fix: insecure tmp path (#33)

Fixes #13

packages/cli/src/commands/local/local.run.ts

@@ -4,6 +4,7 @@ import { run as runLoad } from '@morten-olsen/mini-loader-runner';
 import { bundle } from '../../bundler/bundler.js';
 import { step } from '../../utils/step.js';
 import { readSecrets } from './local.utils.js';
+import { Config } from '../../config/config.js';
 
 const run = new Command('run');
 
@@ -12,6 +13,7 @@ run
   .argument('script')
   .action(async (script) => {
     const location = resolve(script);
+    const config = new Config();
     const { autoInstall } = run.opts();
     const secrets = await readSecrets();
 
@@ -21,6 +23,7 @@ run
     const { promise, emitter } = await runLoad({
       script: code,
       secrets,
+      cacheLocation: config.cacheLocation,
     });
     emitter.addListener('message', (message) => {
       switch (message.type) {

packages/cli/src/config/config.ts

@@ -7,12 +7,13 @@ type ConfigValues = {
   context?: string;
 };
 
+const paths = envPaths('mini-loader');
+
 class Config {
   #location: string;
   #config?: ConfigValues;
 
   constructor() {
-    const paths = envPaths('mini-loader');
     this.#location = join(paths.config, 'config.json');
     if (existsSync(this.#location)) {
       this.#config = JSON.parse(readFileSync(this.#location, 'utf-8'));
@@ -23,6 +24,10 @@ class Config {
     return this.#config?.context || 'default';
   }
 
+  public get cacheLocation() {
+    return join(paths.cache, this.context);
+  }
+
   public setContext = (context: string) => {
     this.#config = {
       ...(this.#config || {}),

packages/runner/src/index.ts

@@ -5,10 +5,11 @@ type RunOptions = {
   script: string;
   input?: Buffer | string;
   secrets?: Record<string, string>;
+  cacheLocation: string;
 };
 
-const run = async ({ script, input, secrets }: RunOptions) => {
+const run = async ({ script, input, secrets, cacheLocation }: RunOptions) => {
-  const info = await setup({ script, input, secrets });
+  const info = await setup({ script, input, secrets, cacheLocation });
 
   const worker = new Worker(info.scriptLocation, {
     stdin: false,

packages/runner/src/setup/setup.ts

@@ -1,5 +1,4 @@
 import { join } from 'path';
-import os from 'os';
 import { nanoid } from 'nanoid';
 import { chmod, mkdir, rm, writeFile } from 'fs/promises';
 import { createServer } from 'net';
@@ -9,6 +8,7 @@ type SetupOptions = {
   input?: Buffer | string;
   script: string;
   secrets?: Record<string, string>;
+  cacheLocation: string;
 };
 
 type RunEvents = {
@@ -20,7 +20,7 @@ type RunEvents = {
 const setup = async (options: SetupOptions) => {
   const { input, script, secrets } = options;
   const emitter = new EventEmitter<RunEvents>();
-  const dataDir = join(os.tmpdir(), 'mini-loader', nanoid());
+  const dataDir = join(options.cacheLocation, nanoid());
 
   await mkdir(dataDir, { recursive: true });
   await chmod(dataDir, 0o700);

packages/server/src/runner/runner.instance.ts

@@ -67,6 +67,7 @@ class RunnerInstance extends EventEmitter<RunnerInstanceEvents> {
         script,
         secrets: allSecrets,
         input,
+        cacheLocation: config.files.cache,
       });
       this.#run = current;
       const { promise, emitter } = current;