From 5cd84ae8167762bbfd19ea2cf348c0fa74081847 Mon Sep 17 00:00:00 2001
From: Thomas Hobson <git@hexf.me>
Date: Thu, 22 Jul 2021 14:58:41 +1200
Subject: [PATCH] api: allow paths when writing files (#302)

---
 api/src/job.js | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

diff --git a/api/src/job.js b/api/src/job.js
index d4b90ea..bb78448 100644
--- a/api/src/job.js
+++ b/api/src/job.js
@@ -59,6 +59,13 @@ class Job {
 
         for (const file of this.files) {
             let file_path = path.join(this.dir, file.name);
+            const rel = path.relative(this.dir, file_path);
+
+            if(rel.startsWith(".."))
+                throw Error(`File path "${file.name}" tries to escape parent directory: ${rel}`)
+
+            await fs.mkdir(path.dirname(file_path), {recursive: true,  mode: 0o700})
+            await fs.chown(path.dirname(file_path), this.uid, this.gid);
 
             await fs.write_file(file_path, file.content);
             await fs.chown(file_path, this.uid, this.gid);
@@ -139,7 +146,7 @@ class Job {
             proc.on('exit', (code, signal) => {
                 exit_cleanup();
 
-                resolve({ stdout, stderr, code, signal, output });
+                resolve({stdout, stderr, code, signal, output });
             });
 
             proc.on('error', err => {