16 lines
462 B
JavaScript
16 lines
462 B
JavaScript
import { realpathSync } from "fs";
|
|
import path from "path";
|
|
export default function isSafePath({ filePath, allowedDir, }) {
|
|
const resolved = path.resolve(filePath);
|
|
if (!resolved.startsWith(allowedDir + path.sep) && resolved !== allowedDir) {
|
|
return false;
|
|
}
|
|
try {
|
|
const real = realpathSync(resolved);
|
|
return (real.startsWith(allowedDir + path.sep) || real === allowedDir);
|
|
}
|
|
catch {
|
|
return false;
|
|
}
|
|
}
|