From 85bed8ddd893390fd41bd7e93d2a44a1b5d9b885 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Micha=C5=82=20Go=C5=82=C4=99biowski-Owczarek?=
Date: Mon, 28 Oct 2024 16:47:29 +0100
Subject: [PATCH] Build: Fix an XSS in the test server HTML serving logic
The test server has a rule for `/tests/unit/*/*.html` paths that serves a proper local file. However, the parameters after `/unit/` so far accepted many characters that have special meaning, leading to possibly reading a file from outside of the Git repository. Fix that by only accepting alphanumeric characters, `-` or `_`. This should resolve one CodeQL alert. Closes gh-2309
---
tests/runner/createTestServer.js | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tests/runner/createTestServer.js b/tests/runner/createTestServer.js
index 67770c71d..875e6d3b1 100644
--- a/tests/runner/createTestServer.js
+++ b/tests/runner/createTestServer.js
@@ -22,7 +22,7 @@ export async function createTestServer( report ) {
 } );
 // Add a script tag to HTML pages to load the QUnit listeners
- app.use( /\/tests\/unit\/([^/]+)\/\1\.html$/, async( req, res ) => {
+ app.use( /\/tests\/unit\/([a-zA-Z0-9_-]+)\/\1\.html$/, async( req, res ) => {
 const html = await readFile(
 `tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`,
 "utf8"
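Review bot: The tightened character class on the `+` line carries no comment saying why it is deliberately narrow, so a later edit could widen it back toward `[^/]+` without noticing that `req.params[ 0 ]` is interpolated verbatim into the `readFile` path two lines below. Suggest a comment above the `app.use(` call: `// Keep the module name to [a-zA-Z0-9_-]: req.params[ 0 ] is used as-is in the readFile path below, so dots, encoded separators and other special characters must not get through.` Separately, the pattern has `$` but no leading `^`; if Express applies a RegExp path as given, any prefix before `/tests/unit/` also matches this handler — the capture stays confined, so this is a routing-precision point rather than a security one, and `/^\/tests\/unit\/([a-zA-Z0-9_-]+)\/\1\.html$/` would pin it. Note also that the issue described (reading files outside the repository) is a path-traversal / arbitrary-file-read class rather than XSS, which is worth reflecting in the code comment so the intent of the restriction is clear. The handler body continues past the end of the hunk.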