Path resolving without invalid character checking #1

Open
ZoneTwelve opened this issue Jun 13, 2022 · 0 comments

Comments

@ZoneTwelve (Member)

csv-database/index.js, lines 218 to 246 in aa627ed (the `fs` and `path` imports are added so the excerpt stands alone; behaviour is unchanged):

```javascript
const fs = require("fs");
const path = require("path");

function pathConstructor( filePath, data, hash ){
  // Security issue: if data or filePath contains a slash, it is still resolved as a path.
  let paths = [ ];
  for( let p of filePath.split("/") ){
    // "$name" inside a segment is replaced with data.name; the value is not validated
    let key = p.match(/\$([a-zA-Z0-9]+)/);
    if( key ){
      // replace the p with the data
      p = p.replace( key[0], data[key[1]] );
      // create a new index file or read the index file
      let indexFile = path.join( paths.join("/"), `index-${key[1]}-${hash}` );
      let content = [ ];
      if( fs.existsSync( indexFile ) ){
        content = fs.readFileSync( indexFile, "utf8" ).split("\n");
      }
      // it's very slow
      if( content.indexOf( data[key[1]] ) === -1 )
        content.push( data[key[1]] );
      fs.writeFileSync( indexFile, content.join("\n") );
    }
    // the (possibly attacker-controlled) segment becomes part of the directory path
    paths.push( p );
    let _path = paths.join("/");
    if( p && !fs.existsSync( _path ) ){
      fs.mkdirSync( _path );
    }
  }
  return paths.join("/");
}
```

With user input including some invalid characters, like the parent directory ( .. ), the current directory ( . ) or a slash ( / ),
this would cause Local File Inclusion, SSRF, or other file-path-related security issues (e.g. NTR attack).

ZoneTwelve changed the title from "Path resolving without invalid character checking would exist LFI or Other problem" to "Path resolving without invalid character checking" on Jun 13, 2022