
base-compiler.js: acknowledge checkSource weakness

1 parent 342a87e commit f6ab7fe3737b8e7aebc63b239ba495d5640e285c @amonakov amonakov committed on GitHub Jan 11, 2017
Showing with 4 additions and 0 deletions.
  1. +4 −0 lib/base-compiler.js
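--- a/lib/base-compiler.js
+++ b/lib/base-compiler.js
@@ -237,6 +237,10 @@ Compile.prototype.checkOptions = function (options) {
 return null;
 };
+// This check for arbitrary user-controlled preprocessor inclusions
+// can be circumvented in more than one way. The goal here is to respond
+// to simple attempts with a clear diagnostic; the service still needs to
+// assume that malicious actors can make the compiler open arbitrary files.
 Compile.prototype.checkSource = function (source) {
 var re = /^\s*#\s*i(nclude|mport)(_next)?\s+["<"](\/|.*\.\.)/;
 var failed = [];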
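Review bot: The new comment above `checkSource` says the regex is not a reliable barrier, but it does not say which control actually confines the compiler's file access. A maintainer reading it still cannot tell where the real boundary is enforced or whether one exists. I would add a closing line such as `// NOTE: not a security boundary; confinement of file access must come from the execution sandbox, not from this regex.` and, if the project documents its isolation setup, point to that document. Nothing in this hunk shows how the compiler process is isolated, so that is worth confirming before relying on the wording. The body of `checkSource` continues outside the hunk.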
