Fix regex injection in asset folder path matching#788

Merged: kyoshino merged 1 commit into sveltia:main from m1n9yu3:security/escape-asset-folder-regex on Jun 7, 2026

Conversation

m1n9yu3 (Contributor) commented Jun 7, 2026

Summary

This change escapes configured asset folder paths before compiling them into regular expressions. Template placeholders such as {{slug}} still work as intended, but ordinary path characters like (, +, [, ], and . are now treated literally.

The patch also replaces \b with a path segment boundary lookahead, because \b does not correctly represent folder boundaries when a path segment ends with a non-word character.

Security note

Repository-controlled asset folder configuration should not be interpreted as arbitrary regular expression syntax during asset path lookup.

Verification

npx vitest run src/lib/services/assets/folders.test.js src/lib/services/config/folders/assets.test.js
2 test files passed, 131 tests passed.

npx eslint src/lib/services/assets/folders.js src/lib/services/assets/folders.test.js
passed

@m1n9yu3 m1n9yu3 requested a review from kyoshino as a code owner June 7, 2026 06:23

kyoshino (Member) left a comment:

LGTM. Thanks!

@kyoshino kyoshino merged commit 792d125 into sveltia:main Jun 7, 2026
kyoshino added a commit that referenced this pull request Jun 7, 2026
n-000000 pushed a commit to n-000000/sveltia-cms that referenced this pull request Jun 9, 2026
n-000000 pushed a commit to n-000000/sveltia-cms that referenced this pull request Jun 9, 2026