SYNC: security fixes

packages/api/src/controllers/runners.js

@@ -19,6 +19,7 @@ const {
 const { handleProcessCommunication } = require('../utility/processComm');
 const processArgs = require('../utility/processArgs');
 const platformInfo = require('../utility/platformInfo');
+const { checkSecureDirectories, checkSecureDirectoriesInScript } = require('../utility/security');
 const logger = getLogger('runners');
 
 function extractPlugins(script) {
@@ -273,6 +274,12 @@ module.exports = {
     const runid = crypto.randomUUID();
 
     if (script.type == 'json') {
+      if (!platformInfo.isElectron) {
+        if (!checkSecureDirectoriesInScript(script)) {
+          return { errorMessage: 'Unallowed directories in script' };
+        }
+      }
+
       const js = await jsonScriptToJavascript(script);
       return this.startCore(runid, scriptTemplate(js, false));
     }
@@ -317,6 +324,11 @@ module.exports = {
 
   loadReader_meta: true,
   async loadReader({ functionName, props }) {
+    if (!platformInfo.isElectron) {
+      if (props?.fileName && !checkSecureDirectories(props.fileName)) {
+        return { errorMessage: 'Unallowed file' };
+      }
+    }
     const prefix = extractShellApiPlugins(functionName)
       .map(packageName => `// @require ${packageName}\n`)
       .join('');