style: Format code

.dockerignore

@@ -4,4 +4,5 @@ node_modules/
 .github/
 .gitignore
 Dockerfile*
+LICENSE
 README.md

Dockerfile

@@ -1,18 +1,12 @@
 FROM node:16-bullseye
 
-RUN apt-get update \
-    && apt-get install -y \
-		build-essential zip unzip \
-    && apt-get clean \
-	&& rm -rf /var/lib/apt/lists/*
-
-COPY . /usr/local/share/file-manager
-RUN cd /usr/local/share/file-manager \
-	&& npm install .
-
-VOLUME /data
-WORKDIR /data
-
 ENV NODE_ENV=production
 
+COPY . /usr/local/share/file-manager
+RUN cd /usr/local/share/file-manager \
+	&& npm install . \
+	&& rm -rf ~/.npm ~/.cache
+
+WORKDIR /data
+
 CMD ["node", "/usr/local/share/file-manager/index.js"]

index.js

@@ -154,7 +154,11 @@ app.use((req, res, next) => {
 });
 
 function relative(...paths) {
-  return paths.reduce((a, b) => path.join(a, b), process.cwd());
+  const finalPath = paths.reduce((a, b) => path.join(a, b), process.cwd());
+  if (path.relative(process.cwd(), finalPath).startsWith("..")) {
+    throw new Error("Failed to resolve path outside of the working directory");
+  }
+  return finalPath;
 }
 function flashify(req, obj) {
   let error = req.flash("error");

package-lock.json

@@ -1,12 +1,12 @@
 {
   "name": "file-manager",
-  "version": "0.2.0",
+  "version": "0.2.4",
   "lockfileVersion": 2,
   "requires": true,
   "packages": {
     "": {
       "name": "file-manager",
-      "version": "0.2.0",
+      "version": "0.2.4",
       "dependencies": {
         "@primer/octicons": "^16.1.1",
         "archiver": "^5.3.0",

package.json

@@ -1,7 +1,7 @@
 {
   "name": "file-manager",
   "description": "A simple file manager",
-  "version": "0.2.2",
+  "version": "0.2.4",
   "scripts": {
     "format": "prettier --write .",
     "start": "node index.js"