Validate bundle stays within output dir (#6277)

When a file would leave the output dir, an error is thrown.

# Conflicts:
#	src/Bundle.ts
#	src/utils/logs.ts
#	src/utils/path.ts

Author: lukastaegert

CHANGELOG.md

@@ -1,5 +1,29 @@
 # rollup changelog
 
+## 2.80.0
+
+_2026-02-22_
+
+### Features
+
+- Throw when the generated bundle contains paths that would leave the output directory (#6277)
+
+### Pull Requests
+
+- [#6277](https://github.com/rollup/rollup/pull/6277): Validate bundle stays within output dir (@lukastaegert)
+
+## 2.79.2
+
+_2024-09-26_
+
+### Bug Fixes
+
+- Resolve CVE-2024-43788 (#5677)
+
+### Pull Requests
+
+- [#5677](https://github.com/rollup/rollup/pull/5677): resolve DOM Clobbering CVE-2024-43788 (backport to v2) (@fabianszabo)
+
 ## 2.79.1
 
 _2022-09-22_

browser/path.ts

@@ -1,4 +1,4 @@
-const ABSOLUTE_PATH_REGEX = /^(?:\/|(?:[A-Za-z]:)?[\\|/])/;
+const ABSOLUTE_PATH_REGEX = /^(?:\/|(?:[A-Za-z]:)?[/\\|])/;
 const RELATIVE_PATH_REGEX = /^\.?\.\//;
 const ALL_BACKSLASHES_REGEX = /\\/g;
 const ANY_SLASH_REGEX = /[/\\]/;
@@ -24,17 +24,42 @@ export function dirname(path: string): string {
 	const match = /[/\\][^/\\]*$/.exec(path);
 	if (!match) return '.';
 
-	const dir = path.slice(0, -match[0].length);
+	const directory = path.slice(0, -match[0].length);
 
-	// If `dir` is the empty string, we're at root.
-	return dir ? dir : '/';
+	// If `directory` is the empty string, we're at root.
+	return directory || '/';
 }
 
 export function extname(path: string): string {
 	const match = EXTNAME_REGEX.exec(basename(path)!);
 	return match ? match[0] : '';
 }
 
+export function join(...segments: string[]): string {
+	const joined = segments.join('/');
+	const absolute = ANY_SLASH_REGEX.test(joined[0]);
+	return (
+		(absolute ? '/' : '') +
+		(normalizePathSegments(joined.split(ANY_SLASH_REGEX), absolute) || (absolute ? '' : '.'))
+	);
+}
+
+function normalizePathSegments(parts: string[], absolute = false): string {
+	const normalized: string[] = [];
+	for (const part of parts) {
+		if (part === '..') {
+			if (normalized.length > 0 && normalized[normalized.length - 1] !== '..') {
+				normalized.pop();
+			} else if (!absolute) {
+				normalized.push('..');
+			}
+		} else if (part !== '.' && part !== '') {
+			normalized.push(part);
+		}
+	}
+	return normalized.join('/');
+}
+
 export function relative(from: string, to: string): string {
 	const fromParts = from.split(ANY_SLASH_REGEX).filter(Boolean);
 	const toParts = to.split(ANY_SLASH_REGEX).filter(Boolean);
@@ -60,28 +85,19 @@ export function relative(from: string, to: string): string {
 }
 
 export function resolve(...paths: string[]): string {
-	const firstPathSegment = paths.shift();
-	if (!firstPathSegment) {
-		return '/';
-	}
-	let resolvedParts = firstPathSegment.split(ANY_SLASH_REGEX);
-
+	let parts: string[] = [];
+	let isAbsoluteResult = false;
 	for (const path of paths) {
 		if (isAbsolute(path)) {
-			resolvedParts = path.split(ANY_SLASH_REGEX);
+			parts = path.split(ANY_SLASH_REGEX);
+			isAbsoluteResult = true;
 		} else {
-			const parts = path.split(ANY_SLASH_REGEX);
-
-			while (parts[0] === '.' || parts[0] === '..') {
-				const part = parts.shift();
-				if (part === '..') {
-					resolvedParts.pop();
-				}
-			}
-
-			resolvedParts.push(...parts);
+			parts.push(...path.split(ANY_SLASH_REGEX));
 		}
 	}
-
-	return resolvedParts.join('/');
+	const normalized = normalizePathSegments(parts, isAbsoluteResult);
+	if (!isAbsoluteResult) return normalized || '/';
+	// Windows absolute paths (e.g. "C:/path") must not get a leading "/" prepended.
+	// Unix absolute paths must start with "/".
+	return /^[A-Za-z]:/.test(normalized) ? normalized : '/' + normalized;
 }

