Skip to content

Validate bundle stays within output dir#6277

Merged
lukastaegert merged 1 commit intobackports-rollup-2from
backport-prevent-path-traversal-rollup-2
Feb 22, 2026
Merged

Validate bundle stays within output dir#6277
lukastaegert merged 1 commit intobackports-rollup-2from
backport-prevent-path-traversal-rollup-2

Conversation

@lukastaegert
Copy link
Member

@lukastaegert lukastaegert commented Feb 21, 2026

This PR contains:

  • bugfix
  • feature
  • refactor
  • documentation
  • other

Are tests included?

  • yes (bugfixes and features will not be merged without tests)
  • no

Breaking Changes?

  • yes (breaking changes will not be merged unless absolutely necessary)
  • no

List any relevant issue numbers:

Description

This is the backport of #6275 for Rollup 2

Copilot AI review requested due to automatic review settings February 21, 2026 12:09
@vercel
Copy link

vercel bot commented Feb 21, 2026
edited
Loading

The latest updates on your projects. Learn more about Vercel for GitHub.

Project Deployment Actions Updated (UTC)
rollup Error Error Feb 21, 2026 7:05pm

Request Review

Copilot AI reviewed Feb 21, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR is a backport of #6275 to Rollup 2, adding validation to prevent path traversal attacks in output file names. The change ensures that bundle file names cannot escape the designated output directory using ".." path segments or other directory traversal techniques, which has security implications for build systems.

Changes:

  • Added validation function to check all output bundle file names stay within the output directory
  • Implemented browser-compatible join function and refactored resolve function to use shared path normalization logic
  • Added comprehensive test coverage for both valid and invalid file name scenarios

Reviewed changes

Copilot reviewed 21 out of 21 changed files in this pull request and generated no comments.

Show a summary per file
File Description
src/Bundle.ts Adds validateOutputBundleFileNames function that validates all bundle file names after generation and imports join from path utilities
src/utils/error.ts Adds new error code FILE_NAME_OUTSIDE_OUTPUT_DIRECTORY and error generator function
src/utils/path.ts Exports join function from Node's path module
browser/path.ts Implements browser-compatible join function and refactors resolve to use shared normalizePathSegments helper
test/function/samples/file-name-subdirectory-is-valid/* Tests that subdirectories within output directory are allowed
test/function/samples/file-name-mid-path-up-then-down-is-valid/* Tests that ".." segments that normalize within output directory are allowed
test/function/samples/file-name-leading-dot-slash-is-valid/* Tests that leading "./" prefixes are allowed
test/function/samples/error-file-name-path-traversal/* Tests that path traversal via entryFileNames is rejected
test/function/samples/error-file-name-path-traversal-plugin/* Tests that path traversal via plugin-added files is rejected
test/function/samples/error-file-name-dot/* Tests that "." as a file name is rejected
test/function/samples/error-file-name-dot-dot/* Tests that ".." as a file name is rejected
test/function/samples/error-file-name-deep-traversal/* Tests that deep path traversal attempts are rejected
test/browser/samples/error-file-name-path-traversal/* Browser test for path traversal rejection

@lukastaegert lukastaegert force-pushed the backport-prevent-path-traversal-rollup-2 branch from 289d2e0 to 26dcf75 Compare February 21, 2026 13:11
@lukastaegert lukastaegert requested a review from Copilot February 21, 2026 13:13
Copilot AI reviewed Feb 21, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 23 out of 23 changed files in this pull request and generated no new comments.

@lukastaegert lukastaegert force-pushed the backport-prevent-path-traversal-rollup-2 branch from 26dcf75 to 0d7a828 Compare February 21, 2026 14:27
@lukastaegert lukastaegert force-pushed the backport-prevent-path-traversal-rollup-2 branch from 0d7a828 to d6df495 Compare February 21, 2026 14:30
@lukastaegert lukastaegert requested a review from Copilot February 21, 2026 14:30
Copilot AI reviewed Feb 21, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 24 out of 24 changed files in this pull request and generated 3 comments.

@lukastaegert lukastaegert force-pushed the backport-prevent-path-traversal-rollup-2 branch from d6df495 to a09fb31 Compare February 21, 2026 16:04
@lukastaegert lukastaegert requested a review from Copilot February 21, 2026 16:07
Copilot AI reviewed Feb 21, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 29 out of 29 changed files in this pull request and generated 3 comments.

@lukastaegert
Validate bundle stays within output dir
15bcf48 
When a file would leave the output dir, an error is thrown.

# Conflicts:
#	src/Bundle.ts
#	src/utils/logs.ts
#	src/utils/path.ts
@lukastaegert lukastaegert force-pushed the backport-prevent-path-traversal-rollup-2 branch from a09fb31 to 15bcf48 Compare February 21, 2026 19:04
@lukastaegert lukastaegert requested a review from Copilot February 21, 2026 19:05
Copilot AI reviewed Feb 21, 2026
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 33 out of 33 changed files in this pull request and generated no new comments.

@lukastaegert lukastaegert merged commit 146eb9a into backports-rollup-2 Feb 22, 2026
7 of 20 checks passed
@lukastaegert lukastaegert deleted the backport-prevent-path-traversal-rollup-2 branch February 22, 2026 05:59
lukastaegert added a commit that referenced this pull request Feb 22, 2026
@lukastaegert
Validate bundle stays within output dir (#6277)
d6dee5e 
When a file would leave the output dir, an error is thrown.

# Conflicts:
#	src/Bundle.ts
#	src/utils/logs.ts
#	src/utils/path.ts
@github-actions github-actions bot mentioned this pull request Feb 28, 2026
Merged
@greptile-apps greptile-apps bot mentioned this pull request Feb 28, 2026
Open
@github-actions github-actions bot mentioned this pull request Mar 2, 2026
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@lukastaegert