Build: Fix an XSS in the test server HTML serving logic
The test server has a rule for `/tests/unit/*/*.html` paths that serves
a proper local file. However, the parameters after `/unit/` were so far not
escaped, leading to possibly reading a file from outside of the Git repository.
Fix that by replacing non-alphanumeric characters that are also not `-` or `_`.

This should resolve one CodeQL alert.
mgol committed Oct 25, 2024
1 parent 49bb397 commit fba692e
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion tests/runner/createTestServer.js
@@ -23,8 +23,9 @@ export async function createTestServer( report ) {

// Add a script tag to HTML pages to load the QUnit listeners
app.use( /\/tests\/unit\/([^/]+)\/\1\.html$/, async( req, res ) => {
const moduleEscaped = req.params[ 0 ].replace( /[^a-z0-9_-]/gi, "" );
const html = await readFile(
`tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`,
`tests/unit/${ moduleEscaped }/${ moduleEscaped }.html`,

[CodeQL annotation on this line: Check failure, Code scanning / CodeQL, "Uncontrolled data used in path expression" (High, test): this path depends on a user-provided value.]
"utf8"
);
res.send(
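Review bot: the allow-list `replace` silently rewrites the module name instead of rejecting it, so a request whose captured segment contains characters outside `[a-z0-9_-]` (the dots of a `..` segment, for example) is served from whatever path remains after stripping rather than getting a 404; failing closed would be clearer, e.g. comparing `moduleEscaped` against `req.params[ 0 ]` and returning early on mismatch with `if ( moduleEscaped !== req.params[ 0 ] ) { res.sendStatus( 404 ); return; }` before the `readFile` call (assuming Express, as `res.send` suggests). Also, the commit title calls this an XSS, but the commit description (reading a file from outside the Git repository) and the CodeQL alert ("Uncontrolled data used in path expression") describe path traversal; correcting the title would make the fix searchable under the right vulnerability class.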

0 comments on commit fba692e
