@commercetools-frontend/application-config 27.5.1 → 27.5.2

package/dist/commercetools-frontend-application-config.cjs.dev.js

@@ -267,41 +267,59 @@ const substituteFilePathVariablePlaceholder = (valueOfPlaceholder, matchedString
   const _valueOfPlaceholder$s5 = valueOfPlaceholder.split(':'),
     _valueOfPlaceholder$s6 = _slicedToArray(_valueOfPlaceholder$s5, 2),
     filePathOrModule = _valueOfPlaceholder$s6[1];
+
+  // Security check: Prevent path traversal attacks.
+  // Two strategies depending on whether the specifier is a bare module name
+  // (e.g. "@scope/pkg/file.svg") or a relative/absolute path (e.g. "./app.svg").
+  const isModuleName = !_startsWithInstanceProperty__default["default"](filePathOrModule).call(filePathOrModule, '.') && !_startsWithInstanceProperty__default["default"](filePathOrModule).call(filePathOrModule, '/');
+  if (isModuleName) {
+    // Bare module specifiers are resolved by require.resolve through
+    // node_modules, linked packages, or Yarn PnP — all legitimate locations
+    // that may be outside the workspace root (e.g. hoisted deps in CI).
+    // We skip the workspace root check for these, but we must block ".."
+    // segments in the specifier itself — those are the only way to make
+    // require.resolve escape module directories and reach arbitrary files
+    // (e.g. "some-pkg/../../../../etc/passwd" resolves through node_modules
+    // to /etc/passwd).
+    const normalizedSpecifier = path__default$1["default"].posix.normalize(filePathOrModule);
+    if (_startsWithInstanceProperty__default["default"](normalizedSpecifier).call(normalizedSpecifier, '..')) {
+      throw new Error(`Path traversal in module specifiers is not allowed: ${filePathOrModule}`);
+    }
+  }
   const resolvedPath = require.resolve(filePathOrModule, {
     paths: [loadingOptions.applicationPath]
   });
-
-  // Security check: Prevent path traversal attacks.
-  // require.resolve() already provides protection by only resolving modules
-  // accessible from the applicationPath. However, we add an extra layer to
-  // prevent access to sensitive system files outside the workspace.
   const normalizedPath = path__default$1["default"].normalize(resolvedPath);
-  const applicationPath = path__default$1["default"].normalize(loadingOptions.applicationPath);
+  if (!isModuleName) {
+    // For relative/absolute paths, verify the resolved path is within the
+    // workspace root. require.resolve() already provides some protection by
+    // only resolving from applicationPath, but we add an extra layer to
+    // prevent access to sensitive system files outside the workspace.
+    const applicationPath = path__default$1["default"].normalize(loadingOptions.applicationPath);
 
-  // Find workspace root by traversing up from applicationPath until we find
-  // package.json, pnpm-workspace.yaml, or reach root
-  let workspaceRoot = applicationPath;
-  let currentPath = applicationPath;
-  const rootPath = path__default$1["default"].parse(currentPath).root;
-  while (currentPath !== rootPath) {
-    const hasPackageJson = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'package.json'));
-    const hasWorkspaceConfig = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'pnpm-workspace.yaml')) || fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'lerna.json'));
-    if (hasPackageJson) {
-      workspaceRoot = currentPath;
-      if (hasWorkspaceConfig) {
-        // Found workspace root
-        break;
+    // Find workspace root by traversing up from applicationPath until we find
+    // package.json, pnpm-workspace.yaml, or reach root
+    let workspaceRoot = applicationPath;
+    let currentPath = applicationPath;
+    const rootPath = path__default$1["default"].parse(currentPath).root;
+    while (currentPath !== rootPath) {
+      const hasPackageJson = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'package.json'));
+      const hasWorkspaceConfig = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'pnpm-workspace.yaml')) || fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'lerna.json'));
+      if (hasPackageJson) {
+        workspaceRoot = currentPath;
+        if (hasWorkspaceConfig) {
+          // Found workspace root
+          break;
+        }
       }
+      currentPath = path__default$1["default"].dirname(currentPath);
+    }
+    const relativePath = path__default$1["default"].relative(workspaceRoot, normalizedPath);
+    // Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
+    const isSafePath = !_startsWithInstanceProperty__default["default"](relativePath).call(relativePath, '..') && !path__default$1["default"].isAbsolute(relativePath);
+    if (!isSafePath) {
+      throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
     }
-    currentPath = path__default$1["default"].dirname(currentPath);
-  }
-  const relativePath = path__default$1["default"].relative(workspaceRoot, normalizedPath);
-
-  // Path is safe if it's within the workspace root.
-  // Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
-  const isSafePath = !_startsWithInstanceProperty__default["default"](relativePath).call(relativePath, '..') && !path__default$1["default"].isAbsolute(relativePath);
-  if (!isSafePath) {
-    throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
   }
   const content = fs__default$1["default"].readFileSync(normalizedPath, {
     encoding: 'utf-8'

