Skip to content

fix(ui): possible security issue with email file access#3534

Merged
gabrielmfern merged 2 commits into
canaryfrom
feature/dev-794-codeql-jspath-injection-in-react-email-285
May 25, 2026
Merged

fix(ui): possible security issue with email file access#3534
gabrielmfern merged 2 commits into
canaryfrom
feature/dev-794-codeql-jspath-injection-in-react-email-285

Conversation

@gabrielmfern
Copy link
Copy Markdown
Member

@gabrielmfern gabrielmfern commented May 25, 2026
edited by cubic-dev-ai Bot
Loading

Summary by cubic

Blocks path traversal in the preview server by rejecting email paths that resolve outside the configured emails directory. Addresses Linear DEV-794 and the CodeQL js/path-injection alert.

  • Bug Fixes
    • Added isPathWithinEmailsDirectory to validate paths using realpath; blocks ../ escapes, absolute paths, symlink escapes; fails closed if REACT_EMAIL_INTERNAL_EMAILS_DIR_ABSOLUTE_PATH is unset.
    • Guarded renderEmailByPath to return an error when the path is outside the emails directory.
    • Wrapped returns in getEmailPathFromSlug so only in-root files are returned; otherwise undefined.
    • Expanded tests for traversal, symlink, and env-var cases; added checks that paths outside the configured directory are rejected.

Written for commit 03bea3c. Summary will update on new commits. Review in cubic

@gabrielmfern
fix(ui): possible security issue with email file access
3722e95 
Signed-off-by: gabriel miranda <gabriel@resend.com>
@gabrielmfern gabrielmfern self-assigned this May 25, 2026
@changeset-bot
Copy link
Copy Markdown

changeset-bot Bot commented May 25, 2026
edited
Loading

🦋 Changeset detected

Latest commit: 03bea3c

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 3 packages
Name Type
@react-email/ui Patch
react-email Patch
@react-email/editor Patch

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

@vercel
Copy link
Copy Markdown
Contributor

vercel Bot commented May 25, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
react-email Ready Ready Preview, Comment May 25, 2026 12:35pm
react-email-demo Ready Ready Preview, Comment May 25, 2026 12:35pm

Request Review

@pkg-pr-new
Copy link
Copy Markdown

pkg-pr-new Bot commented May 25, 2026
edited
Loading

Open in StackBlitz

npm i https://pkg.pr.new/@react-email/ui@3534

commit: 03bea3c

@gabrielmfern
lint
03bea3c 
Signed-off-by: gabriel miranda <gabriel@resend.com>
cubic-dev-ai[bot]
cubic-dev-ai Bot reviewed May 25, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

@cubic-dev-ai cubic-dev-ai Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

0 issues found across 1 file (changes from recent commits).

Requires human review: This PR implements a security guard against path traversal in file access functions, and although the implementation appears correct and includes comprehensive tests, security-sensitive changes should be reviewed by a human to ensure there are no edge cases or bypasses that could lead to...

Re-trigger cubic

@gabrielmfern gabrielmfern merged commit 86745ec into canary May 25, 2026
16 of 18 checks passed
@gabrielmfern gabrielmfern deleted the feature/dev-794-codeql-jspath-injection-in-react-email-285 branch May 25, 2026 12:35
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@cubic-dev-ai cubic-dev-ai[bot] cubic-dev-ai[bot] left review comments

@felipefreitag felipefreitag felipefreitag approved these changes

@dielduarte dielduarte Awaiting requested review from dielduarte

Assignees

@gabrielmfern gabrielmfern

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@gabrielmfern @felipefreitag