From 4574e9baabf090d254b264dc6e0b5a47a16c677d Mon Sep 17 00:00:00 2001
From: hbkhan
Date: Sat, 20 Jun 2020 08:45:07 -0500
Subject: [PATCH] Fix Arbitrary File Read

---
 index.js | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/index.js b/index.js
index 2e719db..e32f766 100644
--- a/index.js
+++ b/index.js
@@ -2,7 +2,8 @@ var util = require('util')
 , fs = require('fs')
 , spawn = require('./spawn')
 , errors = require('./errors')
- , cwd = process.cwd();
+ , cwd = process.cwd()
+ , path = require('path');
 
 /**
 * Make some curl opts friendlier.
@@ -236,7 +237,13 @@ exports.request = function (options, callback) {
 
 if (options.file) {
 cmd = 'cat';
- args = [options.file];
+ var rootDirectory = path.resolve(cwd, './');
+ var filename = path.join(rootDirectory, options.file);
+ if (filename.indexOf(rootDirectory) !== 0) {
+ // trying to sneak out of the root directory?
+ return
+ }
+ args = [filename];
 }
 
 //Simulate the spawn?
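Review bot: The containment test on the new `if (filename.indexOf(rootDirectory) !== 0)` line is a plain string-prefix comparison, so a `path.join` result that lands in a sibling directory whose name merely starts with the root's name (e.g. root `/srv/app` and a joined path under `/srv/app-data`) passes the check while being outside the root; comparing with `path.relative` (rejecting `..`, `..`+separator prefixes and absolute results) closes that gap and is separator-aware on Windows. The bare `return` on the rejected branch also drops the request without ever invoking `callback`, so the caller has no way to learn the read was refused; reporting an error through the callback keeps the function's contract (guard the call if `callback` can be absent elsewhere in `request`, which starts and ends outside this hunk). Note that `path.join` throws a TypeError when `options.file` is not a string, and neither version resolves symlinks inside the root — presumably acceptable, but worth a comment stating it. Proposed replacement for the added lines:

```javascript
    var rootDirectory = path.resolve(cwd);
    var filename = path.resolve(rootDirectory, String(options.file));
    // separator-aware containment check; a bare prefix test accepts sibling
    // directories that share the root's name as a prefix
    var relative = path.relative(rootDirectory, filename);
    if (relative === '..' || relative.indexOf('..' + path.sep) === 0 || path.isAbsolute(relative)) {
      // refuse paths outside the working directory and tell the caller
      return callback(new Error('options.file must be inside ' + rootDirectory));
    }
    args = [filename];
```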