From 6ec38fac97e4f97308529a91528aa040ce85421d Mon Sep 17 00:00:00 2001
From: Mark Dalgleish
Date: Thu, 25 Jan 2024 13:45:08 +1100
Subject: [PATCH] fix(remix-dev/vite): validate server bundle IDs (#8598)
---
 .changeset/cyan-dingos-care.md | 5 +++++
 packages/remix-dev/vite/build.ts | 5 +++++
 2 files changed, 10 insertions(+)
 create mode 100644 .changeset/cyan-dingos-care.md
diff --git a/.changeset/cyan-dingos-care.md b/.changeset/cyan-dingos-care.md
new file mode 100644
index 00000000000..4ea13750e6e
--- /dev/null
+++ b/.changeset/cyan-dingos-care.md
@@ -0,0 +1,5 @@
+---
+"@remix-run/dev": patch
+---
+
+Vite: Validate IDs returned from the `serverBundles` function to ensure they only contain alphanumeric characters, hyphens and underscores
diff --git a/packages/remix-dev/vite/build.ts b/packages/remix-dev/vite/build.ts
index 2bddd8a246a..3863cca20ee 100644
--- a/packages/remix-dev/vite/build.ts
+++ b/packages/remix-dev/vite/build.ts
@@ -155,6 +155,11 @@ async function getServerBuilds(ctx: RemixPluginContext): Promise<{
 if (typeof serverBundleId !== "string") {
 throw new Error(`The "serverBundles" function must return a string`);
 }
+ if (!/^[a-zA-Z0-9-_]+$/.test(serverBundleId)) {
+ throw new Error(
+ `The "serverBundles" function must only return strings containing alphanumeric characters, hyphens and underscores.`
+ );
+ }
 buildManifest.routeIdToServerBundleId[route.id] = serverBundleId;
 
 let relativeServerBundleDirectory = path.relative(
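Review bot: The character class in the added check, `/^[a-zA-Z0-9-_]+$/`, is correct only because a `-` directly after the completed `0-9` range is parsed as a literal. Putting the hyphen last, `/^[a-zA-Z0-9_-]+$/`, matches the same set without relying on that rule, and it stays correct if someone later appends a character to the class. The check would also benefit from a one-line comment on why it exists, for example `// serverBundleId is used to build the server bundle directory path, so only allow a safe character set`. That purpose is inferred from the `path.relative(` call that follows, and the body of getServerBuilds continues outside the hunk, so confirm it against the full function. The thrown message would be easier to act on if it also included `route.id` and the rejected ID.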