package/dist/commercetools-frontend-application-config.cjs.prod.js

@@ -267,41 +267,59 @@ const substituteFilePathVariablePlaceholder = (valueOfPlaceholder, matchedString
   const _valueOfPlaceholder$s5 = valueOfPlaceholder.split(':'),
     _valueOfPlaceholder$s6 = _slicedToArray(_valueOfPlaceholder$s5, 2),
     filePathOrModule = _valueOfPlaceholder$s6[1];
+
+  // Security check: Prevent path traversal attacks.
+  // Two strategies depending on whether the specifier is a bare module name
+  // (e.g. "@scope/pkg/file.svg") or a relative/absolute path (e.g. "./app.svg").
+  const isModuleName = !_startsWithInstanceProperty__default["default"](filePathOrModule).call(filePathOrModule, '.') && !_startsWithInstanceProperty__default["default"](filePathOrModule).call(filePathOrModule, '/');
+  if (isModuleName) {
+    // Bare module specifiers are resolved by require.resolve through
+    // node_modules, linked packages, or Yarn PnP — all legitimate locations
+    // that may be outside the workspace root (e.g. hoisted deps in CI).
+    // We skip the workspace root check for these, but we must block ".."
+    // segments in the specifier itself — those are the only way to make
+    // require.resolve escape module directories and reach arbitrary files
+    // (e.g. "some-pkg/../../../../etc/passwd" resolves through node_modules
+    // to /etc/passwd).
+    const normalizedSpecifier = path__default$1["default"].posix.normalize(filePathOrModule);
+    if (_startsWithInstanceProperty__default["default"](normalizedSpecifier).call(normalizedSpecifier, '..')) {
+      throw new Error(`Path traversal in module specifiers is not allowed: ${filePathOrModule}`);
+    }
+  }
   const resolvedPath = require.resolve(filePathOrModule, {
     paths: [loadingOptions.applicationPath]
   });
-
-  // Security check: Prevent path traversal attacks.
-  // require.resolve() already provides protection by only resolving modules
-  // accessible from the applicationPath. However, we add an extra layer to
-  // prevent access to sensitive system files outside the workspace.
   const normalizedPath = path__default$1["default"].normalize(resolvedPath);
-  const applicationPath = path__default$1["default"].normalize(loadingOptions.applicationPath);
+  if (!isModuleName) {
+    // For relative/absolute paths, verify the resolved path is within the
+    // workspace root. require.resolve() already provides some protection by
+    // only resolving from applicationPath, but we add an extra layer to
+    // prevent access to sensitive system files outside the workspace.
+    const applicationPath = path__default$1["default"].normalize(loadingOptions.applicationPath);
 
