Skip to content

fix(@angular/build): prevent deleting parent directories of project root #32873

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
pradhankukiran wants to merge 5 commits into
base: main
Choose a base branch
from
Open

fix(@angular/build): prevent deleting parent directories of project root #32873

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
5 commits
Select commit Hold shift + click to select a range
4886930
fix(@angular/build): prevent deleting parent directories of project root
pradhankukiran Mar 27, 2026
6c745cc
fixup! fix(@angular/build): prevent deleting parent directories of pr…
pradhankukiran Mar 27, 2026
a2b1fab
fixup! fix(@angular/build): prevent deleting parent directories of pr…
alan-agius4 Mar 27, 2026
9d3f5d4
fix(@angular/build): handle Windows absolute paths in output dir check
pradhankukiran Mar 27, 2026
3a6d97a
fixup! fix(@angular/build): prevent deleting parent directories of pr…
pradhankukiran Mar 27, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
Prev Previous commit
Next Next commit
fixup! fix(@angular/build): prevent deleting parent directories of pr… 
…oject root
  • Loading branch information
@alan-agius4
alan-agius4 committed Mar 27, 2026
commit a2b1fabab26449111761b0cbfe684b27d749178a
2 changes: 1 addition & 1 deletion packages/angular/build/src/utils/delete-output-dir.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,7 @@ export async function deleteOutputDir(
const relativePath = relative(resolvedOutputPath, root);
Copy link
Copy Markdown
Collaborator

@alan-agius4 alan-agius4 Mar 27, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

NIT: I think this can be slightly simplified, made easier to follow and also make the errors more actionable.

const resolvedOutputPath = resolve(root, outputPath);
if (resolvedOutputPath === root) {
  throw new Error("Output path MUST not be workspace root directory.");
}

if (!isAbsolute(outputPath) && !resolvedOutputPath.startsWith(root)) {
  throw new Error(
    `Output path "${resolvedOutputPath}" must NOT be a parent of the workspace root directory via relative paths.`
  );
}

Copy link
Copy Markdown
Author

@pradhankukiran pradhankukiran Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for the suggestion! I think there might be a couple of edge cases with this approach:

  1. Absolute ancestors are not caught — deleteOutputDir('/home/user/project', '/home') skips the second check because isAbsolute('/home') is true, so the ancestor /home is silently allowed.
  2. Relative sibling paths are incorrectly blocked — deleteOutputDir('/home/user/project', '../sibling/dist') resolves to /home/user/sibling/dist, which doesn't start with root, so it throws even though it's not an ancestor.

The relative() approach handles both of these because it directly answers "is root inside the output path?" regardless of how the path was specified.

Copy link
Copy Markdown
Collaborator

@alan-agius4 alan-agius4 Mar 27, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The second one should be blocked as it’s outside of the workspace IMHO, and the first one should be allowed as it’s absolute.

if (!relativePath || !relativePath.startsWith('..')) {
throw new Error(
`Output path "${resolvedOutputPath}" MUST not be the project root directory or a parent of it.`,
`Output path "${resolvedOutputPath}" MUST not be the project root directory or its parent.`,
);
}

Expand Down
6 changes: 3 additions & 3 deletions packages/angular/build/src/utils/delete-output-dir_spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,19 +20,19 @@ describe('deleteOutputDir', () => {

it('should throw when output path is the project root', async () => {
await expectAsync(deleteOutputDir(root, '.')).toBeRejectedWithError(
/MUST not be the project root directory or a parent of it/,
/MUST not be the project root directory or its parent/,
);
});

it('should throw when output path is a parent of the project root', async () => {
await expectAsync(deleteOutputDir(root, '..')).toBeRejectedWithError(
/MUST not be the project root directory or a parent of it/,
/MUST not be the project root directory or its parent/,
);
});

it('should throw when output path is a grandparent of the project root', async () => {
await expectAsync(deleteOutputDir(root, '../..')).toBeRejectedWithError(
/MUST not be the project root directory or a parent of it/,
/MUST not be the project root directory or its parent/,
);
});

Expand Down
Loading