fix(security): do not allow to read files above#1779

alexander-akait · 2024-03-20T15:15:27Z

This PR contains a:

Motivation / Use-Case

security fix

Breaking Changes

No

Additional Info

No

megagreg72 · 2024-03-25T15:41:40Z

+      // ".." is malicious
+      if (UP_PATH_REGEXP.test(path.normalize(`./${pathname}`))) {
+        // eslint-disable-next-line no-param-reassign
+        extra.errorCode = 403;


This is the key change, right?

jkeys089 · 2024-03-25T20:37:33Z

@alexander-akait is there any plan to backport this fix to v4? We have a project still on Nuxt 2 / Webpack 4.

alexander-akait · 2024-03-26T09:19:32Z

@jkeys089 Webpack 4 is deprecated, so if you want to do it, feel free to send a PR and I will make a release

fix(security): do not allow to read files above

604633d

alexander-akait requested review from hiroppy and snitin315 as code owners March 20, 2024 15:15

alexander-akait merged commit 189c4ac into version-5 Mar 20, 2024

alexander-akait deleted the fix-security branch March 20, 2024 15:15

Omrisnyk mentioned this pull request Mar 22, 2024

[Snyk] Fix for 1 vulnerabilities Omrisnyk/npm-lockfiles#149

Open

justinclift mentioned this pull request Mar 24, 2024

Bump webpack-dev-middleware from 5.3.3 to 5.3.4 getredash/redash#6829

Merged

megagreg72 reviewed Mar 25, 2024

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

fix(security): do not allow to read files above#1779