arborist: sanitize packageName in path construction for linked strategy

Add sanitizeName() to strip path traversal sequences from package names
before using them in filesystem path construction. Applied at all 9
locations where packageName is interpolated into path.join() calls.

Author: KevinZhao

workspaces/arborist/lib/arborist/isolated-reifier.js

@@ -5,6 +5,10 @@ const { depth } = require('treeverse')
 const crypto = require('node:crypto')
 const { IsolatedNode, IsolatedLink } = require('../isolated-classes.js')
 
+const sanitizeName = (name) => name
+  ? name.replace(/\.\.[/\\]/g, '_').replace(/\.\.$/, '_').replace(/^[/\\]/, '')
+  : name
+
 // generate short hash key based on the dependency tree starting at this node
 const getKey = (startNode) => {
   const deps = []
@@ -29,7 +33,7 @@ const getKey = (startNode) => {
     .replace(/\+/g, '-')
     .replace(/\//g, '_')
     .replace(/=+$/m, '')
-  return `${startNode.packageName}@${startNode.version}-${hash}`
+  return `${sanitizeName(startNode.packageName)}@${startNode.version}-${hash}`
 }
 
 module.exports = cls => class IsolatedReifier extends cls {
@@ -41,7 +45,7 @@ module.exports = cls => class IsolatedReifier extends cls {
     const newChild = new IsolatedNode({
       isInStore,
       location,
-      name: node.packageName || node.name,
+      name: sanitizeName(node.packageName) || node.name,
       optional: node.optional,
       package: pkg,
       parent: root,
@@ -135,7 +139,7 @@ module.exports = cls => class IsolatedReifier extends cls {
         node.root.path,
         'node_modules',
         '.store',
-        `${node.packageName}@${node.version}`
+        `${sanitizeName(node.packageName)}@${node.version}`
       )
       mkdirSync(dir, { recursive: true })
       // TODO this approach feels wrong and shouldn't be necessary for shrinkwraps
@@ -177,7 +181,7 @@ module.exports = cls => class IsolatedReifier extends cls {
     result.id = this.counter++
     /* istanbul ignore next - packageName is always set for real packages */
     result.name = result.isWorkspace ? (node.packageName || node.name) : node.name
-    result.packageName = node.packageName || node.name
+    result.packageName = sanitizeName(node.packageName) || node.name
     result.package = { ...node.package }
     result.package.bundleDependencies = undefined
 
@@ -313,7 +317,7 @@ module.exports = cls => class IsolatedReifier extends cls {
         return
       }
       processed.add(key)
-      const location = join('node_modules', '.store', key, 'node_modules', c.packageName)
+      const location = join('node_modules', '.store', key, 'node_modules', sanitizeName(c.packageName))
       this.#generateChild(c, location, c.package, true, root)
     })
 
@@ -346,7 +350,7 @@ module.exports = cls => class IsolatedReifier extends cls {
 
     let from, nmFolder
     if (externalEdge) {
-      const fromLocation = join('node_modules', '.store', key, 'node_modules', node.packageName)
+      const fromLocation = join('node_modules', '.store', key, 'node_modules', sanitizeName(node.packageName))
       from = root.children.get(fromLocation)
       nmFolder = join('node_modules', '.store', key, 'node_modules')
     } else {
@@ -380,7 +384,7 @@ module.exports = cls => class IsolatedReifier extends cls {
 
     let target
     if (external) {
-      const toLocation = join('node_modules', '.store', toKey, 'node_modules', dep.packageName)
+      const toLocation = join('node_modules', '.store', toKey, 'node_modules', sanitizeName(dep.packageName))
       target = root.children.get(toLocation)
     } else {
       target = root.inventory.get(dep.localLocation)
@@ -414,7 +418,7 @@ module.exports = cls => class IsolatedReifier extends cls {
       package: pkg,
       path: join(dep.root.localPath, nmFolder, dep.name),
       realpath: target.path,
-      resolved: external ? `file:.store/${toKey}/node_modules/${dep.packageName}` : dep.resolved,
+      resolved: external ? `file:.store/${toKey}/node_modules/${sanitizeName(dep.packageName)}` : dep.resolved,
       root,
       target,
     })