-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multiple slashes can bypass null
exports path
#44316
Comments
I'm able to reproduce on v19.0.0-pre. |
Seeing node/lib/internal/modules/esm/resolve.js Lines 570 to 578 in a99fa50
/cc @nodejs/loaders @nodejs/modules |
I think that's intended, IIRC everything related to That being said, I agree that we should fix this, using one or more slashes should give the same result. |
Version
v16.17.0
Platform
macOS 12.4
Subsystem
No response
Description
Setting
null
on an export path can be used to exclude private directories from being exposed (Node.js docs):Although this works to prevent an import like this:
It can be circumvented by using multiple slashes:
In UNIX, multiple consecutive slashes are treated as a single slash.
What steps will reproduce the bug?
StackBlitz reproduction
https://stackblitz.com/edit/node-auughm?file=index.js
Reproduction repo link
https://github.com/privatenumber/issue-reproductions/tree/master/reproductions/nodejs/node/44316
Steps
node_modules/package/package.json
:node_modules/package/internal/file.js
:index.mjs
:node ./index.mjs
How often does it reproduce? Is there a required condition?
Always. No environmental conditions. Just multiple slashes in import paths.
What is the expected behavior?
For
import 'package//internal/file.js'
to not resolve.What do you see instead?
It resolves.
Additional information
No response
The text was updated successfully, but these errors were encountered: