fix: directory boundary check with trailing separator + cross-dir sourcemap header

BYK · BYK · commit b81bb5b24df5 · 2026-04-30T18:26:45.000Z
1. startsWith(absDir) now uses absDir + '/' to prevent prefix
   collisions (e.g. /dist matching /dist-backup).
2. sourcemapFilename now uses relative path from JS dir to map file
   instead of bare basename, so cross-directory maps link correctly
   in the Sourcemap header.
diff --git a/src/commands/sourcemap/upload.ts b/src/commands/sourcemap/upload.ts
@@ -6,7 +6,7 @@
  * env vars, config defaults) — no slash-separated arg parsing needed.
  */
 
-import { basename, relative, resolve } from "node:path";
+import { dirname, relative, resolve } from "node:path";
 import type { SentryContext } from "../../context.js";
 import {
   type ArtifactFile,
@@ -309,7 +309,13 @@ export const uploadCommand = buildCommand({
           mapRelative = stripPrefix(mapRelative, pathPrefixToStrip);
         }
 
-        const mapBasename = basename(mapPath);
+        // Sourcemap header is resolved relative to the JS file's URL.
+        // Use relative path from JS dir to map file so cross-directory
+        // maps (e.g. maps/bundle.js.map) link correctly.
+        const sourcemapRef = relative(dirname(jsPath), mapPath).replaceAll(
+          "\\",
+          "/"
+        );
         return [
           {
             path: jsPath,
@@ -318,7 +324,7 @@ export const uploadCommand = buildCommand({
             ...(debugId ? { debugId } : {}),
             type: "minified_source" as const,
             url: `${urlPrefix}${jsRelative}`,
-            sourcemapFilename: mapBasename,
+            sourcemapFilename: sourcemapRef,
           },
           {
             path: mapPath,
diff --git a/src/lib/sourcemap/inject.ts b/src/lib/sourcemap/inject.ts
@@ -297,7 +297,9 @@ export async function discoverFilePairs(
       // Guard against sourceMappingURL directives that resolve outside the
       // upload directory (e.g. "../../other/app.js.map"). Convention-based
       // maps (foo.js.map) are always adjacent so they're inherently safe.
-      if (!mapPath.startsWith(absDir)) {
+      // Trailing separator prevents prefix collisions (e.g. /dist vs /dist-backup).
+      const dirPrefix = absDir.endsWith("/") ? absDir : `${absDir}/`;
+      if (!mapPath.startsWith(dirPrefix)) {
         log.debug(
           `skipping sourcemap outside directory: ${mapPath} (resolved from ${entry.absolutePath})`
         );
