Guard CLI bundle upload against oversized and out-of-app paths

Author: isaacroldan

.changeset/guard-bundle-upload-size-and-paths.md

@@ -0,0 +1,5 @@
+---
+'@shopify/app': patch
+---
+
+Guard app bundle uploads against oversized bundles and asset paths resolving outside the app directory

packages/app/src/cli/services/build/steps/include-assets-step.test.ts

@@ -25,7 +25,7 @@ describe('executeIncludeAssetsStep', () => {
       options: {
         stdout: mockStdout,
         stderr: mockStderr,
-        app: {} as any,
+        app: {directory: '/test'} as any,
         environment: 'production',
       },
       stepResults: new Map(),

packages/app/src/cli/services/build/steps/include-assets-step.ts

@@ -125,6 +125,7 @@ export async function executeIncludeAssetsStep(
   const config = IncludeAssetsConfigSchema.parse(step.config)
   const {extension, options} = context
   const outputDir = resolveOutputDir(extension.outputPath)
+  const appDirectory = options.app.directory
 
   const aggregatedPathMap = new Map<string, string | string[]>()
   // Track basenames written across all configKey entries in this build. In
@@ -147,6 +148,7 @@ export async function executeIncludeAssetsStep(
       baseDir: extension.directory,
       outputDir,
       context,
+      appDirectory,
       destination: sanitizedDest,
       usedBasenames,
       preserveFilePaths: entry.preserveFilePaths,
@@ -172,6 +174,8 @@ export async function executeIncludeAssetsStep(
               outputDir: destinationDir,
               patterns: entry.include,
               ignore: entry.ignore ?? [],
+              appDirectory,
+              sourceDirConfigValue: entry.baseDir ?? '.',
             },
             options,
           )
@@ -189,6 +193,7 @@ export async function executeIncludeAssetsStep(
               destination: sanitizedDest,
               baseDir: extension.directory,
               outputDir,
+              appDirectory,
             },
             options,
           )

packages/app/src/cli/services/build/steps/include-assets/assert-path-within-app.test.ts

@@ -0,0 +1,30 @@
+import {assertPathWithinAppDir} from './assert-path-within-app.js'
+import {AbortError} from '@shopify/cli-kit/node/error'
+import {describe, expect, test} from 'vitest'
+
+describe('assertPathWithinAppDir', () => {
+  test('allows a path inside the app directory', () => {
+    expect(() =>
+      assertPathWithinAppDir('/app/extensions/ext-a/icon.png', '/app', 'extensions/ext-a/icon.png'),
+    ).not.toThrow()
+  })
+
+  test('allows the app directory itself', () => {
+    expect(() => assertPathWithinAppDir('/app', '/app', '.')).not.toThrow()
+  })
+
+  test('rejects a relative path that escapes the app directory via ..', () => {
+    expect(() => assertPathWithinAppDir('/other/secret.env', '/app', '../other/secret.env')).toThrow(AbortError)
+    expect(() => assertPathWithinAppDir('/other/secret.env', '/app', '../other/secret.env')).toThrow(
+      /resolves outside the app directory/,
+    )
+  })
+
+  test('rejects an absolute path that points outside the app directory', () => {
+    expect(() => assertPathWithinAppDir('/Users/me', '/app', '/Users/me')).toThrow(AbortError)
+  })
+
+  test('includes the original config value in the error message for debuggability', () => {
+    expect(() => assertPathWithinAppDir('/other', '/app', '~/anywhere')).toThrow(/Asset path '~\/anywhere'/)
+  })
+})

packages/app/src/cli/services/build/steps/include-assets/assert-path-within-app.ts

@@ -0,0 +1,23 @@
+import {relativePath, isAbsolutePath} from '@shopify/cli-kit/node/path'
+import {AbortError} from '@shopify/cli-kit/node/error'
+
+/**
+ * Throws if `resolvedPath` is not inside `appDirectory`.
+ *
+ * Guards against accidental misuse where an extension config points an asset
+ * source outside the app folder (e.g. `source = "../../"` or an absolute home
+ * directory path). Adversarial bypass via symlinks is out of scope — server-side
+ * size enforcement is the real boundary; this check is a fast-fail for DX.
+ *
+ * `configValue` is the raw value from configuration used in the error message
+ * so the user can locate the offending entry.
+ */
+export function assertPathWithinAppDir(resolvedPath: string, appDirectory: string, configValue: string): void {
+  const relative = relativePath(appDirectory, resolvedPath)
+  if (relative.startsWith('..') || isAbsolutePath(relative)) {
+    throw new AbortError(
+      `Asset path '${configValue}' resolves outside the app directory.`,
+      `Asset sources must be inside the app folder. Resolved to: ${resolvedPath}`,
+    )
+  }
+}

