[web] Don't serve files outside of project#180699
Merged
auto-submit[bot] merged 2 commits intoflutter:masterfrom Jan 8, 2026
Merged
[web] Don't serve files outside of project#180699auto-submit[bot] merged 2 commits intoflutter:masterfrom
auto-submit[bot] merged 2 commits intoflutter:masterfrom
Conversation
github-actions
bot
added
the
tool
![gemini-code-assist[bot]](proxy.php?url=https://avatars.githubusercontent.com/in/956858?s=60&v=4){kind=small}
Contributor
There was a problem hiding this comment.
Code Review
This pull request enhances security by restricting the file search paths in ReleaseAssetServer. The changes remove search paths pointing to the user's home directory and the parent of the Flutter root, mitigating a path traversal vulnerability that could allow serving files from outside the project. A new test is added to confirm that requests for files outside the intended directories now correctly fall back to serving index.html, preventing unauthorized file access. The changes appear correct and effectively address the security concern.
| final Response response = await server.handle( | ||
| Request('GET', Uri.parse('http://foobar/$path')), | ||
| ); | ||
| expect(response.statusCode, 200, reason: 'Path "$path" should return 200 and index.html'); |
Contributor
There was a problem hiding this comment.
So the expected behavior is for any URL that doesn't point to an existing file under the project directory to return index.html? Is it possible to 404?
Contributor
Author
There was a problem hiding this comment.
We can and in fact, that's what we used to do in the past. But then PathUrlStrategy doesn't work.
If the app defines routes such as /settings, /users/123, etc, you want to be able to hit refresh at any of those paths and be served with the index.html file.
With the HashUrlStrategy, the url in the address bar becomes http://localhost:xxxx/#/users/123. Hitting refresh will request / from the server, which correctly serves index.html.
But with PathUrlStrategy, the url in the address bar becomes http://localhost:xxxx/users/123. Hitting refresh will request /users/123 from the server, which returns 404 since there's no file called users/123 in the file system.
Contributor
There was a problem hiding this comment.
Ah, that makes sense. Thanks
flutter-dashboard
bot
removed
the
autosubmit
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Jan 9, 2026
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Jan 9, 2026
This was referenced Jan 9, 2026
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Jan 9, 2026
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Jan 9, 2026
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Jan 10, 2026
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Jan 10, 2026
engine-flutter-autoroll
added a commit
to engine-flutter-autoroll/packages
that referenced
this pull request
Jan 10, 2026
auto-submit bot
pushed a commit
to flutter/packages
that referenced
this pull request
Jan 10, 2026
