From b6581b4a9cf9a4706b2967fceb5930a3de4d2ac7 Mon Sep 17 00:00:00 2001
From: XmiliaH
Date: Thu, 10 Feb 2022 16:01:38 +0100
Subject: [PATCH] Prepare release 3.9.7
---
 CHANGELOG.md | 8 ++++++++
 README.md | 3 +++
 lib/resolver-compat.js | 8 +++++++-
 package.json | 2 +-
 test/nodevm.js | 22 ++++++++++++++++++++++
 5 files changed, 41 insertions(+), 2 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index a24ec6c..dbe2b2d 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,11 @@
+v3.9.7 (2022-02-10)
+-------------------
+[fix] Allow relative require from base script
+[fix] Fix issue with modules with exports clause in package json
+[fix] Added missing whitelist check before custom require
+[fix] Revert plain object toString behavior
+[fix] Root path check improved
+
 v3.9.6 (2022-02-08)
 -------------------
 [fix] Security fixes (XmiliaH)
diff --git a/README.md b/README.md
index 3625d91..d45e714 100644
--- a/README.md
+++ b/README.md
@@ -377,6 +377,9 @@ vm2 ./script.js
 ## Known Issues
 * It is not possible to define a class that extends a proxied class.
+* Direct eval does not work.
+* Logging sandbox arrays will repeat the array part in the properties.
+* Source code transformations can result a different source string for a function.
 ## Deployment
diff --git a/lib/resolver-compat.js b/lib/resolver-compat.js
index 7620155..86453f0 100644
--- a/lib/resolver-compat.js
+++ b/lib/resolver-compat.js
@@ -293,7 +293,13 @@ function resolverFromOptions(vm, options, override, compiler) {
 if (rootPaths) {
 const checkedRootPaths = (Array.isArray(rootPaths) ? rootPaths : [rootPaths]).map(f => pa.resolve(f));
 checkPath = (filename) => {
- return checkedRootPaths.some(path => filename.startsWith(path));
+ return checkedRootPaths.some(path => {
+ if (!filename.startsWith(path)) return false;
+ const len = path.length;
+ if (filename.length === len) return true;
+ const sep = filename[len];
+ return sep === '/' || sep === pa.sep;
+ });
 };
 } else {
 checkPath = () => true;
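Review bot: The new separator test inside checkPath rejects every candidate when a configured root resolves to a path that already ends in a separator (the filesystem root `/`, or a drive root on Windows), because `pa.resolve` keeps that trailing separator and `filename[len]` then lands on the first character of the next path component instead of on a separator. That fails closed, but it silently turns a plausible `root` setting into a blanket "Cannot find module" for everything under it. Accepting such a root before inspecting the next character covers it: `if (path.endsWith(pa.sep) || path.endsWith('/')) return true;` placed right after the `filename.length === len` test. The check also relies on `filename` arriving absolute and normalized, which is established outside this hunk, so a one-line comment on checkPath such as `// filename must be an absolute, normalized path; a root matches itself or any path below it` would make that contract visible. resolverFromOptions starts before this hunk and continues after it.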
diff --git a/package.json b/package.json
index 422416d..f5a3b30 100644
--- a/package.json
+++ b/package.json
@@ -13,7 +13,7 @@
 "alcatraz",
 "contextify"
 ],
- "version": "3.9.6",
+ "version": "3.9.7",
 "main": "index.js",
 "sideEffects": false,
 "repository": "github:patriksimek/vm2",
diff --git a/test/nodevm.js b/test/nodevm.js
index 6a274bd..2c1e02c 100644
--- a/test/nodevm.js
+++ b/test/nodevm.js
@@ -298,6 +298,28 @@ describe('modules', () => {
 assert.throws(() => vm.run("require('mocha')", __filename), /Cannot find module 'mocha'/);
 });
+ it('root path checking', () => {
+ const vm = new NodeVM({
+ require: {
+ external: true,
+ root: `${__dirname}/node_modules/module`
+ },
+ });
+
+ assert.throws(() => vm.run("require('module2')", __filename), /Cannot find module 'module2'/);
+ });
+ it('relative require not allowed to enter node modules', () => {
+ const vm = new NodeVM({
+ require: {
+ external: ['mocha'],
+ root: `${__dirname}`
+ },
+ });
+
+ assert.throws(() => vm.run("require('./node_modules/module2')", __filename), /Cannot find module '\.\/node_modules\/module2'/);
+ });
+
 it('arguments attack', () => {
 let vm = new NodeVM;