Harden options to prevent path traversal when passed untrusted input

sindresorhus · sindresorhus · commit 85acab95babc · 2026-01-21T08:32:49.000+07:00
This is not fixing any vulnerability since these options are not meant to accept untrusted input.
diff --git a/index.js b/index.js
@@ -9,7 +9,8 @@ import {isStream} from 'is-stream';
 
 const pipeline = promisify(stream.pipeline); // TODO: Use `node:stream/promises` when targeting Node.js 16.
 
-const getPath = (prefix = '') => path.join(tempDir, prefix + uniqueString());
+// Use `path.basename()` to prevent path traversal.
+const getPath = (prefix = '') => path.join(tempDir, path.basename(prefix) + uniqueString());
 
 const writeStream = async (filePath, data) => pipeline(data, fs.createWriteStream(filePath));
 
@@ -27,10 +28,12 @@ export function temporaryFile({name, extension} = {}) {
 			throw new Error('The `name` and `extension` options are mutually exclusive');
 		}
 
-		return path.join(temporaryDirectory(), name);
+		// Use `path.basename()` to prevent path traversal.
+		return path.join(temporaryDirectory(), path.basename(name));
 	}
 
-	return getPath() + (extension === undefined || extension === null ? '' : '.' + extension.replace(/^\./, ''));
+	// Use `path.basename()` to prevent path traversal.
+	return getPath() + (extension === undefined || extension === null ? '' : '.' + path.basename(extension).replace(/^\./, ''));
 }
 
 export const temporaryFileTask = async (callback, options) => runTask(temporaryFile(options), callback);
diff --git a/test.js b/test.js
@@ -140,3 +140,9 @@ test('.root', t => {
 	t.true(rootTemporaryDirectory.length > 0);
 	t.true(path.isAbsolute(rootTemporaryDirectory));
 });
+
+test('path traversal prevention', t => {
+	t.true(temporaryFile({name: '../../../test'}).includes(tempDir));
+	t.true(temporaryFile({extension: '../../../test'}).includes(tempDir));
+	t.true(temporaryDirectory({prefix: '../../../test'}).includes(tempDir));
+});

Original file line number	Diff line number	Diff line change
`@@ -9,7 +9,8 @@ import {isStream} from 'is-stream';`
`9`	`9`
`10`	`10`	const pipeline = promisify(stream.pipeline); // TODO: Use `node:stream/promises` when targeting Node.js 16.
`11`	`11`
`12`		`-const getPath = (prefix = '') => path.join(tempDir, prefix + uniqueString());`
	`12`	+// Use `path.basename()` to prevent path traversal.
	`13`	`+const getPath = (prefix = '') => path.join(tempDir, path.basename(prefix) + uniqueString());`
`13`	`14`
`14`	`15`	`const writeStream = async (filePath, data) => pipeline(data, fs.createWriteStream(filePath));`
`15`	`16`
`@@ -27,10 +28,12 @@ export function temporaryFile({name, extension} = {}) {`
`27`	`28`	throw new Error('The `name` and `extension` options are mutually exclusive');
`28`	`29`	`}`
`29`	`30`
`30`		`- return path.join(temporaryDirectory(), name);`
	`31`	+ // Use `path.basename()` to prevent path traversal.
	`32`	`+ return path.join(temporaryDirectory(), path.basename(name));`
`31`	`33`	`}`
`32`	`34`
`33`		`- return getPath() + (extension === undefined \|\| extension === null ? '' : '.' + extension.replace(/^\./, ''));`
	`35`	+ // Use `path.basename()` to prevent path traversal.
	`36`	`+ return getPath() + (extension === undefined \|\| extension === null ? '' : '.' + path.basename(extension).replace(/^\./, ''));`
`34`	`37`	`}`
`35`	`38`
`36`	`39`	`export const temporaryFileTask = async (callback, options) => runTask(temporaryFile(options), callback);`