-  // Find workspace root by traversing up from applicationPath until we find
-  // package.json, pnpm-workspace.yaml, or reach root
-  let workspaceRoot = applicationPath;
-  let currentPath = applicationPath;
-  const rootPath = path__default$1["default"].parse(currentPath).root;
-  while (currentPath !== rootPath) {
-    const hasPackageJson = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'package.json'));
-    const hasWorkspaceConfig = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'pnpm-workspace.yaml')) || fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'lerna.json'));
-    if (hasPackageJson) {
-      workspaceRoot = currentPath;
-      if (hasWorkspaceConfig) {
-        // Found workspace root
-        break;
+    // Find workspace root by traversing up from applicationPath until we find
+    // package.json, pnpm-workspace.yaml, or reach root
+    let workspaceRoot = applicationPath;
+    let currentPath = applicationPath;
+    const rootPath = path__default$1["default"].parse(currentPath).root;
+    while (currentPath !== rootPath) {
+      const hasPackageJson = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'package.json'));
+      const hasWorkspaceConfig = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'pnpm-workspace.yaml')) || fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'lerna.json'));
+      if (hasPackageJson) {
+        workspaceRoot = currentPath;
+        if (hasWorkspaceConfig) {
+          // Found workspace root
+          break;
+        }
       }
+      currentPath = path__default$1["default"].dirname(currentPath);
+    }
+    const relativePath = path__default$1["default"].relative(workspaceRoot, normalizedPath);
+    // Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
+    const isSafePath = !_startsWithInstanceProperty__default["default"](relativePath).call(relativePath, '..') && !path__default$1["default"].isAbsolute(relativePath);
+    if (!isSafePath) {
+      throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
     }
-    currentPath = path__default$1["default"].dirname(currentPath);
-  }
-  const relativePath = path__default$1["default"].relative(workspaceRoot, normalizedPath);
-
-  // Path is safe if it's within the workspace root.
-  // Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
-  const isSafePath = !_startsWithInstanceProperty__default["default"](relativePath).call(relativePath, '..') && !path__default$1["default"].isAbsolute(relativePath);
-  if (!isSafePath) {
-    throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
   }
   const content = fs__default$1["default"].readFileSync(normalizedPath, {
     encoding: 'utf-8'

package/dist/commercetools-frontend-application-config.esm.js

@@ -231,41 +231,59 @@ const substituteFilePathVariablePlaceholder = (valueOfPlaceholder, matchedString
   const _valueOfPlaceholder$s5 = valueOfPlaceholder.split(':'),
     _valueOfPlaceholder$s6 = _slicedToArray(_valueOfPlaceholder$s5, 2),
     filePathOrModule = _valueOfPlaceholder$s6[1];
+
+  // Security check: Prevent path traversal attacks.
+  // Two strategies depending on whether the specifier is a bare module name
+  // (e.g. "@scope/pkg/file.svg") or a relative/absolute path (e.g. "./app.svg").
+  const isModuleName = !_startsWithInstanceProperty(filePathOrModule).call(filePathOrModule, '.') && !_startsWithInstanceProperty(filePathOrModule).call(filePathOrModule, '/');
+  if (isModuleName) {
+    // Bare module specifiers are resolved by require.resolve through
+    // node_modules, linked packages, or Yarn PnP — all legitimate locations
+    // that may be outside the workspace root (e.g. hoisted deps in CI).
+    // We skip the workspace root check for these, but we must block ".."
+    // segments in the specifier itself — those are the only way to make
+    // require.resolve escape module directories and reach arbitrary files
+    // (e.g. "some-pkg/../../../../etc/passwd" resolves through node_modules
+    // to /etc/passwd).
+    const normalizedSpecifier = path$1.posix.normalize(filePathOrModule);
+    if (_startsWithInstanceProperty(normalizedSpecifier).call(normalizedSpecifier, '..')) {
+      throw new Error(`Path traversal in module specifiers is not allowed: ${filePathOrModule}`);
+    }
+  }
   const resolvedPath = require.resolve(filePathOrModule, {
     paths: [loadingOptions.applicationPath]
   });
-
-  // Security check: Prevent path traversal attacks.
-  // require.resolve() already provides protection by only resolving modules
-  // accessible from the applicationPath. However, we add an extra layer to
-  // prevent access to sensitive system files outside the workspace.
   const normalizedPath = path$1.normalize(resolvedPath);
-  const applicationPath = path$1.normalize(loadingOptions.applicationPath);
+  if (!isModuleName) {
+    // For relative/absolute paths, verify the resolved path is within the
+    // workspace root. require.resolve() already provides some protection by
+    // only resolving from applicationPath, but we add an extra layer to
+    // prevent access to sensitive system files outside the workspace.
+    const applicationPath = path$1.normalize(loadingOptions.applicationPath);
 