packages/app/src/cli/services/build/steps/include-assets/copy-by-pattern.test.ts

@@ -24,6 +24,8 @@ describe('copyByPattern', () => {
         outputDir: '/out',
         patterns: ['**/*.ts', '**/*.tsx'],
         ignore: [],
+        appDirectory: '/src',
+        sourceDirConfigValue: '.',
       },
       {stdout: mockStdout},
     )
@@ -47,6 +49,8 @@ describe('copyByPattern', () => {
         outputDir: '/out',
         patterns: ['**/*.png'],
         ignore: [],
+        appDirectory: '/src',
+        sourceDirConfigValue: '.',
       },
       {stdout: mockStdout},
     )
@@ -72,6 +76,8 @@ describe('copyByPattern', () => {
         outputDir: '/out/sub',
         patterns: ['**/*'],
         ignore: [],
+        appDirectory: '/out',
+        sourceDirConfigValue: 'sub',
       },
       {stdout: mockStdout},
     )
@@ -96,6 +102,8 @@ describe('copyByPattern', () => {
         outputDir: '/out',
         patterns: ['*.png'],
         ignore: [],
+        appDirectory: '/out',
+        sourceDirConfigValue: '.',
       },
       {stdout: mockStdout},
     )
@@ -120,6 +128,8 @@ describe('copyByPattern', () => {
         outputDir: '/out/dist',
         patterns: ['*.js'],
         ignore: [],
+        appDirectory: '/src',
+        sourceDirConfigValue: '.',
       },
       {stdout: mockStdout},
     )
@@ -139,6 +149,8 @@ describe('copyByPattern', () => {
         outputDir: '/out',
         patterns: ['**/*'],
         ignore: ['**/*.test.ts', 'node_modules/**'],
+        appDirectory: '/src',
+        sourceDirConfigValue: '.',
       },
       {stdout: mockStdout},
     )

packages/app/src/cli/services/build/steps/include-assets/copy-by-pattern.ts

@@ -1,3 +1,4 @@
+import {assertPathWithinAppDir} from './assert-path-within-app.js'
 import {joinPath, dirname, relativePath} from '@shopify/cli-kit/node/path'
 import {glob, copyFile, mkdir} from '@shopify/cli-kit/node/fs'
 
@@ -10,10 +11,13 @@ export async function copyByPattern(
     outputDir: string
     patterns: string[]
     ignore: string[]
+    appDirectory: string
+    sourceDirConfigValue: string
   },
   options: {stdout: NodeJS.WritableStream},
 ): Promise<{filesCopied: number; outputPaths: string[]}> {
-  const {sourceDir, outputDir, patterns, ignore} = config
+  const {sourceDir, outputDir, patterns, ignore, appDirectory, sourceDirConfigValue} = config
+  assertPathWithinAppDir(sourceDir, appDirectory, sourceDirConfigValue)
   const files = await glob(patterns, {
     absolute: true,
     cwd: sourceDir,

packages/app/src/cli/services/build/steps/include-assets/copy-config-key-entry.test.ts

@@ -28,7 +28,13 @@ describe('copyConfigKeyEntry', () => {
       await mkdir(outDir)
 
       const context = makeContext({static_root: 'public'}, mockStdout)
-      const result = await copyConfigKeyEntry({key: 'static_root', baseDir: tmpDir, outputDir: outDir, context})
+      const result = await copyConfigKeyEntry({
+        key: 'static_root',
+        baseDir: tmpDir,
+        outputDir: outDir,
+        context,
+        appDirectory: tmpDir,
+      })
 
       expect(result.filesCopied).toBe(2)
       await expect(fileExists(joinPath(outDir, 'index.html'))).resolves.toBe(true)
@@ -48,7 +54,13 @@ describe('copyConfigKeyEntry', () => {
       await mkdir(outDir)
 
       const context = makeContext({schema_path: 'src/schema.json'}, mockStdout)
-      const result = await copyConfigKeyEntry({key: 'schema_path', baseDir: tmpDir, outputDir: outDir, context})
+      const result = await copyConfigKeyEntry({
+        key: 'schema_path',
+        baseDir: tmpDir,
+        outputDir: outDir,
+        context,
+        appDirectory: tmpDir,
+      })
 
       expect(result.filesCopied).toBe(1)
       await expect(fileExists(joinPath(outDir, 'schema.json'))).resolves.toBe(true)
@@ -72,7 +84,13 @@ describe('copyConfigKeyEntry', () => {
       await mkdir(outDir)
 
       const context = makeContext({files: ['a/schema.json', 'b/schema.json']}, mockStdout)
-      const result = await copyConfigKeyEntry({key: 'files', baseDir: tmpDir, outputDir: outDir, context})
+      const result = await copyConfigKeyEntry({
+        key: 'files',
+        baseDir: tmpDir,
+        outputDir: outDir,
+        context,
+        appDirectory: tmpDir,
+      })
 
       expect(result.filesCopied).toBe(2)
       // Both have basename schema.json — second one gets renamed
@@ -87,7 +105,13 @@ describe('copyConfigKeyEntry', () => {
       await mkdir(outDir)
 
