@mantiq/vite 0.5.22 → 0.6.0

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@mantiq/vite",
-  "version": "0.5.22",
+  "version": "0.6.0",
   "description": "Vite dev server & manifest integration",
   "type": "module",
   "license": "MIT",

package/src/Vite.ts

@@ -421,6 +421,10 @@ export class Vite {
       }
     }
 
+    // Security note: `head` and `ssrHead` are trusted developer-controlled values.
+    // They contain raw HTML tags (meta, link, style) that must NOT be escaped.
+    // Developers are responsible for ensuring no user input is interpolated
+    // into head/ssrHead without proper escaping.
     const headContent = [head, ssrHead].filter(Boolean).join('\n    ')
 
     return `<!DOCTYPE html>

package/src/middleware/ServeStaticFiles.ts

@@ -1,4 +1,5 @@
 import type { Middleware, NextFunction, MantiqRequest } from '@mantiq/core'
+import path from 'node:path'
 import { Vite } from '../Vite.ts'
 
 /**
@@ -43,17 +44,19 @@ export class ServeStaticFiles implements Middleware {
 
     const urlPath = request.path()
 
-    // Prevent directory traversal
-    if (urlPath.includes('..') || urlPath.includes('\0')) {
-      return next()
-    }
-
     // Skip the hot file — it's internal
     if (urlPath === '/hot') {
       return next()
     }
 
-    const filePath = `${this.getPublicDir()}${urlPath}`
+    // Security: resolve the absolute path and verify it stays within publicDir
+    // to prevent directory traversal attacks (including encoded sequences like
+    // %2e%2e, double-encoding, and symlink tricks).
+    const publicDir = path.resolve(this.getPublicDir())
+    const filePath = path.resolve(publicDir, '.' + urlPath)
+    if (!filePath.startsWith(publicDir + path.sep) && filePath !== publicDir) {
+      return next()
+    }
     const file = Bun.file(filePath)
 
     if (await file.exists()) {