-  // Find workspace root by traversing up from applicationPath until we find
-  // package.json, pnpm-workspace.yaml, or reach root
-  let workspaceRoot = applicationPath;
-  let currentPath = applicationPath;
-  const rootPath = path$1.parse(currentPath).root;
-  while (currentPath !== rootPath) {
-    const hasPackageJson = fs$1.existsSync(path$1.join(currentPath, 'package.json'));
-    const hasWorkspaceConfig = fs$1.existsSync(path$1.join(currentPath, 'pnpm-workspace.yaml')) || fs$1.existsSync(path$1.join(currentPath, 'lerna.json'));
-    if (hasPackageJson) {
-      workspaceRoot = currentPath;
-      if (hasWorkspaceConfig) {
-        // Found workspace root
-        break;
+    // Find workspace root by traversing up from applicationPath until we find
+    // package.json, pnpm-workspace.yaml, or reach root
+    let workspaceRoot = applicationPath;
+    let currentPath = applicationPath;
+    const rootPath = path$1.parse(currentPath).root;
+    while (currentPath !== rootPath) {
+      const hasPackageJson = fs$1.existsSync(path$1.join(currentPath, 'package.json'));
+      const hasWorkspaceConfig = fs$1.existsSync(path$1.join(currentPath, 'pnpm-workspace.yaml')) || fs$1.existsSync(path$1.join(currentPath, 'lerna.json'));
+      if (hasPackageJson) {
+        workspaceRoot = currentPath;
+        if (hasWorkspaceConfig) {
+          // Found workspace root
+          break;
+        }
       }
+      currentPath = path$1.dirname(currentPath);
+    }
+    const relativePath = path$1.relative(workspaceRoot, normalizedPath);
+    // Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
+    const isSafePath = !_startsWithInstanceProperty(relativePath).call(relativePath, '..') && !path$1.isAbsolute(relativePath);
+    if (!isSafePath) {
+      throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
     }
-    currentPath = path$1.dirname(currentPath);
-  }
-  const relativePath = path$1.relative(workspaceRoot, normalizedPath);
-
-  // Path is safe if it's within the workspace root.
-  // Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
-  const isSafePath = !_startsWithInstanceProperty(relativePath).call(relativePath, '..') && !path$1.isAbsolute(relativePath);
-  if (!isSafePath) {
-    throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
   }
   const content = fs$1.readFileSync(normalizedPath, {
     encoding: 'utf-8'

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@commercetools-frontend/application-config",
-  "version": "27.5.1",
+  "version": "27.5.2",
   "description": "Configuration utilities for building Custom Applications",
   "bugs": "https://github.com/commercetools/merchant-center-application-kit/issues",
   "repository": {
@@ -45,7 +45,7 @@
     "@babel/register": "^7.22.15",
     "@babel/runtime": "^7.22.15",
     "@babel/runtime-corejs3": "^7.22.15",
-    "@commercetools-frontend/constants": "27.5.1",
+    "@commercetools-frontend/constants": "27.5.2",
     "@types/lodash": "^4.14.198",
     "@types/react": "^19.0.3",
     "ajv": "8.18.0",
@@ -60,7 +60,7 @@
   "devDependencies": {
     "@types/jsdom": "^21.1.2",
     "json-schema-to-typescript": "15.0.4",
-    "@commercetools-frontend/assets": "27.5.1"
+    "@commercetools-frontend/assets": "27.5.2"
   },
   "engines": {
     "node": "18.x || 20.x || >=22.0.0"