       const context = makeContext({}, mockStdout)
-      const result = await copyConfigKeyEntry({key: 'static_root', baseDir: tmpDir, outputDir: outDir, context})
+      const result = await copyConfigKeyEntry({
+        key: 'static_root',
+        baseDir: tmpDir,
+        outputDir: outDir,
+        context,
+        appDirectory: tmpDir,
+      })
 
       expect(result.filesCopied).toBe(0)
       expect(result.pathMap.size).toBe(0)
@@ -101,7 +125,7 @@ describe('copyConfigKeyEntry', () => {
 
       const context = makeContext({assets_dir: 'nonexistent'}, mockStdout)
       await expect(
-        copyConfigKeyEntry({key: 'assets_dir', baseDir: tmpDir, outputDir: outDir, context}),
+        copyConfigKeyEntry({key: 'assets_dir', baseDir: tmpDir, outputDir: outDir, context, appDirectory: tmpDir}),
       ).rejects.toThrow(`Couldn't find`)
     })
   })
@@ -121,7 +145,13 @@ describe('copyConfigKeyEntry', () => {
       await mkdir(outDir)
 
       const context = makeContext({roots: ['public', 'assets']}, mockStdout)
-      const result = await copyConfigKeyEntry({key: 'roots', baseDir: tmpDir, outputDir: outDir, context})
+      const result = await copyConfigKeyEntry({
+        key: 'roots',
+        baseDir: tmpDir,
+        outputDir: outDir,
+        context,
+        appDirectory: tmpDir,
+      })
 
       // Promise.all runs copies sequentially; glob on the shared outDir may see files
       // from the other copy, so the total count is at least 3 (one per real file).
@@ -147,6 +177,7 @@ describe('copyConfigKeyEntry', () => {
         baseDir: tmpDir,
         outputDir: outDir,
         context,
+        appDirectory: tmpDir,
         destination: 'static/icons',
       })
 
@@ -174,6 +205,7 @@ describe('copyConfigKeyEntry', () => {
         baseDir: tmpDir,
         outputDir: outDir,
         context,
+        appDirectory: tmpDir,
       })
 
       expect(result.filesCopied).toBe(3)
@@ -200,6 +232,7 @@ describe('copyConfigKeyEntry', () => {
         baseDir: tmpDir,
         outputDir: outDir,
         context,
+        appDirectory: tmpDir,
       })
 
       expect(result.filesCopied).toBe(0)
@@ -227,6 +260,7 @@ describe('copyConfigKeyEntry', () => {
           baseDir: tmpDir,
           outputDir: outDir,
           context: contextA,
+          appDirectory: tmpDir,
           usedBasenames,
           preserveFilePaths: true,
         })
@@ -237,6 +271,7 @@ describe('copyConfigKeyEntry', () => {
           baseDir: tmpDir,
           outputDir: outDir,
           context: contextB,
+          appDirectory: tmpDir,
           usedBasenames,
           preserveFilePaths: true,
         })
@@ -263,6 +298,7 @@ describe('copyConfigKeyEntry', () => {
           baseDir: tmpDir,
           outputDir: outDir,
           context,
+          appDirectory: tmpDir,
           preserveFilePaths: true,
         })
         await expect(promise).rejects.toThrow(AbortError)
@@ -285,6 +321,7 @@ describe('copyConfigKeyEntry', () => {
           baseDir: tmpDir,
           outputDir: outDir,
           context,
+          appDirectory: tmpDir,
           preserveFilePaths: true,
         })
 
@@ -310,6 +347,7 @@ describe('copyConfigKeyEntry', () => {
         baseDir: tmpDir,
         outputDir: outDir,
         context,
+        appDirectory: tmpDir,
       })
 
       expect(result.filesCopied).toBe(1)

packages/app/src/cli/services/build/steps/include-assets/copy-config-key-entry.ts

@@ -1,3 +1,4 @@
+import {assertPathWithinAppDir} from './assert-path-within-app.js'
 import {joinPath, basename, relativePath, extname} from '@shopify/cli-kit/node/path'
 import {glob, copyFile, copyDirectoryContents, fileExists, mkdir, isDirectory} from '@shopify/cli-kit/node/fs'
 import {outputContent, outputDebug, outputToken} from '@shopify/cli-kit/node/output'
@@ -24,6 +25,7 @@ export async function copyConfigKeyEntry(config: {
   baseDir: string
   outputDir: string
   context: BuildContext
+  appDirectory: string
   destination?: string
   usedBasenames?: Set<string>
   preserveFilePaths?: boolean
@@ -33,6 +35,7 @@ export async function copyConfigKeyEntry(config: {
     baseDir,
     outputDir,
     context,
+    appDirectory,
     destination,
     usedBasenames = new Set<string>(),
     preserveFilePaths = false,
@@ -66,6 +69,7 @@ export async function copyConfigKeyEntry(config: {
   /* eslint-disable no-await-in-loop */
   for (const sourcePath of uniquePaths) {
     const fullPath = joinPath(baseDir, sourcePath)
+    assertPathWithinAppDir(fullPath, appDirectory, sourcePath)
     const exists = await fileExists(fullPath)
     if (!exists) {
       throw new Error(