Security: Unsafe File Write with User-Controlled Path

[tomaioo]

Summary

Security: Unsafe File Write with User-Controlled Path

Problem

Severity: High | File: packages/react-docgen-cli/src/commands/parse/output/outputResult.ts:L8

The outputResult function writes to a file path specified by the output option without any validation. If an attacker can control the output parameter (e.g., via CLI --output flag), they could write files to arbitrary locations on the filesystem, potentially overwriting critical files or achieving remote code execution by overwriting executable files.

Solution

Validate and sanitize the output path to ensure it resolves within an expected output directory. Use path.resolve() and check that the resolved path starts with the allowed base directory. Consider using fs.realpath() to resolve symlinks before validation.

Changes

• packages/react-docgen-cli/src/commands/parse/output/outputResult.ts (modified)

[changeset-bot]

⚠️ No Changeset found

Latest commit: d6029f5

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[netlify]

✅ Deploy Preview for react-docgen canceled.

Name	Link
🔨 Latest commit	d6029f5
🔍 Latest deploy log	https://app.netlify.com/projects/react-docgen/deploys/6a1394cbc61ac2000750a70c

[danez]

--out is intentionally user-controlled CLI output, analogous to many tools that accept an output filename and overwrite it. react-docgen does not claim to sandbox writes or execute with elevated privileges. Callers that expose this CLI through a service or privileged wrapper must validate paths at that integration boundary. We do not plan to restrict --out to a base directory because that would break legitimate CLI usage.

We added a documentation note for --out/-o in 2276f2d to make the trust boundary explicit. The docs now state that the output path is used as provided, that an existing file may be overwritten, and that callers should only pass trusted paths to this option. This preserves the intended CLI behavior while warning integrators not to expose the option directly to untrusted input without their own validation.