npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2024 – Pkg Stats / Ryan Hefner

sandboxed-path

v2.0.0

Published

A simple package for sandboxing file paths in Node.js

Downloads

1

Vulnerabilities

Powered byPowered by Snyk
  • 0High
  • 0Medium
  • 0Low

Links

Maintainers

hedgehog125hedgehog125

Keywords

Readme

sanboxed-path

sandboxed-path is a very simple replacement for the built-in path module. It adds a few more methods to let you sandbox paths.

Some things to note

  1. The sandboxing happens when generating paths for accessing files, which you need to do by calling one of the methods. The sandbox won't do anything if you specify a path to a file system function without first passing it through one of the sandbox functions.

  2. While I've tested it in very basic conditions, it's possible there are bugs that let you escape the sandbox (although unlikely). You should still be a bit careful when working with files.

Getting Started

In many cases, you can just start using the functions and not configure anything. Just install and import with:

npm install sandboxed-path

And

import path from "sandboxed-path";

And then use it a bit like this:

// These are all local paths, but the functions produce absolute paths
fs.writeFile(path.accessLocal("foo.txt"), "bar"); // Fine because it's in the sandbox
fs.writeFile(path.accessLocal("../foo.txt"), "bar"); // Error prevents file from being written due to the path being outside of the sandbox
fs.writeFile(path.accessOutsideLocal("../foo.txt"), "bar"); // Fine because outside local *doesn't* have sandboxing

// Again but with absolute paths
fs.writeFile(path.sandboxPath("/Users/bob/Documents/example-project/foo.txt"), "bar"); // Fine because it's in the sandbox (assuming the program is located here)
fs.writeFile(path.sandboxPath("/Users/bob/Documents/foo.txt"), "bar"); // Again, outside sandbox so the error stops it
fs.writeFile(path.accessOutside("/Users/bob/foo.txt"), "bar"); // Fine because accessOutside *doesn't* have sandboxing
fs.writeFile("/Users/bob/foo.txt", "bar"); // Fine because none of the methods were called
// ^^ This is actually identical to the line above it though, as accessOutside just returns its input. But calling the function makes it clearer that you intended to leave the sandbox

Initially the sandbox scope and base for relative paths are set to the folder the script that imported the module is in. But you might want to change one or both of these.

For example, if you've split your code up into a static and server folder, you probably want to be able to access the static folder from the server folder. You'd do this with:

path.changeSandboxScope.backOne();

This would then allow you to access everything in your project's folder.

Warning: The sandbox scope and base for relative paths are separate. While they are initially the same, you have to modify them individually. In the example above, although a folder up one can now be accessed, the paths are still relative to the folder containing the script that imported the module. See below for how to change the base for relative paths.

You can also independently change where the relative paths are measured from. You'll probably just want to do this with path.changeRelativeBasePath.matchSandbox() but there are some other methods listed in the next section...

Functions

  • sandboxPath(absolutePath : string) => sandboxedAbsolutePath : string

    Takes an absolute path and makes sure it's in the sandbox. Otherwise throws an error.

  • accessLocal(relativePath : string) => sandboxedAbsolutePath : string

    Takes a relative path, makes it absolute and makes sure it's in the sandbox. Otherwise throws an error.

  • accessOutsideLocal(relativePath : string) => notSandboxedAbsolutePath : string

    Takes a relative path and only makes it absolute. Doesn't sandbox but makes it's clearer that it's intentional.

  • changeSandboxScope/changeRelativeBasePath are objects which both contain very similar functions:

    -> setAbsolute(absolutePath : string) => void

    Sets the sandbox scope or relative base path to an absolute path.

    -> setRelative(relativePath : string) => void

    Sets the sandbox scope or relative base path to a relative path. Both are relative to their current values, as opposed to only the relative path.

    -> backOne() => void

    Makes the sandbox scope or relative base path go up a directory. Equivalent to setRelative("../")

    -> matchRelative()/matchSandbox() => void

    changeSandboxScope only has matchRelative(), and changeRelativeBasePath only has matchSandbox(). Sets them to be equal in a particular direction.

Updates

  • 2.0 made it an ES module but didn't add any new features. If you need to use it as an older module, just use 1.0.0.