
Widen turbopack chunk filename allowlist (defensive)#8018

Closed
gilluminate wants to merge 2 commits intomainfrom
gill/fix-turbopack-chunk-regex

Conversation


@gilluminate gilluminate commented Apr 23, 2026

Ticket [no-ticket]

Description Of Changes

Follow-up to #8005. The allowlist regex introduced there matched only a single alphanumeric extension after the .., so chunks like 0~9kfdw7..yey.js, 0te-shorr2._..js, and abc-123..part.min.js still tripped sanitise_url_path and got routed through the admin UI index fallback.

admin-ui has since been reverted to next build --webpack, so this regex isn't currently fixing a live bug — webpack-built chunks don't contain .. in the first place. But keeping the allowlist in shape is cheap defensive insurance for the eventual turbopack migration (once the upstream Next.js static-export issues settle down), and it plugs a gap in what #8005 claimed to cover.

Widen the trailing character class to allow word chars, dots, tildes, and hyphens on both sides of the ... The first character is still constrained to a non-dot, which keeps .., ..., ...., ..foo, foo.., and overlong-UTF-8 variants (e.g. ..\xc0) out of the allowlist and subject to the existing substring guard.

Code Changes

  • src/fides/api/main.py — widen TURBOPACK_CHUNK_RE from ^[\w~-]+\.\.[a-z]+$ to ^[\w~-][\w~.-]*\.\.[\w~.-]+$
  • tests/ops/util/test_api_router.py — add turbopack cases with dotted segments on either side of the ..

Steps to Confirm

  1. pytest tests/ops/util/test_api_router.py::TestApiRouter::test_sanitise_url_path — all cases pass (existing malicious rejections preserved, new turbopack cases accepted).
  2. Manual spot check: python -c "from fides.api.main import sanitise_url_path, MalisciousUrlException; [sanitise_url_path(p) for p in ['/_next/static/chunks/0y3j4e~tvxaz..js', '/_next/static/chunks/0~9kfdw7..yey.js', '/_next/static/chunks/0te-shorr2._..js', '/_next/static/chunks/abc-123..part.min.js']]" returns without raising.

Pre-Merge Checklist

  • Issue requirements met
  • All CI pipelines succeeded
  • CHANGELOG.md updated
    • Add a db-migration label to the entry if your change includes a DB migration
    • Add a high-risk label to the entry if your change includes a high-risk change (i.e. potential for performance impact or unexpected regression) that should be flagged
    • Updates unreleased work already in Changelog, no new entry necessary
  • UX feedback:
    • All UX related changes have been reviewed by a designer
    • No UX review needed
  • Followup issues:
    • Followup issues created — root-cause turbopack's missing _clientMiddlewareManifest.js in CI before the eventual turbopack migration
    • No followup issues
  • Database migrations:
    • Ensure that your downrev is up to date with the latest revision on main
    • Ensure that your downgrade() migration is correct and works
      • If a downgrade migration is not possible for this change, please call this out in the PR description!
    • No migrations
  • Documentation:
    • Documentation complete, PR opened in fidesdocs
    • Documentation issue created in fidesdocs
    • If there are any new client scopes created as part of the pull request, remember to update public-facing documentation that references our scope registry
    • No documentation updates required
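As an added illustration (not code from the fides repository), the two allowlist regexes quoted in the description run side by side over the chunk names and rejection cases the description lists. `is_safe_url_path` is a hypothetical stand-in for `sanitise_url_path`; its logic (any path containing `..` is rejected unless only the final segment contains it and that segment is an allowlisted chunk name) is an assumption drawn from the description, not the project's implementation.

```python
import re

# Allowlist regex before this PR (quoted from the PR description).
OLD_TURBOPACK_CHUNK_RE = re.compile(r"^[\w~-]+\.\.[a-z]+$")
# Widened allowlist regex proposed by this PR.
NEW_TURBOPACK_CHUNK_RE = re.compile(r"^[\w~-][\w~.-]*\.\.[\w~.-]+$")

# Chunk filenames quoted in the PR, plus the rejection cases it lists.
TURBOPACK_CHUNKS = [
    "0y3j4e~tvxaz..js",
    "0~9kfdw7..yey.js",
    "0te-shorr2._..js",
    "abc-123..part.min.js",
]
MUST_REJECT = ["..", "...", "....", "..foo", "foo..", "..\xc0"]


def is_turbopack_chunk(name: str, chunk_re: re.Pattern = NEW_TURBOPACK_CHUNK_RE) -> bool:
    """True if a single path segment is an allowlisted turbopack chunk name."""
    return chunk_re.fullmatch(name) is not None


def is_safe_url_path(path: str, chunk_re: re.Pattern = NEW_TURBOPACK_CHUNK_RE) -> bool:
    """Hypothetical stand-in for fides' sanitise_url_path (not the project's code).

    Assumed behaviour: any path containing ".." is rejected by the substring
    guard unless its final segment is an allowlisted chunk filename.
    """
    if ".." not in path:
        return True
    head, _, last_segment = path.rpartition("/")
    # Only the final segment may legitimately contain "..": the directory
    # components before it must be free of traversal sequences.
    return ".." not in head and is_turbopack_chunk(last_segment, chunk_re)


def accepted_chunks(chunk_re: re.Pattern) -> list[str]:
    """Which of the listed chunk names a given allowlist regex accepts."""
    return [c for c in TURBOPACK_CHUNKS if is_turbopack_chunk(c, chunk_re)]


if __name__ == "__main__":
    print("old regex accepts:", accepted_chunks(OLD_TURBOPACK_CHUNK_RE))
    print("new regex accepts:", accepted_chunks(NEW_TURBOPACK_CHUNK_RE))
    for bad in MUST_REJECT:
        assert not is_turbopack_chunk(bad), bad
    print("all listed traversal-like names still rejected by the new regex")
```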


vercel Bot commented Apr 23, 2026

The latest updates on your projects. Learn more about Vercel for GitHub.

2 Skipped Deployments
Project Deployment Actions Updated (UTC)
fides-plus-nightly Ignored Ignored Preview Apr 23, 2026 7:15pm
fides-privacy-center Ignored Ignored Apr 23, 2026 7:15pm


@gilluminate gilluminate marked this pull request as ready for review April 23, 2026 16:10
@gilluminate gilluminate requested review from a team as code owners April 23, 2026 16:10
@gilluminate gilluminate requested review from kruulik and nreyes-dev and removed request for a team April 23, 2026 16:10
@github-actions

Title          | Lines         | Statements         | Branches           | Functions
admin-ui       | Coverage: 8%  | 6.33% (2799/44163) | 5.58% (1402/25082) | 4.43% (579/13060)
fides-js       | Coverage: 78% | 78.98% (1962/2484) | 65.55% (1214/1852) | 72.57% (336/463)
privacy-center | Coverage: 88% | 85.97% (331/385)   | 81.36% (179/220)   | 78.87% (56/71)


codecov Bot commented Apr 23, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 84.96%. Comparing base (4d36209) to head (12e518e).
⚠️ Report is 3 commits behind head on main.

❌ Your project status has failed because the head coverage (84.96%) is below the target coverage (85.00%). You can increase the head coverage or adjust the target coverage.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8018      +/-   ##
==========================================
- Coverage   84.97%   84.96%   -0.01%     
==========================================
  Files         631      631              
  Lines       41239    41239              
  Branches     4787     4787              
==========================================
- Hits        35041    35038       -3     
- Misses       5113     5114       +1     
- Partials     1085     1087       +2     


gilluminate and others added 2 commits April 23, 2026 13:14
Follow-up to #8005. The turbopack allowlist regex introduced there
assumed a single alphanumeric extension after the "..", but turbopack
also emits chunks like "0~9kfdw7..yey.js" where the trailing segment
itself contains dots. The narrow regex rejected these, so the catchall
handed the browser HTML in place of JS and reproduced the same
blank-screen SyntaxError.

Widen the trailing character class to include word chars, dots, tildes,
and hyphens. The leading segment still requires at least one
alphanumeric/tilde/hyphen character, which keeps "..", "...", "....",
"..foo", "foo..", and overlong-UTF-8 variants rejected.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@gilluminate gilluminate force-pushed the gill/fix-turbopack-chunk-regex branch from 7814902 to 12e518e Compare April 23, 2026 19:14
@gilluminate gilluminate changed the title Fix Next.js 16 / turbopack admin-ui serving regressions Widen turbopack chunk filename allowlist (defensive) Apr 23, 2026
@gilluminate gilluminate marked this pull request as draft April 23, 2026 19:20
gilluminate (Contributor, Author) commented:

will address differently after more thorough research

gilluminate added a commit that referenced this pull request Apr 28, 2026
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>