Fixed a security advisory

 GHSA-94p5-r7cc-3rpr

lib/index.test.ts

@@ -192,4 +192,8 @@ describe('sanitize() - Vulnerability Tests', () => {
     it('Protects reported vulnerability #1', () => {
         expect(linuxSlash(join('/var/app-dir', sanitize("..=%5c..=%5c..=%5c..=%5c..=%5c..=%5c..=%5cetc/passwd")))).not.toBe('/etc/passwd')
     })
+
+    it('Protects reported vulnerability #2', () => {
+        expect(linuxSlash(join('/var/app', sanitize("./../../test/../../../../../../../../../../etc/passwd")))).not.toBe('/etc/passwd')
+    })
 })

lib/index.ts

@@ -103,6 +103,20 @@ export default function sanitize(pathstr: string, options: SanitizeOptions = DEF
     // Replace double (back)slashes with a single slash
     sanitizedPath = sanitizedPath.replace(/[\/\\]+/g, '/')
 
+    // Replace /../ with /
+    sanitizedPath = sanitizedPath.replace(options.parentDirectoryRegEx, '/')
+
+    // Remove ./ or / at start
+    while (sanitizedPath.startsWith('/') || sanitizedPath.startsWith('./') || sanitizedPath.endsWith('/..') || sanitizedPath.endsWith('/../') || sanitizedPath.startsWith('../') || sanitizedPath.startsWith('/../')) {
+        sanitizedPath = sanitizedPath.replace(/^\.\//g, '') // ^./
+        sanitizedPath = sanitizedPath.replace(/^\//g, '') // ^/
+        // Remove ../ | /../ at pos 0 and /.. | /../ at end
+        sanitizedPath = sanitizedPath.replace(/^[\/\\]\.\.[\/\\]/g, '/')
+        sanitizedPath = sanitizedPath.replace(/^\.\.[\/\\]/g, '/')
+        sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.$/g, '/')
+        sanitizedPath = sanitizedPath.replace(/[\/\\]\.\.\/$/g, '/')
+    }
+
     // Make sure out is not "."
     sanitizedPath = sanitizedPath.trim() === '.' ? '' : sanitizedPath