fix: ensure CDN URL is only applied to asset files and improve replacement script security

2026-01-09 15:38:03 -05:00 · 2025-12-12 12:22:52 -03:00
parent 288df1adfd
commit 7502cd8517
2 changed files with 6 additions and 3 deletions
--- a/frontend/scripts/replace-standalone-build-variable.sh
+++ b/frontend/scripts/replace-standalone-build-variable.sh
@@ -10,13 +10,16 @@ fi

 echo "Replacing pre-baked value.."

+# Escape special characters in REPLACEMENT for sed to avoid regex issues and injection attacks
+ESCAPED_REPLACEMENT=$(printf '%s\n' "$REPLACEMENT" | sed 's/[\/&]/\\&/g')
+
 # Replace in JS files in assets directory
 find assets -type f -name "*.js" |
 while read file; do
-    sed -i "s|$ORIGINAL|$REPLACEMENT|g" "$file"
+    sed -i "s|$ORIGINAL|$ESCAPED_REPLACEMENT|g" "$file"
 done

 # Replace in index.html (for asset references)
 if [ -f "index.html" ]; then
-    sed -i "s|$ORIGINAL|$REPLACEMENT|g" "index.html"
+    sed -i "s|$ORIGINAL|$ESCAPED_REPLACEMENT|g" "index.html"
 fi
--- a/frontend/vite.config.ts
+++ b/frontend/vite.config.ts
@@ -62,7 +62,7 @@ export default defineConfig(({ mode }) => {
    experimental: {
      // Only apply CDN URL to files in /assets/* directory
      renderBuiltUrl(filename) {
-        if (filename.startsWith("assets/")) {
+        if (filename.startsWith("assets/") && cdnUrl) {
          return `${cdnUrl}/${filename}`;
        }
        return `/${filename}`;