Conversation

@2heal1 (Member) commented Dec 4, 2025

Description

Related Issue

Types of changes

  • Docs change / refactoring / dependency upgrade
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)

Checklist

  • I have added tests to cover my changes.
  • All new and existing tests passed.
  • I have updated the documentation.

changeset-bot commented Dec 4, 2025

⚠️ No Changeset found

Latest commit: 1745fd9

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types


netlify bot commented Dec 4, 2025

Deploy Preview for module-federation-docs ready!

Latest commit: 1745fd9
Latest deploy log: https://app.netlify.com/projects/module-federation-docs/deploys/69314c4519fd5300083038f6
Deploy Preview: https://deploy-preview-4252--module-federation-docs.netlify.app

);
const code = `(function(${args.join(
', ',
)}) {${content}\n})`;

Check warning (Code scanning / CodeQL): Improper code sanitization, Medium, test

Code construction depends on an improperly sanitized value.

Copilot Autofix (AI) commented 8 days ago

To fix the improper code sanitization, we need to ensure that values interpolated into generated JavaScript code (here, as part of require(...) in content) are properly sanitized and any potentially dangerous characters are escaped. Following the recommendation, we should define a function (e.g., escapeUnsafeChars) that escapes characters like <, >, /, \, and other relevant Unicode/control chars after running JSON.stringify. We will update line 783 so that instead of just JSON.stringify('./' + arg), we run this escape function on the result. This means:

  • Add a helper escape function (e.g., escapeUnsafeChars) in this file.
  • Change the string interpolation in the mapping on line 783 to embed the escaped string instead.
  • No other code needs to be changed.

This fix is fully contained in packages/enhanced/test/ConfigTestCases.rstest.ts, and only requires code additions and a small refactor to the mapping logic.


Suggested changeset 1
packages/enhanced/test/ConfigTestCases.rstest.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/enhanced/test/ConfigTestCases.rstest.ts b/packages/enhanced/test/ConfigTestCases.rstest.ts
--- a/packages/enhanced/test/ConfigTestCases.rstest.ts
+++ b/packages/enhanced/test/ConfigTestCases.rstest.ts
@@ -14,6 +14,26 @@
   rs,
 } from '@rstest/core';
 
+// Escape potentially dangerous characters for insertion into generated JS code
+const charMap: { [key: string]: string } = {
+  '<': '\\u003C',
+  '>': '\\u003E',
+  '/': '\\u002F',
+  '\\': '\\\\',
+  '\b': '\\b',
+  '\f': '\\f',
+  '\n': '\\n',
+  '\r': '\\r',
+  '\t': '\\t',
+  '\0': '\\0',
+  '\u2028': '\\u2028',
+  '\u2029': '\\u2029'
+};
+function escapeUnsafeChars(str: string): string {
+  // Only escape characters appearing in charMap
+  return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029\\/]/g, x => charMap[x] || x);
+}
+
 // 预热 webpack(与原逻辑一致)
 require('./helpers/warmup-webpack');
 
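Review bot: the `'\\': '\\\\'` entry in charMap (and the `\\` in the regex) re-escapes backslashes that JSON.stringify has already escaped, so escapeUnsafeChars changes values rather than just hardening them: for a fixture name containing one backslash, JSON.stringify already emits it as `\\`, the helper then rewrites each of those two characters again, and the generated literal holds four backslashes, so require() receives a path with two. The same doubling hits every control-character escape JSON.stringify produces (`\n` becomes `\\n`, read back as a literal backslash and `n`), which makes the `'\b'`, `'\f'`, `'\n'`, `'\r'`, `'\t'` and `'\0'` entries dead at best and harmful when the output of JSON.stringify is the input. Since the helper is only ever applied after JSON.stringify, restrict the table and the regex to the escapes JSON does not emit: `<`, `>`, `\u2028` and `\u2029` (and `/` only if this text is ever embedded in HTML). Also worth a short doc comment stating that precondition on the function.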
@@ -780,7 +800,7 @@
                             content = `module.exports = (${module
                               .map(
                                 (arg: any) =>
-                                  `require(${JSON.stringify(`./${arg}`)})`,
+                                  `require(${escapeUnsafeChars(JSON.stringify(`./${arg}`))})`,
                               )
                               .join(', ')});`;
                           } else {
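Review bot: the order here (escapeUnsafeChars applied to the JSON.stringify output) is the right one for `<`, `>` and the U+2028/U+2029 line terminators, but with the table as defined in this patch it alters any arg whose JSON form already contains a backslash escape, so the require() path in `.array-require.js` no longer matches the fixture name. Please add a test case whose arg contains a backslash or a newline and assert the path the generated module actually requires, and keep this `.map` callback as the single place the literal is produced rather than repeating the mapping at other call sites.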
EOF
);
const code = `(function(${args.join(
', ',
)}) {${content}\n})`;

Check warning (Code scanning / CodeQL): Improper code sanitization, Medium, test

Code construction depends on an improperly sanitized value.

Copilot Autofix (AI) commented 8 days ago

To fix this issue, we should fully sanitize all strings that will be injected into executable code, not relying solely on JSON.stringify. As per recommended patterns (and CodeQL docs), we should introduce an escape function that replaces potentially dangerous characters (e.g. <, >, /, \, and line breaks) with safe escape sequences before including them.
Specifically:

  1. Implement an escapeUnsafeChars function in the relevant region of the file.
  2. In the dynamic code construction at line 783, wrap the output of JSON.stringify with escapeUnsafeChars.
  3. This ensures that even if arg includes risky characters, they will be safely escaped and cannot break out of the script context or cause injection.
    All changes are confined to the appropriate edit region.

Suggested changeset 1
packages/enhanced/test/ConfigTestCases.vitest.ts

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/packages/enhanced/test/ConfigTestCases.vitest.ts b/packages/enhanced/test/ConfigTestCases.vitest.ts
--- a/packages/enhanced/test/ConfigTestCases.vitest.ts
+++ b/packages/enhanced/test/ConfigTestCases.vitest.ts
@@ -777,10 +777,31 @@
                               currentDirectory,
                               '.array-require.js',
                             );
+                            // Add escapeUnsafeChars helper
+                            const charMap = {
+                              '<': '\\u003C',
+                              '>': '\\u003E',
+                              '/': '\\u002F',
+                              '\\': '\\\\',
+                              '\b': '\\b',
+                              '\f': '\\f',
+                              '\n': '\\n',
+                              '\r': '\\r',
+                              '\t': '\\t',
+                              '\0': '\\0',
+                              '\u2028': '\\u2028',
+                              '\u2029': '\\u2029'
+                            };
+                            function escapeUnsafeChars(str: string) {
+                              return str.replace(
+                                /[<>\b\f\n\r\t\0\u2028\u2029/\\]/g, 
+                                x => (charMap as any)[x] || x,
+                              );
+                            }
                             content = `module.exports = (${module
                               .map(
                                 (arg: any) =>
-                                  `require(${JSON.stringify(`./${arg}`)})`,
+                                  `require(${escapeUnsafeChars(JSON.stringify(`./${arg}`))})`,
                               )
                               .join(', ')});`;
                           } else {
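Review bot: charMap and escapeUnsafeChars are declared inside this branch body, so they are re-created every time the branch runs, and `charMap as any` discards the type check that the rstest variant keeps with an explicit `{ [key: string]: string }` index signature; hoist both to module scope next to the other helpers and type the map. The `'\\': '\\\\'` entry also double-escapes the backslashes JSON.stringify has already produced (a single backslash in the fixture name becomes four in the literal and two in the path require() sees), and the control-character entries (`'\n'`, `'\t'`, ...) never match JSON output because JSON.stringify has already turned those characters into backslash sequences. Remove the backslash and control-character entries from both the table and the regex so that only `<`, `>`, `\u2028` and `\u2029` are rewritten after JSON.stringify, and add a fixture with a backslash in its name to pin the expected require() path.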
EOF
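One added example, serving both autofix comments above; it is not code from the PR, the autofix or the module-federation project. It reproduces the suggested escape table to show where re-escaping JSON.stringify output alters the required path, and contrasts a post-JSON escape limited to `<`, `>` and U+2028/2029; `buildArrayRequire`, `pathSeenByRequire` and the sample fixture names are hypothetical.

```typescript
// Added example, not code from the PR or the module-federation project. It
// reproduces the autofix's escape step to show that re-escaping backslashes
// after JSON.stringify changes the path the generated require() receives, and
// contrasts it with an escape that only adds what JSON.stringify leaves out.

// Escape table and regex copied from the suggested autofix.
const autofixMap: Record<string, string> = {
  '<': '\\u003C', '>': '\\u003E', '/': '\\u002F', '\\': '\\\\',
  '\b': '\\b', '\f': '\\f', '\n': '\\n', '\r': '\\r', '\t': '\\t',
  '\0': '\\0', '\u2028': '\\u2028', '\u2029': '\\u2029',
};
function autofixEscape(str: string): string {
  return str.replace(/[<>\b\f\n\r\t\0\u2028\u2029\\/]/g, (x) => autofixMap[x] || x);
}

// JSON.stringify already escapes quotes, backslashes and control characters.
// Only <, > and the line terminators U+2028/U+2029 still need escaping before
// the literal is embedded in script text; \uXXXX escapes preserve the value.
function toJsStringLiteral(value: string): string {
  return JSON.stringify(value).replace(/[<>\u2028\u2029]/g, (c) => {
    const hex = c.charCodeAt(0).toString(16).toUpperCase();
    return '\\u' + ('0000' + hex).slice(-4);
  });
}

// Build the `module.exports = (require(...), ...)` line the harness generates,
// with a pluggable literal encoder (hypothetical helper, not the harness code).
function buildArrayRequire(args: string[], encode: (s: string) => string): string {
  return `module.exports = (${args.map((arg) => `require(${encode(`./${arg}`)})`).join(', ')});`;
}

// Evaluate a generated string literal as the JS parser would, returning the
// path that require() would actually receive (hypothetical helper).
function pathSeenByRequire(literal: string): string {
  return new Function(`return ${literal};`)() as string;
}

// Constructed sample fixture names: the backslash and the newline are both
// characters JSON.stringify already escapes, so a second backslash rule
// doubles them; the <, > and U+2028 case is handled correctly by both.
const samples: string[] = ['lib\\util', 'x\ny', 'a<b>\u2028c'];
for (const arg of samples) {
  const wanted = `./${arg}`;
  const viaAutofix = pathSeenByRequire(autofixEscape(JSON.stringify(wanted)));
  const viaJsonPlus = pathSeenByRequire(toJsStringLiteral(wanted));
  console.log(JSON.stringify({ wanted, viaAutofix, viaJsonPlus }));
}
console.log(buildArrayRequire(['a<b>', 'c'], toJsStringLiteral));
```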