fix(@angular/build): assert that asset input paths are within workspace root#33222
Merged
Conversation
alan-agius4
added
the
target: patch
![gemini-code-assist[bot]](https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
There was a problem hiding this comment.
Code Review
This pull request introduces validation to ensure that asset input paths are located within the workspace root, adding a new isSubDirectory utility and corresponding checks across the application and browser builders. Feedback was provided regarding the path validation logic, specifically noting that the current use of startsWith('..') could lead to false positives for files or directories with names starting with double dots. It is recommended to refine these checks by accounting for path separators to ensure more robust path resolution.
alan-agius4
added
the
action: review
alan-agius4
force-pushed
the
asset-validation
branch
6 times, most recently
from
8430535 to
db9ee2a
Compare
…ce root Ensure that asset patterns defined as objects with an 'input' property are validated to be within the workspace root. - In '@angular/build', introduce a shared 'isSubDirectory' utility and apply it to both 'normalizeAssetPatterns' and 'resolveAssets'. - In '@angular-devkit/build-angular', apply similar validation during 'normalizeAssetPatterns'. - Add and update integration and E2E tests to prevent regressions from absolute and relative path traversal attempts.
alan-agius4
force-pushed
the
asset-validation
branch
from
db9ee2a to
439f92c
Compare
clydin
approved these changes
May 21, 2026
Comment on lines
+47
to
+50
| const normalizedParent = normalize(parent); | ||
| const resolvedChild = resolve(parent, child); | ||
|
|
||
| return resolvedChild.startsWith(normalizedParent); |
Member
There was a problem hiding this comment.
Suggested change
| const normalizedParent = normalize(parent); | |
| const resolvedChild = resolve(parent, child); | |
| return resolvedChild.startsWith(normalizedParent); | |
| const resolvedParent = resolve(parent); | |
| const resolvedChild = resolve(parent, child); | |
| const relativePath = relative(resolvedParent, resolvedChild); | |
| return !relativePath.startsWith('..') && !isAbsolute(relativePath); |
Comment on lines
+29
to
+32
| if (!isSubDirectory(root, entry.input)) { | ||
| throw new Error(`The ${entry.input} asset path must be within the workspace root.`); | ||
| } | ||
|
|
Member
There was a problem hiding this comment.
This should be moved so that it can be checked on a file-by-file basis in the loop below. A glob pattern can bypass this check.
alan-agius4
added
action: merge
Collaborator
Author
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Ensure that asset patterns defined as objects with an 'input' property are validated to be within the workspace root.