Roll Flutter from 01d37bc to 73769a2 (65 revisions) flutter/flutter@01d37bc...73769a2 2026-01-10 [email protected] Roll Dart SDK from 5e855c2bb3ef to 87fbfd5381b6 (1 revision) (flutter/flutter#180800) 2026-01-10 [email protected] Roll Skia from b2b109f0e980 to f39cc645b1dd (2 revisions) (flutter/flutter#180796) 2026-01-10 [email protected] Roll Dart SDK from b7963905e6a2 to 5e855c2bb3ef (2 revisions) (flutter/flutter#180794) 2026-01-10 [email protected] Make sure that a CupertinoTabScaffold doesn't crash in 0x0 environment (flutter/flutter#179824) 2026-01-10 [email protected] Roll Dart SDK from d25ad331b7ea to b7963905e6a2 (2 revisions) (flutter/flutter#180783) 2026-01-10 [email protected] Make sure that a Container doesn't crash in 0x0 environment (flutter/flutter#180350) 2026-01-10 [email protected] Make sure that an Expansible doesn't crash in 0x0 environment (flutter/flutter#180478) 2026-01-10 98614782+auto-submit[bot]@users.noreply.github.com Reverts "Enabled some disabled impeller fragment shader dart tests (#180759)" (flutter/flutter#180785) 2026-01-09 [email protected] Merge `widget_tester_leaks_free_test.dart` into `widget_tester_test.dart` (flutter/flutter#180600) 2026-01-09 [email protected] fix: there are no riscv fuchsia artifacts (flutter/flutter#180779) 2026-01-09 [email protected] Roll Skia from 7386219151e6 to b2b109f0e980 (1 revision) (flutter/flutter#180771) 2026-01-09 [email protected] Re-prioritize pipeline compile jobs and perform them eagerly instead of waiting. (flutter/flutter#180022) 2026-01-09 [email protected] Enabled some disabled impeller fragment shader dart tests (flutter/flutter#180759) 2026-01-09 [email protected] Roll Fuchsia Linux SDK from rxeg-6UB678HKJ4UQ... to 83Favz_zzMzdVuOHg... (flutter/flutter#180765) 2026-01-09 [email protected] [A11y ] Add `clearSemantics`in table (flutter/flutter#180665) 2026-01-09 [email protected] Update CODEOWNERS to remove chinmaygarde. (flutter/flutter#180703) 2026-01-09 [email protected] [ Tool ] Add support for linux riscv64 architecture (flutter/flutter#178711) 2026-01-09 [email protected] Roll Skia from e9b3264ade0c to 7386219151e6 (12 revisions) (flutter/flutter#180754) 2026-01-09 [email protected] Roll Dart SDK from fe2ba2c5dd50 to d25ad331b7ea (10 revisions) (flutter/flutter#180741) 2026-01-09 98614782+auto-submit[bot]@users.noreply.github.com Reverts "Unpin google_mobile_ads (#180573)" (flutter/flutter#180761) 2026-01-09 [email protected] Fix typo in dropdown_menu.dart (flutter/flutter#180172) 2026-01-09 [email protected] Roll Packages from 039a026 to 51fe1d9 (1 revision) (flutter/flutter#180742) 2026-01-09 [email protected] Unpin google_mobile_ads (flutter/flutter#180573) 2026-01-09 [email protected] Update flutter changelog for 3.38.6 (flutter/flutter#180708) 2026-01-08 98614782+auto-submit[bot]@users.noreply.github.com Reverts "Fix iOS xattr removal to clear all extended attributes (#180355)" (flutter/flutter#180709) 2026-01-08 [email protected] Make sure that an EditableText doesn't crash in 0x0 environment (flutter/flutter#180457) 2026-01-08 [email protected] Implementation of tooltip windows for win32 (flutter/flutter#179147) 2026-01-08 [email protected] [web] Don't serve files outside of project (flutter/flutter#180699) 2026-01-08 [email protected] Roll Skia from 837be28dd218 to e9b3264ade0c (1 revision) (flutter/flutter#180702) 2026-01-08 [email protected] Add new motion accessibility features to iOS. (flutter/flutter#178102) 2026-01-08 [email protected] Fix iOS xattr removal to clear all extended attributes (flutter/flutter#180355) 2026-01-08 [email protected] [ Widget Preview ] Move widget_preview_scaffold tests to `dev/integration_tests/widget_preview_scaffold` (flutter/flutter#180658) 2026-01-08 [email protected] De-interleaves engine dart test output (flutter/flutter#180651) 2026-01-08 [email protected] [web] Fix SemanticsService.announce not working inside dialogs (flutter/flutter#179958) 