fix uncontrolled data used in path expression loader-transform #1519

Open
wants to merge 1 commit into
base: main

@odaysec odaysec commented Jun 27, 2025

```js
file = (await fs.promises.readFile(loaderFilePath)).toString()
```

```js
const loader = request.query.loader || testServer.config.loader
return path.join(
  webpath ? '/build/' : paths.builtAssetsDir,
  `nr-loader-${loader}.min.js`
)
```

Accessing files using paths constructed from user-controlled data can allow an attacker to access unexpected resources. This can result in sensitive information being revealed or deleted, or an attacker being able to influence behavior by modifying unexpected files.

To fix the loader-transform:feat, we need to validate and sanitize the loader value before using it to construct the file path. Since the loader value is used to determine a specific file name, we can use an allowlist approach to restrict it to a predefined set of valid loader names. This ensures that only expected and safe file paths are constructed.

  1. Define an allowlist of valid loader names (e.g., ['default', 'custom']).
  2. Validate the loader value against this allowlist in the getLoaderFilePath function.
  3. If the loader value is invalid, throw an error or use a default value.
