1N(KJB@Av-~*ZRBmKM_iQ>E8SI zUF-5*{6qWSd8NMx`%m!CU%~!L1^(vmOY9%P{(ltc??L|4p7U3L|7{Tm`9FjF-wyP5 w?SER)|JGts{8Rh4_5FACf0|(bR`*f