fix(remix-dev/vite): validate server bundle IDs (#8598)

remix-run · Jan 25, 2024 · 6ec38fa · 6ec38fa
1 parent 2f05fd2
commit 6ec38fa
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 0 deletions.
diff --git a/.changeset/cyan-dingos-care.md b/.changeset/cyan-dingos-care.md
@@ -0,0 +1,5 @@
+---
+"@remix-run/dev": patch
+---
+
+Vite: Validate IDs returned from the `serverBundles` function to ensure they only contain alphanumeric characters, hyphens and underscores
diff --git a/packages/remix-dev/vite/build.ts b/packages/remix-dev/vite/build.ts
@@ -155,6 +155,11 @@ async function getServerBuilds(ctx: RemixPluginContext): Promise<{
       if (typeof serverBundleId !== "string") {
         throw new Error(`The "serverBundles" function must return a string`);
       }
+      if (!/^[a-zA-Z0-9-_]+$/.test(serverBundleId)) {
+        throw new Error(
+          `The "serverBundles" function must only return strings containing alphanumeric characters, hyphens and underscores.`
+        );
+      }
       buildManifest.routeIdToServerBundleId[route.id] = serverBundleId;
 
       let relativeServerBundleDirectory = path.relative(