From d6029f5aa821ce9cf0ca95ae50bd09dfd02e23d8 Mon Sep 17 00:00:00 2001
From: tomaioo
Date: Sun, 24 May 2026 17:16:08 -0700
Subject: [PATCH] fix(react-docgen-cli): unsafe file write with user-controlled path

The `outputResult` function writes to a file path specified by the `output` option without any validation. If an attacker can control the `output` parameter (e.g., via CLI `--output` flag), they could write files to arbitrary locations on the filesystem, potentially overwriting critical files or achieving remote code execution by overwriting executable files.

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
---
 .../src/commands/parse/output/outputResult.ts | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

diff --git a/packages/react-docgen-cli/src/commands/parse/output/outputResult.ts b/packages/react-docgen-cli/src/commands/parse/output/outputResult.ts
index 7b04191f972..7339372147e 100644
--- a/packages/react-docgen-cli/src/commands/parse/output/outputResult.ts
+++ b/packages/react-docgen-cli/src/commands/parse/output/outputResult.ts
@@ -1,4 +1,5 @@
 import { writeFile } from 'fs/promises';
+import { resolve } from 'path';
 import type { Documentation } from 'react-docgen';
 export default async function outputResult(
@@ -12,7 +13,12 @@ export default async function outputResult(
 );
 if (output) {
- await writeFile(output, result, 'utf-8');
+ const resolvedOutput = resolve(output);
+ const cwd = resolve('.');
+ if (!resolvedOutput.startsWith(cwd)) {
+ throw new Error('Output path must be within the current working directory');
+ }
+ await writeFile(resolvedOutput, result, 'utf-8');
 } else {
 process.stdout.write(result + '\n');
 }
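Review bot: The containment test on the added `if (!resolvedOutput.startsWith(cwd))` line is a bare string-prefix check, so a sibling path that merely shares the working directory's name as a prefix passes it (a cwd of `/work/app` admits `/work/app-other/out.json`, constructed example), which means the guard does not enforce what its error message states. Comparing against the directory plus a separator closes that gap: `if (resolvedOutput !== cwd && !resolvedOutput.startsWith(cwd + sep)) {` with `sep` added to the `import { resolve } from 'path';` line in the first hunk, or equivalently rejecting a `relative(cwd, resolvedOutput)` result that starts with `..` or is absolute. Even then the check is purely lexical: `resolve` does not follow symlinks, so a link inside the working directory that points elsewhere would presumably still pass — if that matters for this CLI, compare against the `fs.realpath` of the target's parent directory instead. Restricting `--output` to the current working directory is also a behaviour change for anyone writing docs to an absolute path elsewhere; whether that is acceptable depends on callers outside this hunk, since `outputResult`'s signature and the origin of `output` lie outside the view.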