From afd9bdf5b59f5fcb35efad38503117c7c0d9b7b9 Mon Sep 17 00:00:00 2001
From: "aikido[bot]"
Date: Fri, 25 Oct 2024 11:42:46 +0000
Subject: [PATCH] Fix for Potential file inclusion attack via file path construction

---
 lib-es5/walker.js | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/lib-es5/walker.js b/lib-es5/walker.js
index abeb60cb..283eb2ce 100644
--- a/lib-es5/walker.js
+++ b/lib-es5/walker.js
@@ -536,6 +536,9 @@ class Walker {
 record.body = body;
 }
 async stepDerivatives_ALIAS_AS_RELATIVE(record, marker, derivative) {
+ if (path_1.default.dirname(record.file).includes('../') || path_1.default.dirname(record.file).includes('..\\') || derivative.alias.includes('../') || derivative.alias.includes('..\\')) {
+ throw new Error('Invalid path detected');
+ }
 const file = (0, common_1.normalizePath)(path_1.default.join(path_1.default.dirname(record.file), derivative.alias));
 let stat;
 try {
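Review bot: The new guard is a substring test for `../` and `..\`, so an alias that is exactly `..` or ends in `/..` with no trailing separator still passes, and the `path_1.default.join` on the following line resolves it above `dirname(record.file)`; checking the joined result with `path.relative` against that directory is tighter and less fragile than scanning the raw strings. The check on `path_1.default.dirname(record.file)` also looks misplaced: `record.file` is a path the walker already holds, so rejecting it on `../` is a no-op if it is stored normalized and a false positive if it is not — `derivative.alias` is the untrusted input here. If relative aliases such as `../lib/x` are legitimate inputs to this step (not visible in the hunk), the check as written rejects them, which should be confirmed against the callers before merging. The body of stepDerivatives_ALIAS_AS_RELATIVE continues outside the hunk.
```javascript
async stepDerivatives_ALIAS_AS_RELATIVE(record, marker, derivative) {
    const base = path_1.default.dirname(record.file);
    const file = (0, common_1.normalizePath)(path_1.default.join(base, derivative.alias));
    // Reject any alias whose resolved form leaves the record's directory.
    const rel = path_1.default.relative(base, file);
    if (rel === '..' || rel.startsWith(`..${path_1.default.sep}`) || path_1.default.isAbsolute(rel)) {
        throw new Error('Invalid path detected');
    }
    // … unchanged: stat lookup and the rest of the step …
```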