Build: Fix an XSS in the test server HTML serving logic
The test server has a rule for `/tests/unit/*/*.html` paths that serves a proper local file. However, the parameters after `/unit/` so far accepted many characters that have special meaning, possibly allowing a file from outside of the Git repository to be read. Fix that by only accepting alphanumeric characters, `-` or `_`. This should resolve one CodeQL alert. Closes gh-2309
This commit is contained in:
parent
af8adca548
commit
85bed8ddd8
@ -22,7 +22,7 @@ export async function createTestServer( report ) {
} );
} );
// Add a script tag to HTML pages to load the QUnit listeners
// Add a script tag to HTML pages to load the QUnit listeners
app.use( /\/tests\/unit\/([^/]+)\/\1\.html$/, async( req, res ) => {
app.use( /\/tests\/unit\/([a-zA-Z0-9_-]+)\/\1\.html$/, async( req, res ) => {
const html = await readFile(
const html = await readFile(
`tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`,
`tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`,
"utf8"
"utf8"