@pyreon/zero 0.18.0 → 0.20.0

package/src/ssg-plugin.ts

@@ -23,7 +23,7 @@
 
 import { existsSync } from 'node:fs'
 import { mkdir, readFile, rename, rm, unlink, writeFile } from 'node:fs/promises'
-import { dirname, join, resolve } from 'node:path'
+import { dirname, join, resolve, sep } from 'node:path'
 import { pathToFileURL } from 'node:url'
 import type { Plugin } from 'vite'
 import { resolveAdapter } from './adapters'
@@ -373,6 +373,25 @@ export function expandUrlPattern(pattern: string, params: Record<string, string>
           `[zero:ssg] getStaticPaths for "${pattern}" returned params without "${name}"`,
         )
       }
+      // Path-escape guard. The value is substituted verbatim into the
+      // URL that becomes a `dist/<path>/index.html` write target. A
+      // single (non-catch-all) `:slug` is ONE segment — a value
+      // containing `/` or being `.`/`..` (e.g. an unsanitized CMS slug
+      // `../../secret`) would escape the intended structure and write
+      // outside it. Catch-all `:slug*` legitimately spans segments
+      // (`a/b/c`), so it's exempt from the `/` check but still rejects
+      // `.`/`..` traversal segments.
+      const segs = isCatchAll ? value.split('/') : [value]
+      if (
+        (!isCatchAll && value.includes('/')) ||
+        segs.some((s) => s === '.' || s === '..')
+      ) {
+        throw new Error(
+          `[zero:ssg] getStaticPaths for "${pattern}" produced an unsafe "${name}" value ` +
+            `(${JSON.stringify(value)}): a ${isCatchAll ? 'catch-all' : 'dynamic'} segment ` +
+            `must not contain path-traversal ("." / "..")${isCatchAll ? '' : ' or "/"'}.`,
+        )
+      }
       return value
     })
     .join('/')
@@ -443,10 +462,17 @@ async function autoDetectStaticPaths(
     }
   }
 
+  // Dedup (order-preserving). The same concrete path can be produced
+  // more than once — a `getStaticPaths` returning a duplicate slug, or
+  // i18n route fan-out colliding — which otherwise renders the same
+  // `dist/<path>/index.html` twice (wasted work + last-write race) and
+  // feeds a duplicate `<url>` into the SSG→sitemap merge.
+  const deduped = [...new Set(out)]
+
   // Always include "/" as a fallback if no static routes were found —
   // a project with only dynamic routes still needs an index.html for the
   // host to know where to send unmatched URLs.
-  return out.length > 0 ? out : ['/']
+  return deduped.length > 0 ? deduped : ['/']
 }
 
 async function resolvePaths(
@@ -598,6 +624,21 @@ function resolveOutputPath(distDir: string, path: string): string {
   return join(distDir, path, 'index.html')
 }
 
+/**
+ * Path-containment check that is SEPARATOR-TERMINATED. A bare
+ * `resolve(filePath).startsWith(resolve(distDir))` is a string-prefix
+ * test, not a path test: with distDir `/app/dist`, a traversed filePath
+ * resolving to the SIBLING `/app/dist-evil/x` passes
+ * `'/app/dist-evil/x'.startsWith('/app/dist')` → true and the build
+ * writes outside the intended output root. `path` derives from caller
+ * route params (CMS slugs via `getStaticPaths`), so this is reachable.
+ */
+function isInsideDist(distDir: string, filePath: string): boolean {
+  const root = resolve(distDir)
+  const target = resolve(filePath)
+  return target === root || target.startsWith(root + sep)
+}
+
 // ─── Redirect emission (PR B) ──────────────────────────────────────────────
 //
 // The shape returned by the SSG entry's renderPath when a loader throws
@@ -1128,8 +1169,7 @@ export function ssgPlugin(userConfig: ZeroConfig = {}): Plugin {
 
             if (config.ssg?.redirectsAsHtml === 'meta-refresh') {
               const filePath = resolveOutputPath(distDir, p)
-              const resolvedOut = resolve(distDir)
-              if (!resolve(filePath).startsWith(resolvedOut)) {
+              if (!isInsideDist(distDir, filePath)) {
                 errors.push({ path: p, error: new Error(`Path traversal detected: "${p}"`) })
                 return
               }
@@ -1144,8 +1184,7 @@ export function ssgPlugin(userConfig: ZeroConfig = {}): Plugin {
           const filePath = resolveOutputPath(distDir, p)
 
           // Path-traversal guard — same as @pyreon/server's prerender.
-          const resolvedOut = resolve(distDir)
-          if (!resolve(filePath).startsWith(resolvedOut)) {
+          if (!isInsideDist(distDir, filePath)) {
             errors.push({ path: p, error: new Error(`Path traversal detected: "${p}"`) })
             return
           }
@@ -1174,8 +1213,7 @@ export function ssgPlugin(userConfig: ZeroConfig = {}): Plugin {
               const fallbackHtml = await config.ssg.onPathError(p, error)
               if (typeof fallbackHtml === 'string') {
                 const filePath = resolveOutputPath(distDir, p)
-                const resolvedOut = resolve(distDir)
-                if (!resolve(filePath).startsWith(resolvedOut)) {
+                if (!isInsideDist(distDir, filePath)) {
                   errors.push({ path: p, error: new Error(`Path traversal detected: "${p}"`) })
                   return
                 }
@@ -1505,6 +1543,7 @@ export const _internal = {
   resolvePaths,
   autoDetectStaticPaths,
   resolveOutputPath,
+  isInsideDist,
   expandUrlPattern,
   injectIntoTemplate,
   renderNetlifyRedirects,

package/src/types.ts

@@ -58,6 +58,15 @@ export interface ISRConfig {
    * space (e.g. `/user/:id` where `:id` is free-form).
    */
   maxEntries?: number
+  /**
+   * Max wall-time (ms) for a single background revalidation before it is
+   * abandoned. Without a bound, a handler that hangs leaves its key
+   * pinned in the in-flight set forever — every later request for that
+   * key short-circuits the de-dupe guard and the entry can never
+   * recover from stale. Default: `30000` (matches the Suspense
+   * streaming timeout).
+   */
+  revalidateTimeoutMs?: number
   /**
    * Cache-key derivation function. The default keys cache entries by
    * `url.pathname` ONLY — query strings, cookies, and headers are