Prevent path traversal in module resolution (#1353)

ije · web-flow · commit 962ee4f0ba1d · 2026-05-06T13:15:54.000+08:00
diff --git a/server/build.go b/server/build.go
@@ -728,6 +728,10 @@ func (ctx *BuildContext) buildModule(analyzeMode bool) (meta *BuildMeta, include
 							}
 
 							filename = path.Join(ctx.wd, "node_modules", ctx.esmPath.PkgName, modulePath)
+							// check if the filename is within the working directory
+							if !strings.HasPrefix(filename, ctx.wd+string(os.PathSeparator)) {
+								return esbuild.OnResolveResult{}, fmt.Errorf("could not resolve module %s", specifier)
+							}
 
 							// split the module that includes `export * from "external"` statement
 							if entry.module && len(pkgJson.Dependencies)+len(pkgJson.PeerDependencies) > 0 && args.Kind == esbuild.ResolveJSImportStatement {

Original file line number	Diff line number	Diff line change
`@@ -728,6 +728,10 @@ func (ctx BuildContext) buildModule(analyzeMode bool) (meta BuildMeta, include`
`728`	`728`	`}`
`729`	`729`
`730`	`730`	`filename = path.Join(ctx.wd, "node_modules", ctx.esmPath.PkgName, modulePath)`
	`731`	`+ // check if the filename is within the working directory`
	`732`	`+ if !strings.HasPrefix(filename, ctx.wd+string(os.PathSeparator)) {`
	`733`	`+ return esbuild.OnResolveResult{}, fmt.Errorf("could not resolve module %s", specifier)`
	`734`	`+ }`
`731`	`735`
`732`	`736`	// split the module that includes `export * from "external"` statement
`733`	`737`	`if entry.module && len(pkgJson.Dependencies)+len(pkgJson.PeerDependencies) > 0 && args.Kind == esbuild.ResolveJSImportStatement {`