Skip to content

fix(@angular/build): assert that asset input paths are within workspace root#33223

Open
alan-agius4 wants to merge 1 commit into
angular:20.3.xfrom
alan-agius4:asset-validation-20
Open

fix(@angular/build): assert that asset input paths are within workspace root#33223
alan-agius4 wants to merge 1 commit into
angular:20.3.xfrom
alan-agius4:asset-validation-20

Conversation

@alan-agius4
Copy link
Copy Markdown
Collaborator

@alan-agius4 alan-agius4 commented May 20, 2026

Ensure that asset patterns defined as objects with an 'input' property are validated to be within the workspace root.

  • In '@angular/build', introduce a shared 'isSubDirectory' utility and apply it to both 'normalizeAssetPatterns' and 'resolveAssets'.
  • In '@angular-devkit/build-angular', apply similar validation during 'normalizeAssetPatterns'.
  • Add integration tests to prevent regressions from absolute and relative path traversal attempts.

@alan-agius4 alan-agius4 requested review from clydin and dgp1130 May 20, 2026 09:32
@alan-agius4 alan-agius4 added action: review The PR is still awaiting reviews from at least one requested reviewer target: lts This PR is targeting a version currently in long-term support labels May 20, 2026
gemini-code-assist[bot]
gemini-code-assist Bot reviewed May 20, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces validation to ensure that asset paths are contained within the workspace root across different Angular builders. It adds a new isSubDirectory utility and implements checks in both the application and browser builders, along with corresponding unit tests. Feedback from the reviewer highlights a potential mismatch in error messages within the new test cases for string-based asset patterns. Additionally, improvements were suggested for the path validation logic to correctly handle edge cases where directory names might start with double dots and to ensure platform-specific path separators are used.

Comment thread packages/angular/build/src/builders/application/tests/options/assets_spec.ts Outdated
Comment thread packages/angular/build/src/utils/path.ts Outdated
Comment thread packages/angular/build/src/utils/path.ts Outdated
Comment thread packages/angular_devkit/build_angular/src/utils/normalize-asset-patterns.ts Outdated
@alan-agius4 alan-agius4 force-pushed the asset-validation-20 branch 4 times, most recently from f2ed9b0 to 3fbfd01 Compare May 20, 2026 11:34
@alan-agius4
fix(@angular/build): assert that asset input paths are within workspa…
f82ec6e 
…ce root

Ensure that asset patterns defined as objects with an 'input' property are validated to be within the workspace root.

- In '@angular/build', introduce a shared 'isSubDirectory' utility and apply it to 'normalizeAssetPatterns'.
- In '@angular-devkit/build-angular', apply similar validation during 'normalizeAssetPatterns'.
- Add integration tests to prevent regressions from absolute and relative path traversal attempts.
@alan-agius4 alan-agius4 force-pushed the asset-validation-20 branch from 3fbfd01 to f82ec6e Compare May 20, 2026 12:05
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@dgp1130 dgp1130 Awaiting requested review from dgp1130

@clydin clydin Awaiting requested review from clydin

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

action: review The PR is still awaiting reviews from at least one requested reviewer area: @angular/build target: lts This PR is targeting a version currently in long-term support

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@alan-agius4