2026-01-08 [email protected] Roll Skia from 42233226ac56 to 837be28dd218 (2 revisions) (flutter/flutter#180693) 2026-01-08 [email protected] Roll Dart SDK to 3.11.0-296.2.beta (flutter/flutter#180685) 2026-01-08 [email protected] Improve code quality in `AndroidTouchProcessorTest.java` (flutter/flutter#180583) 2026-01-08 [email protected] Revert "Reverts "[reland] Unify canvas creation and Surface code in S…kwasm and CanvasKit (#179473)" (#180152)" (flutter/flutter#180610) 2026-01-08 [email protected] Roll Skia from a0c407bce408 to 42233226ac56 (4 revisions) (flutter/flutter#180688) 2026-01-08 [email protected] [ Tool ] Fix flake in overall_experience_test.dart (flutter/flutter#180655) 2026-01-08 [email protected] Roll Packages from 9705815 to 039a026 (6 revisions) (flutter/flutter#180684) 2026-01-08 [email protected] flutter_tools: Auto-generate ExportOptions.plist for manual iOS code signing (flutter/flutter#177888) 2026-01-08 [email protected] Roll Skia from 58837e160874 to a0c407bce408 (2 revisions) (flutter/flutter#180679) 2026-01-08 [email protected] Roll Skia from 1e3266fdba86 to 58837e160874 (1 revision) (flutter/flutter#180677) 2026-01-08 [email protected] Roll Skia from 3c47ea10638f to 1e3266fdba86 (4 revisions) (flutter/flutter#180675) 2026-01-08 [email protected] Roll Fuchsia Linux SDK from dTvN_JVSCfGFRasvH... to rxeg-6UB678HKJ4UQ... (flutter/flutter#180673) ...
ivan-vanyusho
pushed a commit
to ivan-vanyusho/packages
that referenced
this pull request
Jan 26, 2026
Roll Flutter from 01d37bc to 73769a2 (65 revisions) flutter/flutter@01d37bc...73769a2 2026-01-10 [email protected] Roll Dart SDK from 5e855c2bb3ef to 87fbfd5381b6 (1 revision) (flutter/flutter#180800) 2026-01-10 [email protected] Roll Skia from b2b109f0e980 to f39cc645b1dd (2 revisions) (flutter/flutter#180796) 2026-01-10 [email protected] Roll Dart SDK from b7963905e6a2 to 5e855c2bb3ef (2 revisions) (flutter/flutter#180794) 2026-01-10 [email protected] Make sure that a CupertinoTabScaffold doesn't crash in 0x0 environment (flutter/flutter#179824) 2026-01-10 [email protected] Roll Dart SDK from d25ad331b7ea to b7963905e6a2 (2 revisions) (flutter/flutter#180783) 2026-01-10 [email protected] Make sure that a Container doesn't crash in 0x0 environment (flutter/flutter#180350) 2026-01-10 [email protected] Make sure that an Expansible doesn't crash in 0x0 environment (flutter/flutter#180478) 2026-01-10 98614782+auto-submit[bot]@users.noreply.github.com Reverts "Enabled some disabled impeller fragment shader dart tests (#180759)" (flutter/flutter#180785) 2026-01-09 [email protected] Merge `widget_tester_leaks_free_test.dart` into `widget_tester_test.dart` (flutter/flutter#180600) 2026-01-09 [email protected] fix: there are no riscv fuchsia artifacts (flutter/flutter#180779) 2026-01-09 [email protected] Roll Skia from 7386219151e6 to b2b109f0e980 (1 revision) (flutter/flutter#180771) 2026-01-09 [email protected] Re-prioritize pipeline compile jobs and perform them eagerly instead of waiting. (flutter/flutter#180022) 2026-01-09 [email protected] Enabled some disabled impeller fragment shader dart tests (flutter/flutter#180759) 2026-01-09 [email protected] Roll Fuchsia Linux SDK from rxeg-6UB678HKJ4UQ... to 83Favz_zzMzdVuOHg... (flutter/flutter#180765) 2026-01-09 [email protected] [A11y ] Add `clearSemantics`in table (flutter/flutter#180665) 2026-01-09 [email protected] Update CODEOWNERS to remove chinmaygarde. (flutter/flutter#180703) 