authorGravatar Jarred Sumner <jarred@jarredsumner.com> 2021-09-22 16:19:16 -0700
committerGravatar Jarred Sumner <jarred@jarredsumner.com> 2021-09-22 16:19:16 -0700
commite00c1e99d67ff6224dcfb783c84ced9896537cb0 (patch)
tree1a21c91ea69ec5a49c21ec82b5854d5bde4e7f14 /src/options.zig
parent39323b46ba9516c6c15df05eae3fe8afa5800958 (diff)
Allow URLs containing absolute filepaths in imports if they match specific file extensions
This is to support ../../ imports. Allowlisting to specific file extensions prevents common webserver security vulnerabilities like reading /etc/passwd.
Diffstat (limited to 'src/options.zig')
-rw-r--r--src/options.zig9
1 files changed, 8 insertions, 1 deletions
diff --git a/src/options.zig b/src/options.zig
index 937e6a5aa..83901403c 100644
--- a/src/options.zig
+++ b/src/options.zig
@@ -1104,7 +1104,14 @@ pub const BundleOptions = struct {
opts.node_modules_bundle = node_module_bundle;
if (opts.origin.isAbsolute()) {
- opts.node_modules_bundle_url = try opts.origin.joinAlloc(allocator, "", "", node_module_bundle.bundle.import_from_name, "");
+ opts.node_modules_bundle_url = try opts.origin.joinAlloc(
+ allocator,
+ "",
+ "",
+ node_module_bundle.bundle.import_from_name,
+ "",
+ "",
+ );
opts.node_modules_bundle_pretty_path = opts.node_modules_bundle_url[opts.node_modules_bundle_url.len - node_module_bundle.bundle.import_from_name.len - 1 ..];
} else {
opts.node_modules_bundle_pretty_path = try allocator.dupe(u8, pretty_path);
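Review bot: The slice that sets `node_modules_bundle_pretty_path` right after the call stays correct only if `joinAlloc` appends nothing for the new trailing `""`, and nothing in the hunk states that. With five positional string arguments, four of them empty, a reader cannot tell which one is the new parameter or why it is empty here; a comment such as `// trailing "" is the joinAlloc parameter added in this commit; deliberately empty, the bundle URL is built from import_from_name only` would pin that down, assuming that is the intent. The extension allowlist the commit message relies on is not in this file's diff, so it is worth confirming that an empty value skips that check rather than matching it. The enclosing function starts and ends outside the hunk.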