Initial commit: Upload Checkpoint project

utils/plugins.js

@@ -0,0 +1,28 @@
+import { resolve, extname, sep, isAbsolute } from 'path';
+import { pathToFileURL } from 'url';
+import { rootDir } from '../index.js';
+
+/**
+ * Securely import a JavaScript module from within the application root.
+ * Prevents path traversal and disallows non-.js extensions.
+ *
+ * @param {string} relPath - The relative path to the module from the application root.
+ * @returns {Promise<any>} The imported module.
+ */
+export async function secureImportModule(relPath) {
+  if (isAbsolute(relPath)) {
+    throw new Error('Absolute paths are not allowed for module imports');
+  }
+  if (relPath.includes('..')) {
+    throw new Error('Relative paths containing .. are not allowed for module imports');
+  }
+  if (extname(relPath) !== '.js') {
+    throw new Error(`Only .js files can be imported: ${relPath}`);
+  }
+  const absPath = resolve(rootDir, relPath);
+  if (!absPath.startsWith(rootDir + sep)) {
+    throw new Error(`Module path outside of application root: ${relPath}`);
+  }
+  const url = pathToFileURL(absPath).href;
+  return import(url);
+}