Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

refactor(@angular/ssr): use join instead of resolve #26205

Merged
merged 1 commit into from Nov 3, 2023
Merged

refactor(@angular/ssr): use join instead of resolve #26205

merged 1 commit into from Nov 3, 2023

Conversation

alan-agius4
Copy link
Collaborator

@alan-agius4 alan-agius4 commented Nov 2, 2023
edited

With this change we replace resolve with join to avoid potential path traversal vulnerability.

More context about the reasoning behind this change can be found in https://buganizer.corp.google.com/issues/299878755#comment26

//cc @securityMB, @AndrewKushnir

@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: rc This PR is targeted for the next release-candidate labels Nov 2, 2023
@alan-agius4 alan-agius4 force-pushed the ssr-path-join branch 5 times, most recently from 1795229 to 52e5dc8 Compare November 3, 2023 07:56
@alan-agius4 alan-agius4 added this to the v17 milestone Nov 3, 2023
securityMB
securityMB reviewed Nov 3, 2023
View reviewed changes
Copy link

@securityMB securityMB left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I left one comment with a nit. Otherwise, LGTM.

packages/angular/ssr/src/common-engine.ts Show resolved Hide resolved
@alan-agius4 alan-agius4 added action: merge The PR is ready for merge by the caretaker and removed action: review The PR is still awaiting reviews from at least one requested reviewer labels Nov 3, 2023
@alan-agius4
refactor(@angular/ssr): guard against potential path traversals
a5c793e 
This change updates to code to guard against a potential path traversal.

More context about the reasoning behind this change can be found in https://buganizer.corp.google.com/issues/299878755#comment26
@alan-agius4 alan-agius4 merged commit 0f5fb09 into angular:main Nov 3, 2023
32 checks passed
@alan-agius4 alan-agius4 deleted the ssr-path-join branch November 3, 2023 13:50
@angular-automatic-lock-bot
Copy link

This issue has been automatically locked due to inactivity.
Please file a new issue if you are encountering a similar or related problem.

Read more about our automatic conversation locking policy.

This action has been performed automatically by a bot.

@angular-automatic-lock-bot angular-automatic-lock-bot bot locked and limited conversation to collaborators Dec 4, 2023
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@securityMB securityMB securityMB left review comments

@clydin clydin clydin approved these changes

Assignees
No one assigned
Labels
action: merge The PR is ready for merge by the caretaker target: rc This PR is targeted for the next release-candidate
Projects
None yet
Milestone
v17
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@alan-agius4 @securityMB @clydin