From 350d6e8e209c20b068810ef8f41f169bb8cc3c5b Mon Sep 17 00:00:00 2001
From: Ian Kronquist
Date: Tue, 16 Dec 2014 12:19:45 -0800
Subject: [PATCH 1/2] Add test for issue #8830
https://github.com/joyent/node/issues/8830
https://groups.google.com/forum/#!searchin/nodejs/node_modules$20security/nodejs/5BGr5dliUIk/abJEH3sPymcJ
---
 test/simple/test-module-nodemodulepaths.js | 27 ++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)
diff --git a/test/simple/test-module-nodemodulepaths.js b/test/simple/test-module-nodemodulepaths.js
index 3d48d99ab94b72..c98b65a42971d9 100644
--- a/test/simple/test-module-nodemodulepaths.js
+++ b/test/simple/test-module-nodemodulepaths.js
@@ -26,17 +26,40 @@ var module = require('module');
 var isWindows = process.platform === 'win32';
-var file, delimiter, paths;
+var file, delimiter, paths, expected_paths, old_home;
 if (isWindows) {
   file = 'C:\\Users\\Rocko Artischocko\\node_stuff\\foo';
   delimiter = '\\'
+  expected_paths = [
+    'C:\\Users\\Rocko Artischocko\\node_stuff\\foo\\node_modules',
+    'C:\\Users\\Rocko Artischocko\\node_stuff\\node_modules',
+    'C:\\Users\\Rocko Artischocko\\node_modules'
+  ];
+  old_home = process.env.USERPROFILE;
+  process.env.USERPROFILE = 'C:\\Users\\Rocko Artischocko';
 } else {
   file = '/usr/test/lib/node_modules/npm/foo';
   delimiter = '/'
+  expected_paths = [
+    '/usr/test/lib/node_modules/npm/foo/node_modules',
+    '/usr/test/lib/node_modules/npm/node_modules',
+    '/usr/test/lib/node_modules',
+    '/usr/test/node_modules'
+  ];
+  old_home = process.env.HOME;
+  process.env.HOME = '/usr/test';
 }
 paths = module._nodeModulePaths(file);
 assert.ok(paths.indexOf(file + delimiter + 'node_modules') !== -1);
-assert.ok(Array.isArray(paths));
\ No newline at end of file
+assert.deepEqual(expected_paths, paths);
+assert.ok(Array.isArray(paths));
+
+// Restore mocked home directory environment variables for other tests
+if (isWindows) {
+  process.env.USERPROFILE = old_home;
+} else {
+  process.env.HOME = old_home;
+}
From 095e605aee95aaaa72af3734d771444c50c62a2d Mon Sep 17 00:00:00 2001
From: Ian Kronquist
Date: Tue, 16 Dec 2014 12:22:39 -0800
Subject: [PATCH 2/2] Fix node_modules directory search security risk
Fixes #8839
https://github.com/joyent/node/issues/8830
https://groups.google.com/forum/#!searchin/nodejs/node_modules$20security/nodejs/5BGr5dliUIk/abJEH3sPymcJ
---
 lib/module.js | 4 ++++
 1 file changed, 4 insertions(+)
diff --git a/lib/module.js b/lib/module.js
index 5c18d943037eef..410addf6f68771 100644
--- a/lib/module.js
+++ b/lib/module.js
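Review bot: The new assertions only exercise a `file` that lies beneath the mocked home directory, so the truncation is pinned but the unchanged behaviour for a path outside `HOME`/`USERPROFILE` (full parent chain up to the root) is not, and no case covers a home value with a trailing separator, which the comparison added in lib/module.js would never match. A second `module._nodeModulePaths(file)` call with the home variable pointed somewhere unrelated to `file`, asserting the full chain, and one with `'/usr/test/'` would close both gaps. The restore block at the bottom runs only after every assertion has passed; registering it with `process.on('exit', function() { ... })` or wrapping the asserts in try/finally keeps a failing run from leaking the mocked variable into anything else in the process. Also `assert.deepEqual(expected_paths, paths)` passes the arguments in (expected, actual) order, so a failure message will read backwards — swap them to `assert.deepEqual(paths, expected_paths);`.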
@@ -212,6 +212,8 @@ Module._nodeModulePaths = function(from) {
   // to be absolute. Doing a fully-edge-case-correct path.split
   // that works on both Windows and Posix is non-trivial.
   var splitRe = process.platform === 'win32' ? /[\/\\]/ : /\//;
+  var home_dir = process.env[
+    (process.platform == 'win32') ? 'USERPROFILE' : 'HOME'];
   var paths = [];
   var parts = from.split(splitRe);
@@ -220,6 +222,8 @@ Module._nodeModulePaths = function(from) {
     if (parts[tip] === 'node_modules') continue;
     var dir = parts.slice(0, tip + 1).concat('node_modules').join(path.sep);
     paths.push(dir);
+    // If we have reached the user's home directory, stop searching
+    if (parts.slice(0, tip + 1).join(path.sep) == home_dir) break;
   }
   return paths;
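Review bot: `home_dir` is taken verbatim from the environment but, in the second hunk (`@@ -220,6 +222,8 @@`), compared against a prefix rebuilt with `path.sep`, so a value with a trailing separator, forward slashes on Windows, or a differently-cased drive letter never matches and the search silently reverts to the full parent chain, which is exactly the behaviour the patch means to stop. Normalize once where it is read, e.g. `if (home_dir) home_dir = path.resolve(home_dir);`, and run the rebuilt prefix through `path.resolve` before the comparison; on Windows a case-insensitive compare is likely still needed, which I have not verified here. The new line also uses `==` where the line two above it (`process.platform === 'win32'`) uses `===`, so `(process.platform === 'win32')` would match the file's style. `Module._nodeModulePaths` begins before this hunk and its closing `};` is outside the second one.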
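Review bot: The `break` only narrows exposure for files beneath the home directory; for a script under any other root the loop still walks to `/node_modules`, so an ancestor directory writable by other users that contains a `node_modules` entry stays on the lookup path, and the comment above the check should say so rather than read as a complete fix. Something like `// Stop at the user's home directory; files outside it are still searched up to the filesystem root` documents the residual risk for the next reader. It is also worth stating in that comment that the check runs after `paths.push(dir)`, so `$HOME/node_modules` itself is still returned — the accompanying test depends on that ordering. When `HOME`/`USERPROFILE` is unset, `home_dir` is `undefined` and the comparison never fires, which is the pre-patch behaviour and probably fine, but a one-line note would save the next maintainer from checking.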