Build: Fix an XSS in the test server HTML serving logic
The test server has a rule for `/tests/unit/*/*.html` paths that serves
a proper local file. However, the parameters after `/unit/` so far accepted
many characters that have special meaning, leading to possibly reading a file
from outside of the Git repository. Fix that by only accepting alphanumeric
characters, `-` or `_`.

This should resolve one CodeQL alert.

Closes gh-2309
mgol authored Oct 28, 2024
1 parent af8adca commit 85bed8d
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion tests/runner/createTestServer.js
@@ -22,7 +22,7 @@ export async function createTestServer( report ) {
} );

// Add a script tag to HTML pages to load the QUnit listeners
app.use( /\/tests\/unit\/([^/]+)\/\1\.html$/, async( req, res ) => {
app.use( /\/tests\/unit\/([a-zA-Z0-9_-]+)\/\1\.html$/, async( req, res ) => {
const html = await readFile(
`tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`,
"utf8"
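Review bot: the narrowed character class `[a-zA-Z0-9_-]+` in the `app.use(...)` regex does the job, since the captured suite name used in `req.params[ 0 ]` can no longer contain `.`, `%` or any other character that could change which directory `readFile` resolves, but the regex is still anchored only at the end (`$`), so a path with an arbitrary prefix before `/tests/unit/` also matches this route; consider adding a leading `^` so the handler only serves the intended path shape. Two small follow-ups would make the fix easier to keep: a comment above the regex stating that the allowlist is a deliberate path-traversal guard (so nobody later relaxes it back to `[^/]+`) and that the `\1` backreference intentionally requires the directory name and the file name to be identical, and a regression test that requests a suite name containing a character outside the allowlist and asserts that the handler falls through to the next middleware instead of reaching `readFile`. It is also worth confirming that no existing directory under `tests/unit/` uses a character outside `[a-zA-Z0-9_-]`, because such a page would now silently stop being served rather than fail loudly.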
