diff --git a/package.json b/package.json index 8c075869..86b51bbb 100644 --- a/package.json +++ b/package.json @@ -31,7 +31,7 @@ "regenerate-docs": "node --trace-warnings ./build/scripts/regenerate-docs.js", "update-data-sources": "node build/scripts/update-data-sources.js" }, - "packageManager": "pnpm@9.1.2", + "packageManager": "pnpm@9.8.0", "simple-git-hooks": { "post-merge": "pnpm i && pnpm build" }, @@ -45,10 +45,10 @@ "@types/cors": "^2.8.17", "@types/express": "^4.17.21", "@types/morgan": "^1.9.9", - "@types/node": "^20.14.0", + "@types/node": "^20.16.1", "@types/split2": "^4.2.3", - "jasmine": "^5.1.0", + "jasmine": "^5.2.0", "simple-git-hooks": "^2.11.1", - "typescript": "^5.4.5" + "typescript": "^5.5.4" } } diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml index a1559aa9..67662151 100644 --- a/pnpm-lock.yaml +++ b/pnpm-lock.yaml @@ -58,20 +58,20 @@ importers: specifier: ^1.9.9 version: 1.9.9 '@types/node': - specifier: ^20.14.0 - version: 20.14.0 + specifier: ^20.16.1 + version: 20.16.1 '@types/split2': specifier: ^4.2.3 version: 4.2.3 jasmine: - specifier: ^5.1.0 - version: 5.1.0 + specifier: ^5.2.0 + version: 5.2.0 simple-git-hooks: specifier: ^2.11.1 version: 2.11.1 typescript: - specifier: ^5.4.5 - version: 5.4.5 + specifier: ^5.5.4 + version: 5.5.4 packages: @@ -110,8 +110,8 @@ packages: '@types/morgan@1.9.9': resolution: {integrity: sha512-iRYSDKVaC6FkGSpEVVIvrRGw0DfJMiQzIn3qr2G5B3C//AWkulhXgaBd7tS9/J79GWSYMTHGs7PfI5b3Y8m+RQ==} - '@types/node@20.14.0': - resolution: {integrity: sha512-5cHBxFGJx6L4s56Bubp4fglrEpmyJypsqI6RgzMfBHWUJQGWAAi8cWcgetEbZXHYXo9C2Fa4EEds/uSyS4cxmA==} + '@types/node@20.16.1': + resolution: {integrity: sha512-zJDo7wEadFtSyNz5QITDfRcrhqDvQI1xQNQ0VoizPjM/dVAODqqIUWbJPkvsxmTI0MYRGRikcdjMPhOssnPejQ==} '@types/qs@6.9.14': resolution: {integrity: sha512-5khscbd3SwWMhFqylJBLQ0zIu7c1K6Vz0uBIt915BI3zV0q1nfjRQD3RqSBcPaO6PHEF4ov/t9y89fSiyThlPA==} 
@@ -404,11 +404,11 @@ packages: resolution: {integrity: sha512-N3yCS/NegsOBokc8GAdM8UcmfsKiSS8cipheD/nivzr700H+nsMOxJjQnvwOcRYVuFkdH0wGUvW2WbXGmrZGbQ==} engines: {node: '>=14'} - jasmine-core@5.1.2: - resolution: {integrity: sha512-2oIUMGn00FdUiqz6epiiJr7xcFyNYj3rDcfmnzfkBnHyBQ3cBQUs4mmyGsOb7TTLb9kxk7dBcmEmqhDKkBoDyA==} + jasmine-core@5.2.0: + resolution: {integrity: sha512-tSAtdrvWybZkQmmaIoDgnvHG8ORUNw5kEVlO5CvrXj02Jjr9TZrmjFq7FUiOUzJiOP2wLGYT6PgrQgQF4R1xiw==} - jasmine@5.1.0: - resolution: {integrity: sha512-prmJlC1dbLhti4nE4XAPDWmfJesYO15sjGXVp7Cs7Ym5I9Xtwa/hUHxxJXjnpfLO72+ySttA0Ztf8g/RiVnUKw==} + jasmine@5.2.0: + resolution: {integrity: sha512-il+noV96N1BGU9/FMmc8QtAMxC8lPnXUiAvgb0o9MDZATRdxglTQe9wo6UdL049ropQL6MopDYwDlludKR6wJQ==} hasBin: true lower-case@1.1.4: @@ -636,8 +636,8 @@ packages: resolution: {integrity: sha512-TkRKr9sUTxEH8MdfuCSP7VizJyzRNMjj2J2do2Jr3Kym598JVdEksuzPQCnlFPW4ky9Q+iA+ma9BGm06XQBy8g==} engines: {node: '>= 0.6'} - typescript@5.4.5: - resolution: {integrity: sha512-vcI4UpRgg81oIRUFwR0WSIHKt11nJ7SAVlYNIu+QpqeyXP+gpQJy/Z4+F0aGxSE4MqwjyXvW/TzgkLAx2AGHwQ==} + typescript@5.5.4: + resolution: {integrity: sha512-Mtq29sKDAEYP7aljRgtPOpTvOfbwRWlS6dPRzwjdE+C0R4brX/GUyhHSecbHMFLNBLcJIPt9nl9yG5TZ1weH+Q==} engines: {node: '>=14.17'} hasBin: true @@ -655,8 +655,8 @@ packages: umap@1.0.2: resolution: {integrity: sha512-bW127HgG4H4VAD6qlqO5vCC+7bnlYvZ6A6BdwyGblkWvlEG7VYpj1bcpf3iJpvyKmkPZWDIeZDmoULz67ec7NA==} - undici-types@5.26.5: - resolution: {integrity: sha512-JlCMO+ehdEIKqlFxk6IfVoAUVmgz7cU7zD/h9XZ0qzeosSHmUJVOzSQvvYSYWXkFXC+IfLKSIffhv0sVZup6pA==} + undici-types@6.19.8: + resolution: {integrity: sha512-ve2KP6f/JnbPBFyobGHuerC9g1FYGn/F8n1LWTwNxCEzd6IfqTwUQcNXgEtmmQ6DlRrC1hrSrBnCZPokRrDHjw==} unpipe@1.0.0: resolution: {integrity: sha512-pjy2bYhSsufwWlKwPc+l3cN7+wuJlK6uz0YdJEOlQDbl6jo/YlPi4mb8agUkVC8BF7V8NuzeyPNqRksA3hztKQ==} 
@@ -710,7 +710,7 @@ snapshots: '@types/body-parser@1.19.5': dependencies: '@types/connect': 3.4.38 - '@types/node': 20.14.0 + '@types/node': 20.16.1 '@types/compression@1.7.5': dependencies: @@ -718,15 +718,15 @@ snapshots: '@types/connect@3.4.38': dependencies: - '@types/node': 20.14.0 + '@types/node': 20.16.1 '@types/cors@2.8.17': dependencies: - '@types/node': 20.14.0 + '@types/node': 20.16.1 '@types/express-serve-static-core@4.19.0': dependencies: - '@types/node': 20.14.0 + '@types/node': 20.16.1 '@types/qs': 6.9.14 '@types/range-parser': 1.2.7 '@types/send': 0.17.4 @@ -744,11 +744,11 @@ snapshots: '@types/morgan@1.9.9': dependencies: - '@types/node': 20.14.0 + '@types/node': 20.16.1 - '@types/node@20.14.0': + '@types/node@20.16.1': dependencies: - undici-types: 5.26.5 + undici-types: 6.19.8 '@types/qs@6.9.14': {} @@ -757,17 +757,17 @@ snapshots: '@types/send@0.17.4': dependencies: '@types/mime': 1.3.5 - '@types/node': 20.14.0 + '@types/node': 20.16.1 '@types/serve-static@1.15.7': dependencies: '@types/http-errors': 2.0.4 - '@types/node': 20.14.0 + '@types/node': 20.16.1 '@types/send': 0.17.4 '@types/split2@4.2.3': dependencies: - '@types/node': 20.14.0 + '@types/node': 20.16.1 accepts@1.3.8: dependencies: @@ -1074,12 +1074,12 @@ snapshots: optionalDependencies: '@pkgjs/parseargs': 0.11.0 - jasmine-core@5.1.2: {} + jasmine-core@5.2.0: {} - jasmine@5.1.0: + jasmine@5.2.0: dependencies: glob: 10.3.12 - jasmine-core: 5.1.2 + jasmine-core: 5.2.0 lower-case@1.1.4: {} @@ -1298,7 +1298,7 @@ snapshots: media-typer: 0.3.0 mime-types: 2.1.35 - typescript@5.4.5: {} + typescript@5.5.4: {} ucontent@2.0.0: dependencies: @@ -1316,7 +1316,7 @@ snapshots: umap@1.0.2: {} - undici-types@5.26.5: {} + undici-types@6.19.8: {} unpipe@1.0.0: {} diff --git a/utils/disk-cache.ts b/utils/disk-cache.ts index 5d03144e..4c8247e8 100644 --- a/utils/disk-cache.ts +++ b/utils/disk-cache.ts 
@@ -104,6 +104,12 @@ export class DiskCache {
   }
 
   private keyToFilePath(key: string) {
-    return path.join(env("DATA_DIR"), this.#path, `${key}.json`);
+    const baseDir = path.join(env("DATA_DIR"), this.#path);
+    const result = path.resolve(path.join(baseDir, `${key}.json`));
+    // avoid path traversal attack
+    if (!result.startsWith(baseDir)) {
+      throw new Error(`Invalid path: ${result}`);
+    }
+    return result;
   }
 }
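Review bot: The guard `if (!result.startsWith(baseDir))` in `keyToFilePath` compares against `baseDir` without a trailing separator, so a resolved path that lands in a sibling directory sharing the same prefix (say `…/cache-old` next to `…/cache`) still passes, and because `baseDir` is only `path.join`ed while `result` is `path.resolve`d, a relative `DATA_DIR` makes the two never share a prefix and every lookup throws. Resolve both sides and require the separator: `const baseDir = path.resolve(env("DATA_DIR"), this.#path);`, then build `result` as `path.resolve(baseDir, …)` with the same `${key}.json` template argument, and check `if (!result.startsWith(baseDir + path.sep)) {`. The thrown message also echoes the absolute `result`; if that error can reach a client it discloses the data-directory layout, so a fixed `Invalid cache key` message with the path logged server-side is safer. The enclosing `DiskCache` class begins outside the hunk, and `env` is defined elsewhere in the file.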