fix(@angular/build): assert that asset input paths are within workspace root

alan-agius4 · alan-agius4 · commit b45e3e4f030e · 2026-05-20T12:06:19.000Z
Ensure that asset patterns defined as objects with an 'input' property are validated to be within the workspace root.

- In '@angular/build', introduce a shared 'isSubDirectory' utility and apply it to 'normalizeAssetPatterns'.
- In '@angular-devkit/build-angular', apply similar validation during 'normalizeAssetPatterns'.
- Add integration tests to prevent regressions from absolute and relative path traversal attempts.
diff --git a/packages/angular/build/src/builders/application/tests/options/assets_spec.ts b/packages/angular/build/src/builders/application/tests/options/assets_spec.ts
@@ -367,7 +367,29 @@ describeBuilder(buildApplication, APPLICATION_BUILDER_INFO, (harness) => {
 
         const { error } = await harness.executeOnce({ outputLogsOnException: false });
 
-        expect(error?.message).toMatch('asset path must be within the workspace root');
+        expect(error?.message).toContain('asset path must be within the workspace root');
+      });
+
+      it('fails if asset input option is outside workspace root (relative)', async () => {
+        harness.useTarget('build', {
+          ...BASE_OPTIONS,
+          assets: [{ glob: '**/*', input: '../outside', output: '.' }],
+        });
+
+        const { error } = await harness.executeOnce({ outputLogsOnException: false });
+
+        expect(error?.message).toContain('asset path must be within the workspace root');
+      });
+
+      it('fails if asset input option is outside workspace root (absolute)', async () => {
+        harness.useTarget('build', {
+          ...BASE_OPTIONS,
+          assets: [{ glob: '**/*', input: '/tmp/outside-workspace', output: '.' }],
+        });
+
+        const { error } = await harness.executeOnce({ outputLogsOnException: false });
+
+        expect(error?.message).toContain('asset path must be within the workspace root');
       });
 
       it('fails if output option is not within project output path', async () => {
diff --git a/packages/angular/build/src/utils/normalize-asset-patterns.ts b/packages/angular/build/src/utils/normalize-asset-patterns.ts
@@ -10,6 +10,7 @@ import assert from 'node:assert';
 import { statSync } from 'node:fs';
 import * as path from 'node:path';
 import { AssetPattern, AssetPatternClass } from '../builders/application/schema';
+import { isSubDirectory } from './path';
 
 export function normalizeAssetPatterns(
   assetPatterns: AssetPattern[],
@@ -70,6 +71,10 @@ export function normalizeAssetPatterns(
 
       assetPattern = { glob, input, output };
     } else {
+      if (!isSubDirectory(workspaceRoot, assetPattern.input)) {
+        throw new Error(`The ${assetPattern.input} asset path must be within the workspace root.`);
+      }
+
       assetPattern.output = path.join('.', assetPattern.output ?? '');
     }
 
diff --git a/packages/angular/build/src/utils/path.ts b/packages/angular/build/src/utils/path.ts
@@ -6,7 +6,7 @@
  * found in the LICENSE file at https://angular.dev/license
  */
 
-import { posix } from 'node:path';
+import { normalize, posix, resolve } from 'node:path';
 import { platform } from 'node:process';
 
 const WINDOWS_PATH_SEPERATOR_REGEXP = /\\/g;
@@ -35,3 +35,17 @@ const WINDOWS_PATH_SEPERATOR_REGEXP = /\\/g;
 export function toPosixPath(path: string): string {
   return platform === 'win32' ? path.replace(WINDOWS_PATH_SEPERATOR_REGEXP, posix.sep) : path;
 }
+
+/**
+ * Determines if a path is a subdirectory or file within a parent directory.
+ *
+ * @param parent - The parent directory path.
+ * @param child - The child path to check.
+ * @returns `true` if the child path is within the parent directory, `false` otherwise.
+ */
+export function isSubDirectory(parent: string, child: string): boolean {
+  const normalizedParent = normalize(parent);
+  const resolvedChild = resolve(parent, child);
+
+  return resolvedChild.startsWith(normalizedParent);
+}
diff --git a/packages/angular_devkit/build_angular/src/builders/browser/tests/options/assets_spec.ts b/packages/angular_devkit/build_angular/src/builders/browser/tests/options/assets_spec.ts
@@ -359,6 +359,28 @@ describeBuilder(buildWebpackBrowser, BROWSER_BUILDER_INFO, (harness) => {
         harness.expectFile('dist/subdirectory/test.svg').content.toBe('<svg></svg>');
       });
 
+      it('fails if asset input option is outside workspace root (relative)', async () => {
+        harness.useTarget('build', {
+          ...BASE_OPTIONS,
+          assets: [{ glob: '**/*', input: '../outside', output: '.' }],
+        });
+
+        const { result } = await harness.executeOnce();
+
+        expect(result?.error).toMatch('asset path must be within the workspace root');
+      });
+
+      it('fails if asset input option is outside workspace root (absolute)', async () => {
+        harness.useTarget('build', {
+          ...BASE_OPTIONS,
+          assets: [{ glob: '**/*', input: '/tmp/outside-workspace', output: '.' }],
+        });
+
+        const { result } = await harness.executeOnce();
+
+        expect(result?.error).toMatch('asset path must be within the workspace root');
+      });
+
       it('fails if output option is not within project output path', async () => {
         await harness.writeFile('test.svg', '<svg></svg>');
 
diff --git a/packages/angular_devkit/build_angular/src/utils/normalize-asset-patterns.ts b/packages/angular_devkit/build_angular/src/utils/normalize-asset-patterns.ts
@@ -68,6 +68,11 @@ export function normalizeAssetPatterns(
 
       assetPattern = { glob, input, output };
     } else {
+      const resolvedInput = path.resolve(workspaceRoot, assetPattern.input);
+      if (!resolvedInput.startsWith(workspaceRoot)) {
+        throw new Error(`The ${assetPattern.input} asset path must be within the workspace root.`);
+      }
+
       assetPattern.output = path.join('.', assetPattern.output ?? '');
     }
 
