From: Michał Gołębiowski-Owczarek
Date: Mon, 28 Oct 2024 15:47:29 +0000 (+0100)
Subject: Build: Fix an XSS in the test server HTML serving logic
X-Git-Tag: 1.14.1~4
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=85bed8ddd893390fd41bd7e93d2a44a1b5d9b885;p=jquery-ui.git
Build: Fix an XSS in the test server HTML serving logic
The test server has a rule for `/tests/unit/*/*.html` paths that serves a proper local file. However, the parameters after `/unit/` so far accepted many characters that have special meaning, leading to possibly reading a file from outside of the Git repository. Fix that by only accepting alphanumeric characters, `-` or `_`. This should resolve one CodeQL alert.
Closes gh-2309
---
diff --git a/tests/runner/createTestServer.js b/tests/runner/createTestServer.js
index 67770c71d..875e6d3b1 100644
--- a/tests/runner/createTestServer.js
+++ b/tests/runner/createTestServer.js
@@ -22,7 +22,7 @@ export async function createTestServer( report ) {
 } );
 // Add a script tag to HTML pages to load the QUnit listeners
-app.use( /\/tests\/unit\/([^/]+)\/\1\.html$/, async( req, res ) => {
+app.use( /\/tests\/unit\/([a-zA-Z0-9_-]+)\/\1\.html$/, async( req, res ) => {
 const html = await readFile( `tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`, "utf8"