* Use file name whitelist to prevent RCE
Use a whitelist to validate user-provided file names. This doesn't cover
the entire range of valid filenames but should cover almost all of them
in practice. Allows letters, numbers, periods, dashes, and underscores.
Opting to use a whitelist instead of a blacklist because getting this
wrong leaves us vulnerable to a RCE attack.
* Allow alphabet characters from all languages
Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches
alphanumeric characters, periods, dashes, and underscores. Unicode
property support is stage 4 so I've inlined the transpiled version.
* Only use file name whitelist on Windows
* Log error message if file name does not pass whitelist
* Use file name whitelist to prevent RCE
Use a whitelist to validate user-provided file names. This doesn't cover
the entire range of valid filenames but should cover almost all of them
in practice. Allows letters, numbers, periods, dashes, and underscores.
Opting to use a whitelist instead of a blacklist because getting this
wrong leaves us vulnerable to a RCE attack.
* Allow alphabet characters from all languages
Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches
alphanumeric characters, periods, dashes, and underscores. Unicode
property support is stage 4 so I've inlined the transpiled version.
* Only use file name whitelist on Windows
* Log error message if file name does not pass whitelist
* support scoped packages for cra --scripts-version option
* seperate out kitchensink test
* add eject to node 6 testing
* travis node 6 eject
* fix CI warnings
To analyze Webpack bundles, a "stats" JSON is required.
This PR allows that file to be created and saved to the `build`
directory, so that users can use it with Webpack-specific insight
tools like `webpack-bundle-analyzer` without ejecting their
application.
Updated the README to include details for how to do this.
* Update paths.js, rename shadow path variable
This file requires the "path" module and sets it to a variable `path`. The function `ensureSlash` also has a variable `path` that then shadows the `path` module.
* Update paths.js
* Removes Chokidar Recursive Flag
According to the changelog it is not necessary anymore as it doesn't do anything.
* Removes initial build on SCSS watch
Chokidar now does this on it's own.
* Removes sass watch recursive, default include-path
as proposed by @michaelwayman
* Removes another left-over build-css
Support for .mjs files added in #3239 did not account for npm libraries which ship native mjs files alongside js files. This accounts for this by ensuring .js files resolve before their accompanying .mjs file. Note that this is not an ideal end state since selecting a .mjs over a .js extension should be the result of whether `import` was used instead of `require()` in a node environment with native ESM support (currently via `--experimental-modules`). Instead, this change just *always* selects a .js extension before the .mjs extension if it exists.
This unbreaks support for using GraphQL (relay, apollo, etc) within create-react-app projects.
* - [x] Upgrade to webpack 4.8.X
- [x] Utilize webpack 4 development and production modes
- [x] Upgrade webpack dev server
- [x] Webpack 4 compatible release of thread-loader
- [x] Webpack 4 compatible release of HtmlWebpackPlugin
- [x] Webpack 4 compatible release of SwPrecacheWebpackPlugin
- [x] Webpack 4 compatible release of WebpackManifestPlugin
- [x] Update README
- [x] Update WebpackDevServerUtils
- [x] Update InterpolateHtmlPlugin
- [x] Update ModuleScopePlugin
- [x] Update WatchMissingNodeModulesPlugin
- [x] Move UglifyJS options to webpack 4 optimize
- [x] Move InterpolateHtmlPlugin to make it tapable on HtmlWebpackPlugin
- [x] vendor splitting via splitChunks.splitChunks (https://twitter.com/wSokra/status/969633336732905474)
- [x] long term caching via splitChunks.runtimeChunk (https://twitter.com/wSokra/status/969679223278505985)
- [x] Make sure process.env.NODE_ENV is proxied correctly to `react-error-overlay`
- [x] Implicit webpack.NamedModulesPlugin in dev config as its default in webpack 4
- [x] Disable webpack performance hints as we have our own filesize reporter
- [x] Replace ExtractTextPlugin with MiniCssExtractPlugin
- [x] Switch to css whole file minification via OptimizeCSSAssetsPlugin rather than per module css minification to gain performance
* disable module concatenation
* fix cleanup
* fix optimization
* restore tmp removal
* preserve
* fix css tests
* fix test run
* fix svg test
* revert tmp dir
* fix import
* fix import
* help debugging
* fix tests
* fix sass test
* restore cleanup
- [x] Utilize webpack 4 development and production modes
- [x] Upgrade webpack dev server
- [x] Webpack 4 compatible release of thread-loader
- [x] Webpack 4 compatible release of HtmlWebpackPlugin
- [x] Webpack 4 compatible release of SwPrecacheWebpackPlugin
- [x] Webpack 4 compatible release of WebpackManifestPlugin
- [x] Update README
- [x] Update WebpackDevServerUtils
- [x] Update InterpolateHtmlPlugin
- [x] Update ModuleScopePlugin
- [x] Update WatchMissingNodeModulesPlugin
- [x] Move UglifyJS options to webpack 4 optimize
- [x] Move InterpolateHtmlPlugin to make it tapable on HtmlWebpackPlugin
- [x] vendor splitting via splitChunks.splitChunks (https://twitter.com/wSokra/status/969633336732905474)
- [x] long term caching via splitChunks.runtimeChunk (https://twitter.com/wSokra/status/969679223278505985)
- [x] Make sure process.env.NODE_ENV is proxied correctly to `react-error-overlay`
- [x] Implicit webpack.NamedModulesPlugin in dev config as its default in webpack 4
- [x] Disable webpack performance hints as we have our own filesize reporter
- [x] Replace ExtractTextPlugin with MiniCssExtractPlugin
- [x] Switch to css whole file minification via OptimizeCSSAssetsPlugin rather than per module css minification to gain performance
Summary:
The `hasSlash` method uses `path.substr(path, path.length - 1)` to
remove the last character from `path`. Clearly, the first parameter is
suspect; it should be `0`. The code works as written, but only very
accidentally: the first parameter is coerced by `ToNumber` to `NaN`,
which is then coerced by `ToInteger` to `+0`, per [the spec][1].
[1]: https://www.ecma-international.org/ecma-262/6.0/#sec-string.prototype.substr
Test Plan:
Reading the spec should be sufficient. To verify in the Real World:
```js
const path = "has-slash-but-does-not-need-slash/"
const a = path.substr(path, path.length - 1);
const b = path.substr(0, path.length - 1);
console.log(a === b); // true
console.log(a); // has-slash-but-does-not-need-slash
```
wchargin-branch: ensureslash-accidental-coercion
