Fix node_modules directory search security risk

Fixes nodejs#8839 nodejs/node-v0.x-archive#8830 https://groups.google.com/forum/#!searchin/nodejs/node_modules$20security/nodejs/5BGr5dliUIk/abJEH3sPymcJ
iankronquist · Dec 16, 2014 · 095e605 · 095e605
1 parent 350d6e8
commit 095e605
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/lib/module.js b/lib/module.js
@@ -212,6 +212,8 @@ Module._nodeModulePaths = function(from) {
   // to be absolute.  Doing a fully-edge-case-correct path.split
   // that works on both Windows and Posix is non-trivial.
   var splitRe = process.platform === 'win32' ? /[\/\\]/ : /\//;
+  var home_dir = process.env[
+    (process.platform == 'win32') ? 'USERPROFILE' : 'HOME'];
   var paths = [];
   var parts = from.split(splitRe);
 
@@ -220,6 +222,8 @@ Module._nodeModulePaths = function(from) {
     if (parts[tip] === 'node_modules') continue;
     var dir = parts.slice(0, tip + 1).concat('node_modules').join(path.sep);
     paths.push(dir);
+    // If we have reached the user's home directory, stop searching
+    if (parts.slice(0, tip + 1).join(path.sep) == home_dir) break;
   }
 
   return paths;