nwutils/nw-builder

app.name may not be filesafe

Black-Platypus opened this issue · 2 comments

Issue Type

  • Bug Report
  • Feature Request
  • Other

Current/Missing Behaviour

When using an app name that includes illegal characters for filenames, renaming nw.exe (etc) may fail or lead to unintended behavior (also maybe path traversal?)

Expected/Proposed Behaviour

The executable is renamed taking the above into account

Additional Info

  • Package version: 4.11.3
  • Operating System: Windows 10 x64
  • Node version: v20.9.0, 22.7.0
  • NW.js version: 0.92.0

Depending on whether the final executable path needs to be known after it was created or not, I think there should be a remedy either in the parsing stage or the renaming stage.
I would encourage getting everything prepared ahead of taking any action, so I'd like to suggest ideally having a theoretical stage where everything is prepared, or at least making sure the app.name is file safe in the parsing stage, to minimize issues arising from potential differences between app.name and the resulting executable name.

PRs:
Parsing stage: #1259
Renaming stage (windows): #1260

@Black-Platypus Thanks for the PRs, I'll try to review them over next couple days