@bractjs/bractjs 0.1.0 → 0.1.6

package/src/server/static.ts

@@ -1,26 +1,42 @@
-import { join, resolve } from "node:path";
+import { join, resolve, sep } from "node:path";
+import { realpath } from "node:fs/promises";
 
 const IMMUTABLE = "public, max-age=31536000, immutable";
 const NO_CACHE = "no-cache";
 
+// Resolve to a canonical path that follows symlinks. Returns null if the
+// target doesn't exist OR escapes the given root after symlink expansion.
+async function safeRealpath(root: string, requested: string): Promise<string | null> {
+  const candidate = resolve(join(root, requested));
+  // Cheap structural reject before touching the FS.
+  if (!candidate.startsWith(root + sep) && candidate !== root) return null;
+  let real: string;
+  try {
+    real = await realpath(candidate);
+  } catch {
+    return null;
+  }
+  if (!real.startsWith(root + sep) && real !== root) return null;
+  return real;
+}
+
 /**
  * Serve hashed client assets or public/ files.
  * Returns null if the path doesn't match or the file isn't found.
- * Guards against path traversal by resolving and prefix-checking.
+ * Guards against path traversal AND symlink escape.
  */
 export async function serveStatic(
   pathname: string,
   buildDir: string,
   publicDir: string,
 ): Promise<Response | null> {
-  // Security: reject traversal sequences before any path resolution
   if (pathname.includes("..")) return null;
 
   if (pathname.startsWith("/build/client/")) {
     const rel = pathname.slice("/build/client/".length);
     const root = resolve(join(buildDir, "client"));
-    const full = resolve(join(root, rel));
-    if (!full.startsWith(root + "/") && full !== root) return null;
+    const full = await safeRealpath(root, rel);
+    if (!full) return null;
     const file = Bun.file(full);
     if (!(await file.exists())) return null;
     return new Response(file, { headers: { "Cache-Control": IMMUTABLE } });
@@ -29,8 +45,8 @@ export async function serveStatic(
   if (pathname.startsWith("/public/")) {
     const rel = pathname.slice("/public/".length);
     const root = resolve(publicDir);
-    const full = resolve(join(root, rel));
-    if (!full.startsWith(root + "/") && full !== root) return null;
+    const full = await safeRealpath(root, rel);
+    if (!full) return null;
     const file = Bun.file(full);
     if (!(await file.exists())) return null;
     return new Response(file, { headers: { "Cache-Control": NO_CACHE } });

package/templates/new-app/app/root.tsx

@@ -1,6 +1,6 @@
 // This is the root layout for your BractJS app.
 // Every route renders inside this component.
-import { Scripts, LiveReload, Outlet } from "bractjs";
+import { Scripts, LiveReload, Outlet } from "@bractjs/bractjs";
 
 export default function Root() {
   return (

package/templates/new-app/app/routes/_index.tsx

@@ -1,6 +1,6 @@
-import { useLoaderData } from "bractjs";
-import type { LoaderArgs } from "bractjs";
-import { Link } from "bractjs";
+import { useLoaderData } from "@bractjs/bractjs";
+import type { LoaderArgs } from "@bractjs/bractjs";
+import { Link } from "@bractjs/bractjs";
 
 interface HomeData {
   message: string;

package/templates/new-app/app/routes/about.tsx

@@ -1,4 +1,4 @@
-import { Link } from "bractjs";
+import { Link } from "@bractjs/bractjs";
 
 export function meta() {
   return [{ title: "About | {{APP_NAME}}" }];

package/templates/new-app/bractjs.config.ts

@@ -1,4 +1,4 @@
-import type { BractJSConfig } from "bractjs";
+import type { BractJSConfig } from "@bractjs/bractjs";
 
 const config: BractJSConfig = {
   port: 3000,

package/templates/new-app/package.json

@@ -8,7 +8,7 @@
     "start": "bractjs start"
   },
   "dependencies": {
-    "bractjs": "file:{{BRACT_PATH}}",
+    "@bractjs/bractjs": "latest",
     "react": "^19",
     "react-dom": "^19"
   },