Skip to content

fix(@angular/build): reject outputPath that escapes workspace root #32986

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
CodeByMoriarty wants to merge 2 commits into
base: main
Choose a base branch
from
+73 −6
Open

fix(@angular/build): reject outputPath that escapes workspace root #32986

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0190945
fix(@angular/build): reject outputPath that escapes workspace root
CodeByMoriarty Apr 10, 2026
858c4d6
test(@angular/build): add output path boundary checks
CodeByMoriarty Apr 12, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 10 additions & 3 deletions packages/angular/build/src/builders/application/options.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -308,14 +308,21 @@ export async function normalizeOptions(
}

const outputPath = options.outputPath ?? path.join(workspaceRoot, 'dist', projectName);
const resolvedOutputBase = path.resolve(
workspaceRoot,
typeof outputPath === 'string' ? outputPath : outputPath.base,
);
if (!resolvedOutputBase.startsWith(workspaceRoot + path.sep)) {
throw new Error(
`Output path '${resolvedOutputBase}' must be inside the project root directory '${workspaceRoot}'.`,
);
}
const outputOptions: NormalizedOutputOptions = {
browser: 'browser',
server: 'server',
media: 'media',
...(typeof outputPath === 'string' ? undefined : outputPath),
base: normalizeDirectoryPath(
path.resolve(workspaceRoot, typeof outputPath === 'string' ? outputPath : outputPath.base),
),
base: normalizeDirectoryPath(resolvedOutputBase),
clean: options.deleteOutputPath ?? true,
// For app-shell and SSG server files are not required by users.
// Omit these when SSR is not enabled.
Expand Down
16 changes: 16 additions & 0 deletions packages/angular/build/src/builders/application/tests/options/output-path_spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -260,6 +260,22 @@ describeBuilder(buildApplication, APPLICATION_BUILDER_INFO, (harness) => {
}),
);
});

it('should error when the output path escapes the workspace root', async () => {
harness.useTarget('build', {
...BASE_OPTIONS,
polyfills: [],
outputPath: '../dist',
});

const { result, error } = await harness.executeOnce({
outputLogsOnException: false,
outputLogsOnFailure: false,
});

expect(result).toBeUndefined();
expect(error?.message).toMatch(/must be inside the project root directory/);
});
});
});
});
12 changes: 9 additions & 3 deletions packages/angular/build/src/utils/delete-output-dir.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -7,20 +7,26 @@
*/

import { readdir, rm } from 'node:fs/promises';
import { join, resolve } from 'node:path';
import { join, resolve, sep } from 'node:path';

/**
* Delete an output directory, but error out if it's the root of the project.
* Delete an output directory, but error out if it's the root of the project or outside it.
*/
export async function deleteOutputDir(
root: string,
outputPath: string,
emptyOnlyDirectories?: string[],
): Promise<void> {
const resolvedRoot = resolve(root);
const resolvedOutputPath = resolve(root, outputPath);
if (resolvedOutputPath === root) {
if (resolvedOutputPath === resolvedRoot) {
throw new Error('Output path MUST not be project root directory!');
}
if (!resolvedOutputPath.startsWith(resolvedRoot + sep)) {
throw new Error(
`Output path '${resolvedOutputPath}' MUST be inside the project root '${resolvedRoot}'.`,
);
}

const directoriesToEmpty = emptyOnlyDirectories
? new Set(emptyOnlyDirectories.map((directory) => join(resolvedOutputPath, directory)))
Expand Down
38 changes: 38 additions & 0 deletions packages/angular/build/src/utils/delete-output-dir_spec.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,38 @@
/**
* @license
* Copyright Google LLC All Rights Reserved.
*
* Use of this source code is governed by an MIT-style license that can be
* found in the LICENSE file at https://angular.dev/license
*/

import { mkdir, mkdtemp, rm, writeFile } from 'node:fs/promises';
import { tmpdir } from 'node:os';
import { join } from 'node:path';
import { deleteOutputDir } from './delete-output-dir';

describe('deleteOutputDir', () => {
let workspaceRoot: string;

beforeEach(async () => {
workspaceRoot = await mkdtemp(join(tmpdir(), 'angular-cli-test-'));
await mkdir(join(workspaceRoot, 'dist'), { recursive: true });
await writeFile(join(workspaceRoot, 'dist', 'file.txt'), 'test');
});

afterEach(async () => {
await rm(workspaceRoot, { recursive: true, force: true });
});

it('should reject deleting the project root directory', async () => {
await expectAsync(deleteOutputDir(workspaceRoot, '.')).toBeRejectedWithError(
'Output path MUST not be project root directory!',
);
});

it('should reject deleting a path outside the project root', async () => {
await expectAsync(deleteOutputDir(workspaceRoot, '..')).toBeRejectedWithError(
new RegExp(`Output path '.*' MUST be inside the project root '${workspaceRoot}'.`),
);
});
});
Loading