src/Bundle.ts

@@ -18,6 +18,7 @@ import commondir from './utils/commondir';
 import {
 	errCannotAssignModuleToChunk,
 	errChunkInvalid,
+	errFileNameOutsideOutputDirectory,
 	errInvalidOption,
 	error,
 	warnDeprecation
@@ -29,7 +30,7 @@ import {
 	getOutputBundle,
 	OutputBundleWithPlaceholders
 } from './utils/outputBundle';
-import { basename, isAbsolute } from './utils/path';
+import { basename, isAbsolute, join } from './utils/path';
 import { timeEnd, timeStart } from './utils/timers';
 
 export default class Bundle {
@@ -80,6 +81,7 @@ export default class Bundle {
 			isWrite
 		]);
 		this.finaliseAssets(outputBundle);
+		validateOutputBundleFileNames(outputBundle);
 
 		timeEnd('GENERATE', 1);
 		return outputBundleBase;
@@ -335,3 +337,29 @@ function addModuleToManualChunk(
 	}
 	manualChunkAliasByEntry.set(module, alias);
 }
+
+function isFileNameOutsideOutputDirectory(fileName: string): boolean {
+	// Use join() to normalize ".." segments, then replace backslashes so the
+	// string checks below work identically on Windows and POSIX.
+	const normalized = join(fileName).replace(/\\/g, '/');
+	return (
+		normalized === '..' ||
+		normalized.startsWith('../') ||
+		normalized === '.' ||
+		isAbsolute(normalized)
+	);
+}
+
+function validateOutputBundleFileNames(bundle: OutputBundleWithPlaceholders): void {
+	for (const [bundleKey, entry] of Object.entries(bundle)) {
+		if (isFileNameOutsideOutputDirectory(bundleKey)) {
+			return error(errFileNameOutsideOutputDirectory(bundleKey));
+		}
+		if (entry.type !== 'placeholder') {
+			const { fileName } = entry;
+			if (fileName !== bundleKey && isFileNameOutsideOutputDirectory(fileName)) {
+				return error(errFileNameOutsideOutputDirectory(fileName));
+			}
+		}
+	}
+}

src/utils/error.ts

@@ -52,6 +52,7 @@ export const enum Errors {
 	DEPRECATED_FEATURE = 'DEPRECATED_FEATURE',
 	EXTERNAL_SYNTHETIC_EXPORTS = 'EXTERNAL_SYNTHETIC_EXPORTS',
 	FILE_NAME_CONFLICT = 'FILE_NAME_CONFLICT',
+	FILE_NAME_OUTSIDE_OUTPUT_DIRECTORY = 'FILE_NAME_OUTSIDE_OUTPUT_DIRECTORY',
 	FILE_NOT_FOUND = 'FILE_NOT_FOUND',
 	INPUT_HOOK_IN_OUTPUT_PLUGIN = 'INPUT_HOOK_IN_OUTPUT_PLUGIN',
 	INVALID_CHUNK = 'INVALID_CHUNK',
@@ -190,6 +191,13 @@ export function errFileNameConflict(fileName: string): RollupLogProps {
 	};
 }
 
+export function errFileNameOutsideOutputDirectory(fileName: string): RollupLogProps {
+	return {
+		code: Errors.FILE_NAME_OUTSIDE_OUTPUT_DIRECTORY,
+		message: `The output file name "${fileName}" is not contained in the output directory. Make sure all file names are relative paths without ".." segments.`
+	};
+}
+
 export function errInputHookInOutputPlugin(pluginName: string, hookName: string): RollupLogProps {
 	return {
 		code: Errors.INPUT_HOOK_IN_OUTPUT_PLUGIN,

src/utils/path.ts

@@ -15,4 +15,4 @@ export function normalize(path: string): string {
 	return path.replace(BACKSLASH_REGEX, '/');
 }
 
