JS: Ensure we never write outside the scratch dir

Author: asgerf

javascript/extractor/src/com/semmle/js/extractor/AutoBuild.java

@@ -689,6 +689,19 @@ private String getChildAsString(JsonObject obj, String name) {
      return null;
   }
 
+  /**
+   * Gets a relative path from <code>from</code> to <code>to</code> provided
+   * the latter is contained in the former. Otherwise returns <code>null</code>.
+   * @return a path or null
+   */
+  public static Path tryRelativize(Path from, Path to) {
+    Path relative = from.relativize(to);      
+    if (relative.startsWith("..") || relative.isAbsolute()) {
+      return null;
+    }
+    return relative;
+  }
+
   /**
    * Installs dependencies for use by the TypeScript type checker.
    * <p>
@@ -727,6 +740,9 @@ protected DependencyInstallationResult installDependencies(Set<Path> filesToExtr
           if (!(json instanceof JsonObject)) continue;
           JsonObject jsonObject = (JsonObject) json;
           file = file.toAbsolutePath();
+          if (tryRelativize(sourceRoot, file) == null) {
+            continue; // Ignore package.json files outside the source root.
+          }
           packageJsonFiles.put(file, jsonObject);
 
           String name = getChildAsString(jsonObject, "name");