2026-01-09 [email protected] [ Tool ] Add support for linux riscv64 architecture (flutter/flutter#178711) 2026-01-09 [email protected] Roll Skia from e9b3264ade0c to 7386219151e6 (12 revisions) (flutter/flutter#180754) 2026-01-09 [email protected] Roll Dart SDK from fe2ba2c5dd50 to d25ad331b7ea (10 revisions) (flutter/flutter#180741) 2026-01-09 98614782+auto-submit[bot]@users.noreply.github.com Reverts "Unpin google_mobile_ads (#180573)" (flutter/flutter#180761) 2026-01-09 [email protected] Fix typo in dropdown_menu.dart (flutter/flutter#180172) 2026-01-09 [email protected] Roll Packages from 039a026 to 51fe1d9 (1 revision) (flutter/flutter#180742) 2026-01-09 [email protected] Unpin google_mobile_ads (flutter/flutter#180573) 2026-01-09 [email protected] Update flutter changelog for 3.38.6 (flutter/flutter#180708) 2026-01-08 98614782+auto-submit[bot]@users.noreply.github.com Reverts "Fix iOS xattr removal to clear all extended attributes (#180355)" (flutter/flutter#180709) 2026-01-08 [email protected] Make sure that an EditableText doesn't crash in 0x0 environment (flutter/flutter#180457) 2026-01-08 [email protected] Implementation of tooltip windows for win32 (flutter/flutter#179147) 2026-01-08 [email protected] [web] Don't serve files outside of project (flutter/flutter#180699) 2026-01-08 [email protected] Roll Skia from 837be28dd218 to e9b3264ade0c (1 revision) (flutter/flutter#180702) 2026-01-08 [email protected] Add new motion accessibility features to iOS. (flutter/flutter#178102) 2026-01-08 [email protected] Fix iOS xattr removal to clear all extended attributes (flutter/flutter#180355) 2026-01-08 [email protected] [ Widget Preview ] Move widget_preview_scaffold tests to `dev/integration_tests/widget_preview_scaffold` (flutter/flutter#180658) 2026-01-08 [email protected] De-interleaves engine dart test output (flutter/flutter#180651) 2026-01-08 [email protected] [web] Fix SemanticsService.announce not working inside dialogs (flutter/flutter#179958) 2026-01-08 [email protected] Roll Skia from 42233226ac56 to 837be28dd218 (2 revisions) (flutter/flutter#180693) 2026-01-08 [email protected] Roll Dart SDK to 3.11.0-296.2.beta (flutter/flutter#180685) 2026-01-08 [email protected] Improve code quality in `AndroidTouchProcessorTest.java` (flutter/flutter#180583) 2026-01-08 [email protected] Revert "Reverts "[reland] Unify canvas creation and Surface code in S…kwasm and CanvasKit (#179473)" (#180152)" (flutter/flutter#180610) 2026-01-08 [email protected] Roll Skia from a0c407bce408 to 42233226ac56 (4 revisions) (flutter/flutter#180688) 2026-01-08 [email protected] [ Tool ] Fix flake in overall_experience_test.dart (flutter/flutter#180655) 2026-01-08 [email protected] Roll Packages from 9705815 to 039a026 (6 revisions) (flutter/flutter#180684) 2026-01-08 [email protected] flutter_tools: Auto-generate ExportOptions.plist for manual iOS code signing (flutter/flutter#177888) 2026-01-08 [email protected] Roll Skia from 58837e160874 to a0c407bce408 (2 revisions) (flutter/flutter#180679) 2026-01-08 [email protected] Roll Skia from 1e3266fdba86 to 58837e160874 (1 revision) (flutter/flutter#180677) 2026-01-08 [email protected] Roll Skia from 3c47ea10638f to 1e3266fdba86 (4 revisions) (flutter/flutter#180675) 2026-01-08 [email protected] Roll Fuchsia Linux SDK from dTvN_JVSCfGFRasvH... to rxeg-6UB678HKJ4UQ... (flutter/flutter#180673) ...
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Fixes internal bug: b/463611148