resolved semgrep issues, version bump

Author: cs-raj

.gitignore

@@ -1,2 +1 @@
 node_modules
-package-lock.json

lib/helper.js

@@ -16,6 +16,7 @@ var prompt = require('prompt');
 var ncp = require('ncp').ncp;
 var mkdirp = require('mkdirp');
 var chalk = require('chalk');
+const sanitizePath = require('./Utility');
 var log = console.log;
 var success = chalk.green;
 var error = chalk.red;
@@ -119,7 +120,7 @@ exports.confirm = function(config, lang, backup, callback) {
 exports.createBackupDir = function(storagePath, lang, callback) {
   log(info('Creating backup...'));
   var d = new Date();
-  ncp(path.join(storagePath, lang), path.join(storagePath, lang, '..', `${d.getTime()}_${lang}_backup`), function(err) {
+  ncp(path.join(sanitizePath(storagePath), sanitizePath(lang)), path.join(sanitizePath(storagePath), sanitizePath(lang), '..', `${d.getTime()}_${sanitizePath(lang)}_backup`), function(err) {
     if (err) {
       log(error(
         `Failed to create backup, due to the following error\n${err.message || err}`

lib/plugin.js

@@ -20,18 +20,19 @@ var error = chalk.red;
 var info = chalk.cyan;
 
 var helper = require('./helper');
+const sanitizePath = require('./utility');
 
 /**
  * Create contentstack-express framework plugin
  */
 var Plugin = function(name) {
   try {
-    var dir = path.join(process.cwd(), 'plugins');
+    var dir = path.join(sanitizePath(process.cwd()), 'plugins');
     var match = (name && typeof name == 'string') ? name.match(/^[a-zA-Z0-9\-_]+$/g) : null;
     if (match && match.length) {
       name = name.trim().toLowerCase();
       if (fs.existsSync(dir)) {
-        var _path = path.join(dir, name);
+        var _path = path.join(sanitizePath(dir), sanitizePath(name));
         log(info(`Creating Contentstack plugin at ${_path}`));
         prompt.message = '';
         prompt.delimiter = '>';

lib/utility.js

@@ -0,0 +1,5 @@
+const sanitizePath = function (str) {
+  return str?.replace(/^(\.\.(\/|\\|$))+/, "");
+};
+
+module.exports = sanitizePath