diff --git a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb
index 3b30be3bfb1..c26604e3ce3 100644
--- a/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb
+++ b/npm_and_yarn/lib/dependabot/npm_and_yarn/file_fetcher.rb
@@ -159,6 +159,8 @@ def path_dependencies(fetched_files)
 path_dependency_details(fetched_files).each do |name, path|
 path = path.gsub(PATH_DEPENDENCY_CLEAN_REGEX, "")
+ raise PathDependenciesNotReachable, "#{name} at #{path}" if path.start_with?("/")
+
 filename = path
 # NPM/Yarn support loading path dependencies from tarballs:
 # https://docs.npmjs.com/cli/pack.html
@@ -234,6 +236,8 @@ def path_dependency_details_from_manifest(file)
 select { |_, v| v.is_a?(String) && v.start_with?(*path_starts) }.
 map do |name, path|
 path = path.gsub(PATH_DEPENDENCY_CLEAN_REGEX, "")
+ raise PathDependenciesNotReachable, "#{name} at #{path}" if path.start_with?("/")
+
 path = File.join(current_dir, path) unless current_dir.nil?
 [name, Pathname.new(path).cleanpath.to_path]
 end
diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_fetcher_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_fetcher_spec.rb
index 973b10c5e10..050644893ef 100644
--- a/npm_and_yarn/spec/dependabot/npm_and_yarn/file_fetcher_spec.rb
+++ b/npm_and_yarn/spec/dependabot/npm_and_yarn/file_fetcher_spec.rb
@@ -158,6 +158,23 @@
 end
 end
 end
+
+ context "with a path dependency that is an absolute path" do
+ before do
+ stub_request(:get, File.join(url, "package.json?ref=sha")).
+ with(headers: { "Authorization" => "token token" }).
+ to_return(
+ status: 200,
+ body: fixture("github", "package_json_with_path_content_file_absolute.json"),
+ headers: json_header
+ )
+ end
+
+ it "raises PathDependenciesNotReachable" do
+ expect { file_fetcher_instance.files }.
+ to raise_error(Dependabot::PathDependenciesNotReachable)
+ end
+ end
 end
 context "with a yarn.lock but no package-lock.json file" do
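Review bot: The guard added in `path_dependencies` re-screens paths that `path_dependency_details` has, per the second hunk, already run through `PATH_DEPENDENCY_CLEAN_REGEX`, joined with `current_dir` and rejected with the identical `start_with?("/")` check, so within this diff the two raises overlap and a reader cannot tell which one is meant to fire. If `path_dependency_details` also collects entries from a source other than the manifest (a lockfile collector, not visible here), the second guard is defence in depth and deserves a comment on the new line saying so, e.g. `# Re-check here: not every entry from path_dependency_details goes through the manifest screen`; if it does not, the first-hunk guard is dead code and the second gsub there is a no-op. `path_dependencies` continues past the end of the hunk.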
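Review bot: `path.start_with?("/")` in `path_dependency_details_from_manifest` rejects rooted values, but a manifest entry such as `file:../../../x` still passes, is joined with `current_dir` and `Pathname#cleanpath` collapses it without clamping `..`, so the returned path can point above the directory the fetcher is rooted in. Unless `fetch_file_from_host` (not visible here) already refuses paths that resolve outside the repository, the guard should also apply to the joined, cleaned result, assuming `current_dir` is repository-root-relative: `cleaned = Pathname.new(path).cleanpath.to_path` then `raise PathDependenciesNotReachable, "#{name} at #{path}" if cleaned == ".." || cleaned.start_with?("../")` and return `[name, cleaned]`. Relative entries that stay inside the repository (the common monorepo `file:../shared`) still pass that check. The surrounding `select`/`map` chain begins before the hunk.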
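Review bot: The new example is titled "absolute path", yet the fixture's base64 `content` decodes to a dependency of `"file://../../"`, which is a relative path behind a `file://` scheme; it only trips the new guard if stripping the prefix with `PATH_DEPENDENCY_CLEAN_REGEX` (not visible here) leaves the leading `//`. A genuinely rooted value such as `"file:/opt/shared"` would pin the behaviour the example's name promises, and the `file://../../` case is worth keeping as a second example so the scheme-style rejection is documented as intended rather than incidental. Either rename the context to match the fixture or add a fixture with a true absolute path; the enclosing `describe`/`context` blocks start and end outside the hunk.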
diff --git a/npm_and_yarn/spec/fixtures/github/package_json_with_path_content_file_absolute.json b/npm_and_yarn/spec/fixtures/github/package_json_with_path_content_file_absolute.json
new file mode 100644
index 00000000000..21408900289
--- /dev/null
+++ b/npm_and_yarn/spec/fixtures/github/package_json_with_path_content_file_absolute.json
@@ -0,0 +1,18 @@ +{ + "name": "package.json", + "path": "sample/table-storage/package.json", + "sha": "cbc64de1d80ca35d0fc3c33c37e784b05cb50e52", + "size": 1741, + "url": "https://api.github.com/repos/nestjs/azure-database/contents/sample/table-storage/package.json?ref=master", + "html_url": "https://github.com/nestjs/azure-database/blob/master/sample/table-storage/package.json", + "git_url": "https://api.github.com/repos/nestjs/azure-database/git/blobs/cbc64de1d80ca35d0fc3c33c37e784b05cb50e52", + "download_url": "https://raw.githubusercontent.com/nestjs/azure-database/master/sample/table-storage/package.json", + "type": "file", + "content": "ewogICJuYW1lIjogInRhYmxlLXN0b3JhZ2UiLAogICJ2ZXJzaW9uIjogIjAu\nMC4xIiwKICAiZGVzY3JpcHRpb24iOiAiIiwKICAiYXV0aG9yIjogIiIsCiAg\nImxpY2Vuc2UiOiAiTUlUIiwKICAic2NyaXB0cyI6IHsKICAgICJwcmVidWls\nZCI6ICJyaW1yYWYgZGlzdCIsCiAgICAiYnVpbGQiOiAibmVzdCBidWlsZCIs\nCiAgICAiZm9ybWF0IjogInByZXR0aWVyIC0td3JpdGUgXCJzcmMvKiovKi50\nc1wiIFwidGVzdC8qKi8qLnRzXCIiLAogICAgInN0YXJ0IjogIm5lc3Qgc3Rh\ncnQiLAogICAgInN0YXJ0OmRldiI6ICJuZXN0IHN0YXJ0IC0td2F0Y2giLAog\nICAgInN0YXJ0OmRlYnVnIjogIm5lc3Qgc3RhcnQgLS1kZWJ1ZyAtLXdhdGNo\nIiwKICAgICJzdGFydDpwcm9kIjogIm5vZGUgZGlzdC9tYWluIiwKICAgICJs\naW50IjogInRzbGludCAtcCB0c2NvbmZpZy5qc29uIC1jIHRzbGludC5qc29u\nIiwKICAgICJ0ZXN0IjogImplc3QiLAogICAgInRlc3Q6d2F0Y2giOiAiamVz\ndCAtLXdhdGNoIiwKICAgICJ0ZXN0OmNvdiI6ICJqZXN0IC0tY292ZXJhZ2Ui\nLAogICAgInRlc3Q6ZGVidWciOiAibm9kZSAtLWluc3BlY3QtYnJrIC1yIHRz\nY29uZmlnLXBhdGhzL3JlZ2lzdGVyIC1yIHRzLW5vZGUvcmVnaXN0ZXIgbm9k\nZV9tb2R1bGVzLy5iaW4vamVzdCAtLXJ1bkluQmFuZCIsCiAgICAidGVzdDpl\nMmUiOiAiamVzdCAtLWNvbmZpZyAuL3Rlc3QvamVzdC1lMmUuanNvbiIKICB9\nLAogICJkZXBlbmRlbmNpZXMiOiB7CiAgICAiQG5lc3Rqcy9henVyZS1kYXRh\nYmFzZSI6ICJmaWxlOi8vLi4vLi4vIiwKICAgICJAbmVzdGpzL2NvbW1vbiI6\nICJeOC4wLjAiLAogICAgIkBuZXN0anMvY29yZSI6ICJeOC4wLjAiLAogICAg\nIkBuZXN0anMvcGxhdGZvcm0tZXhwcmVzcyI6ICJeOC4wLjAiLAogICAgInJl\nZmxlY3QtbWV0YWRhdGEiOiAiXjAuMS4xMyIsCiAgICAicmltcmFmIjogIl4z\nLjAuMCIsCiAgICAicnhqcyI6ICJeNy4wLjAiCiAgfSwKICA
iZGV2RGVwZW5k\nZW5jaWVzIjogewogICAgIkBuZXN0anMvY2xpIjogIl44LjAuMCIsCiAgICAi\nQG5lc3Rqcy9zY2hlbWF0aWNzIjogIl45LjAuMCIsCiAgICAiQG5lc3Rqcy90\nZXN0aW5nIjogIl44LjAuMCIsCiAgICAiQHR5cGVzL2V4cHJlc3MiOiAiXjQu\nMTcuMyIsCiAgICAiQHR5cGVzL2plc3QiOiAiXjI5LjAuMCIsCiAgICAiQHR5\ncGVzL25vZGUiOiAiXjE2LjAuMCIsCiAgICAiQHR5cGVzL3N1cGVydGVzdCI6\nICJeMi4wLjgiLAogICAgImplc3QiOiAiXjI5LjAuMCIsCiAgICAicHJldHRp\nZXIiOiAiXjIuMi4xIiwKICAgICJzdXBlcnRlc3QiOiAiXjYuMC4wIiwKICAg\nICJ0cy1qZXN0IjogIl4yOS4wLjAiLAogICAgInRzLWxvYWRlciI6ICJeOS4w\nLjAiLAogICAgInRzLW5vZGUiOiAiXjEwLjAuMCIsCiAgICAidHNjb25maWct\ncGF0aHMiOiAiXjQuMC4wIiwKICAgICJ0c2xpbnQiOiAiXjYuMC4wIiwKICAg\nICJ0eXBlc2NyaXB0IjogIl40LjAuMCIKICB9LAogICJqZXN0IjogewogICAg\nIm1vZHVsZUZpbGVFeHRlbnNpb25zIjogWwogICAgICAianMiLAogICAgICAi\nanNvbiIsCiAgICAgICJ0cyIKICAgIF0sCiAgICAicm9vdERpciI6ICJzcmMi\nLAogICAgInRlc3RSZWdleCI6ICIuc3BlYy50cyQiLAogICAgInRyYW5zZm9y\nbSI6IHsKICAgICAgIl4uK1xcLih0fGopcyQiOiAidHMtamVzdCIKICAgIH0s\nCiAgICAiY292ZXJhZ2VEaXJlY3RvcnkiOiAiLi9jb3ZlcmFnZSIsCiAgICAi\ndGVzdEVudmlyb25tZW50IjogIm5vZGUiCiAgfQp9Cg==\n", + "encoding": "base64", + "_links": { + "self": "https://api.github.com/repos/nestjs/azure-database/contents/sample/table-storage/package.json?ref=master", + "git": "https://api.github.com/repos/nestjs/azure-database/git/blobs/cbc64de1d80ca35d0fc3c33c37e784b05cb50e52", + "html": "https://github.com/nestjs/azure-database/blob/master/sample/table-storage/package.json" + } +}