-export { basename, dirname, extname, relative, resolve } from 'path';
+export { basename, dirname, extname, join, relative, resolve } from 'path';

test/browser/samples/error-file-name-absolute-path/_config.js

@@ -0,0 +1,29 @@
+const { loader } = require('../../../utils.js');
+
+module.exports = {
+	description: 'throws when a plugin adds an absolute file name to the output bundle',
+	options: {
+		plugins: [
+			loader({ main: 'export default 42;' }),
+			{
+				name: 'test',
+				generateBundle(_options, bundle) {
+					bundle['/etc/passwd'] = {
+						type: 'asset',
+						fileName: '/etc/passwd',
+						name: undefined,
+						needsCodeReference: false,
+						names: [],
+						originalFileNames: [],
+						source: 'injected'
+					};
+				}
+			}
+		]
+	},
+	generateError: {
+		code: 'FILE_NAME_OUTSIDE_OUTPUT_DIRECTORY',
+		message:
+			'The output file name "/etc/passwd" is not contained in the output directory. Make sure all file names are relative paths without ".." segments.'
+	}
+};

test/browser/samples/error-file-name-path-traversal/_config.js

@@ -0,0 +1,29 @@
+const { loader } = require('../../../utils.js');
+
+module.exports = {
+	description: 'throws when a plugin adds a path traversal file name to the output bundle',
+	options: {
+		plugins: [
+			loader({ main: 'export default 42;' }),
+			{
+				name: 'test',
+				generateBundle(_options, bundle) {
+					bundle['a/../../escaped.js'] = {
+						type: 'asset',
+						fileName: 'a/../../escaped.js',
+						name: undefined,
+						needsCodeReference: false,
+						names: [],
+						originalFileNames: [],
+						source: 'injected'
+					};
+				}
+			}
+		]
+	},
+	generateError: {
+		code: 'FILE_NAME_OUTSIDE_OUTPUT_DIRECTORY',
+		message:
+			'The output file name "a/../../escaped.js" is not contained in the output directory. Make sure all file names are relative paths without ".." segments.'
+	}
+};

test/browser/samples/error-file-name-windows-absolute-path/_config.js

@@ -0,0 +1,29 @@
+const { loader } = require('../../../utils.js');
+
+module.exports = {
+	description: 'throws when a plugin adds a Windows-style absolute file name to the output bundle',
+	options: {
+		plugins: [
+			loader({ main: 'export default 42;' }),
+			{
+				name: 'test',
+				generateBundle(_options, bundle) {
+					bundle['C:\\etc\\passwd'] = {
+						type: 'asset',
+						fileName: 'C:\\etc\\passwd',
+						name: undefined,
+						needsCodeReference: false,
+						names: [],
+						originalFileNames: [],
+						source: 'injected'
+					};
+				}
+			}
+		]
+	},
+	generateError: {
+		code: 'FILE_NAME_OUTSIDE_OUTPUT_DIRECTORY',
+		message:
+			'The output file name "C:\\etc\\passwd" is not contained in the output directory. Make sure all file names are relative paths without ".." segments.'
+	}
+};

test/browser/samples/renormalizes-external-paths-past-root/_config.js

@@ -0,0 +1,39 @@
+const { join, dirname } = require('node:path').posix;
+
+module.exports = {
+	description:
+		'clamps at root when renormalizing external paths that traverse past the root via resolve',
+	options: {
+		input: '/main.js',
+		external(id) {
+			return id.endsWith('ext');
+		},
+		plugins: {
+			name: 'test-plugin',
+			resolveId(source, importer) {
+				if (source.endsWith('ext.js')) {
+					return false;
+				}
+				if (!importer) {
+					return source;
+				}
+				return join(dirname(importer), source);
+			},
+			load(id) {
+				switch (id) {
+					case '/main.js': {
+						// dep.js is at root; the external is imported via '../../escaped-ext.js'
+						// from dep.js — two levels up from '/' — which should clamp to '/escaped-ext.js'
+						return `import './dep.js';`;
+					}
+					case '/dep.js': {
+						return `import '../../escaped-ext.js';`;
+					}
+					default: {
+						throw new Error(`Unexpected id ${id}`);
+					}
+				}
+			}
+		}
+	}
+};

test/browser/samples/renormalizes-external-paths-past-root/_expected/main.js

@@ -0,0 +1 @@
+import './escaped-ext.js';