node/lib
RafaelGSS 8306457110 path: fix path traversal in normalize() on Windows
Without this patch, on Windows, normalizing a relative path might result
in a path that Windows considers absolute. In rare cases, this might
lead to path traversal vulnerabilities in user code.

We attempt to detect those cases and return a relative path instead.

Co-Authored-By: Tobias Nießen <tobias.niessen@tuwien.ac.at>
PR-URL: https://github.com/nodejs-private/node-private/pull/555
Backport-PR-URL: https://github.com/nodejs-private/node-private/pull/665
CVE-ID: CVE-2025-23084
2025-01-21 15:53:46 -03:00
assert
dns dns: make promise API fully constructed from `lib/internal/dns/promises` 2022-06-20 19:58:45 +01:00
fs
inspector inspector: refactor `inspector/promises` to be more robust 2022-10-19 18:39:31 +00:00
internal src: fix HTTP2 mem leak on premature close and ERR_PROTO 2025-01-21 15:53:42 -03:00
path
readline lib: remove `Symbol[Async]Dispose` polyfills 2024-10-07 09:47:44 +00:00
stream stream: add pipeline() for webstreams 2023-02-02 19:45:42 +00:00
test test_runner: do not expose internal loader 2024-08-13 15:17:50 +02:00
timers lib: remove unnecessary optional chaining 2024-11-07 15:59:12 +00:00
util
_http_agent.js lib: remove startsWith/endsWith primordials for char checks 2024-10-19 10:18:10 +00:00
_http_client.js http: add setDefaultHeaders option to http.request 2024-12-12 16:43:10 +00:00
_http_common.js lib: prefer optional chaining 2024-09-24 19:48:15 +00:00
_http_incoming.js lib: prefer optional chaining 2024-09-24 19:48:15 +00:00
_http_outgoing.js http: don't emit error after destroy 2024-10-28 12:57:58 +00:00
_http_server.js http: add diagnostic channel `http.server.response.created` 2024-11-02 13:46:20 +00:00
_stream_duplex.js
_stream_passthrough.js
_stream_readable.js
_stream_transform.js
_stream_wrap.js
_stream_writable.js
_tls_common.js lib: prefer logical assignment 2024-10-09 06:42:16 +00:00
_tls_wrap.js lib: prefer logical assignment 2024-10-09 06:42:16 +00:00
assert.js assert: make partialDeepStrictEqual work with urls and File prototypes 2025-01-09 17:35:54 +00:00
async_hooks.js lib: prefer logical assignment 2024-10-09 06:42:16 +00:00
buffer.js util: harden more built-in classes against prototype pollution 2024-12-16 22:33:08 +00:00
child_process.js lib: replace `createDeferredPromise` util with `Promise.withResolvers` 2024-10-19 10:13:58 +02:00
cluster.js cluster: use ObjectPrototypeHasOwnProperty 2023-05-25 16:04:19 +00:00
console.js
constants.js
crypto.js crypto: runtime deprecate crypto.fips 2024-09-25 22:31:03 +00:00
dgram.js dgram: support blocklist in udp 2024-12-15 14:19:27 +00:00
diagnostics_channel.js diagnostics_channel: fix unsubscribe during publish 2024-10-14 10:55:39 +00:00
dns.js dns: honor the order option 2024-10-17 13:18:28 +00:00
domain.js lib: the REPL should survive deletion of Array.prototype methods 2024-09-17 15:08:43 +00:00
eslint.config_partial.mjs module: use buffer.toString base64 2024-12-21 11:02:30 +00:00
events.js Revert "events: add hasEventListener util for validate" 2024-12-19 18:16:48 +01:00
fs.js fs: deprecate passing invalid types in `fs.existsSync` 2025-01-10 13:04:14 +01:00
http.js http: expose websockets 2024-07-08 15:55:43 +00:00
http2.js http2: add server handshake utility 2024-01-12 16:09:48 +00:00
https.js lib: remove `Symbol[Async]Dispose` polyfills 2024-10-07 09:47:44 +00:00
inspector.js lib: remove `Symbol[Async]Dispose` polyfills 2024-10-07 09:47:44 +00:00
module.js module: add `findPackageJSON` util 2024-10-25 20:40:54 +00:00
net.js net: support blocklist in net.connect 2024-12-06 04:36:24 +00:00
os.js src: improve `node:os` userInfo performance 2024-11-08 19:40:25 +00:00
path.js path: fix path traversal in normalize() on Windows 2025-01-21 15:53:46 -03:00
perf_hooks.js lib: add trailing commas to all public core modules 2023-02-28 12:10:24 +01:00
process.js src: disambiguate terms used to refer to builtins and addons 2022-08-09 01:36:49 +08:00
punycode.js punycode: limit deprecation warning 2025-01-18 18:01:54 +00:00
querystring.js lib: prefer logical assignment 2024-10-09 06:42:16 +00:00
quic.js src, quic: refine more of the quic implementation 2025-01-06 10:47:36 -08:00
readline.js lib: prefer logical assignment 2024-10-09 06:42:16 +00:00
repl.js module: add prefix-only modules to `module.builtinModules` 2024-12-14 07:35:00 +00:00
sea.js sea: support sea.getRawAsset() 2024-02-02 15:25:34 +01:00
sqlite.js lib,src,test,doc: add node:sqlite module 2024-07-09 20:33:38 +00:00
stream.js stream: change stream to use index instead of `for...of` 2024-08-23 07:31:55 +00:00
string_decoder.js string_decoder: refactor encoding validation 2024-09-23 22:49:53 +00:00
sys.js lib: add note about removing `node:sys` module 2024-09-05 21:53:52 +02:00
test.js test_runner: add assert.register() API 2025-01-04 18:30:04 +00:00
timers.js lib: prefer logical assignment 2024-10-09 06:42:16 +00:00
tls.js tls: remove prototype primordials 2024-07-07 00:56:04 +00:00
trace_events.js trace_events: use private fields instead of symbols for `Tracing` 2023-12-28 23:20:22 +00:00
tty.js tty: initialize winSize array with values 2024-08-11 06:32:13 +00:00
url.js lib: remove redundant global regexps 2024-12-10 12:18:18 +00:00
util.js util: rename CallSite.column to columnNumber 2025-01-15 13:28:53 +00:00
v8.js lib: handle Float16Array in node:v8 serdes 2024-12-07 18:24:28 +00:00
vm.js lib: add validation for options in compileFunction 2024-12-06 06:53:06 +00:00
wasi.js wasi: make returnOnExit true by default 2023-04-11 16:35:52 -04:00
worker_threads.js src,worker: add isInternalWorker 2025-01-14 18:24:30 +00:00
zlib.js zlib: deprecate classes usage without `new` 2024-11-29 20:55:03 +00:00