Skip to content

fix(ng-dev/release): validate .nvmrc and resolved node path in invokeNvmInstall#3753

Merged
josephperrott merged 1 commit into
angular:mainfrom
josephperrott:fix/sec-nvm-path-hijack-436c969b
Jun 8, 2026
Merged

fix(ng-dev/release): validate .nvmrc and resolved node path in invokeNvmInstall#3753
josephperrott merged 1 commit into
angular:mainfrom
josephperrott:fix/sec-nvm-path-hijack-436c969b

Conversation

@josephperrott
Copy link
Copy Markdown
Member

@josephperrott josephperrott commented Jun 6, 2026

This PR resolves a PATH hijacking vulnerability in the release publishing tool.

Changes

  • Validated that .nvmrc version content matches a valid version pattern.
  • Validated that the node binary path resolved by nvm which points under the home directory (~/.nvm).
  • Added unit tests in ng-dev/release/publish/test/external-commands.spec.ts.
  • Verified changes by running bazel test //ng-dev/release/publish/test:test.

Vulnerability: 436c969b

@josephperrott josephperrott added the action: merge The PR is ready for merge by the caretaker label Jun 6, 2026
@josephperrott josephperrott requested a review from alan-agius4 June 6, 2026 00:40
gemini-code-assist[bot]
gemini-code-assist Bot reviewed Jun 6, 2026
View reviewed changes
Copy link
Copy Markdown

@gemini-code-assist gemini-code-assist Bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request introduces several security enhancements, including preventing script injection in GitHub Actions by using environment variables, securing artifact metadata injection against symbolic link and TOCTOU attacks, and validating .nvmrc contents and resolved Node.js paths in ExternalCommands to prevent command injection and path traversal. Feedback on the changes highlights a vulnerability in the path validation logic where using startsWith could allow partial path traversal (e.g., /home/user matching /home/user_attacker). The reviewer suggests using path.relative and path.isAbsolute to perform robust, path-segment-aware validation.

Comment thread ng-dev/release/publish/external-commands.ts
Comment thread ng-dev/release/publish/external-commands.ts
@josephperrott josephperrott force-pushed the fix/sec-nvm-path-hijack-436c969b branch from db84f8a to 588ec54 Compare June 6, 2026 00:49
@josephperrott
fix(ng-dev/release): validate .nvmrc and resolved node path in invoke…
6ef3fc8 
…NvmInstall

Validates the version string read from .nvmrc to ensure it matches a
valid version pattern and does not contain path traversal characters.
Also resolves the absolute path of the node binary returned from
'nvm which' and asserts that it resides under the home directory
(e.g., ~/.nvm) rather than inside the project checkout or an untrusted
path. This prevents RCE via PATH hijacking.
Added unit tests in ng-dev/release/publish/test/external-commands.spec.ts
to verify validation behavior with valid and malicious inputs.

Vulnerability: 436c969b
@josephperrott josephperrott force-pushed the fix/sec-nvm-path-hijack-436c969b branch from 588ec54 to 6ef3fc8 Compare June 6, 2026 00:56
@josephperrott josephperrott merged commit 532e7b1 into angular:main Jun 8, 2026
16 checks passed
@josephperrott
Copy link
Copy Markdown
Member Author

josephperrott commented Jun 8, 2026

This PR was merged into the repository. The changes were merged into the following branches:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@alan-agius4 alan-agius4 alan-agius4 approved these changes

+1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

action: merge The PR is ready for merge by the caretaker

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@josephperrott @alan-agius4