Skip to content

fix(bazel/http-server): prevent directory traversal bypass in Http Server#3763

Merged
josephperrott merged 3 commits into
angular:mainfrom
josephperrott:fix/sec-http-server-traversal-7ed5a82a
Jun 8, 2026
Merged

fix(bazel/http-server): prevent directory traversal bypass in Http Server#3763
josephperrott merged 3 commits into
angular:mainfrom
josephperrott:fix/sec-http-server-traversal-7ed5a82a

Conversation

@josephperrott

@josephperrott josephperrott commented Jun 6, 2026

Copy link
Copy Markdown
Member

This PR resolves a directory traversal weakness in the HttpServer by appending path separators to root and joined paths before comparison. Vulnerability: 7ed5a82a

@josephperrott josephperrott added the action: merge The PR is ready for merge by the caretaker label Jun 6, 2026
@josephperrott josephperrott requested a review from alan-agius4 June 6, 2026 02:42
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 6, 2026
View reviewed changes

@gemini-code-assist gemini-code-assist Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces credential sanitization for child process logs and outputs to prevent token leakage, adds comprehensive tests for this sanitization, and updates the HTTP server's directory traversal check by appending path separators. Feedback on these changes highlights three key issues: first, blindly appending path.sep can cause false-positive directory traversal errors when resolving system root paths; second, converting raw buffer chunks directly to strings without setting 'utf8' encoding can corrupt multi-byte characters; and third, the sanitization regex should use * instead of + for the password group to correctly redact URLs with empty passwords.

Comment thread bazel/http-server/server.mts Outdated
Comment thread ng-dev/utils/child-process.ts Outdated
Comment thread ng-dev/utils/child-process.ts Outdated
@josephperrott josephperrott force-pushed the fix/sec-http-server-traversal-7ed5a82a branch from 08daa58 to 057a2b6 Compare June 6, 2026 14:08
@josephperrott josephperrott merged commit a037b2d into angular:main Jun 8, 2026
16 checks passed
@josephperrott

josephperrott commented Jun 8, 2026

Copy link
Copy Markdown
Member Author

This PR was merged into the repository. The changes were merged into the following branches:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alan-agius4 alan-agius4 alan-agius4 approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@josephperrott @alan-agius4