From 78947f14a98f89702f188db1d89c9d99cd220101 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20Go=C5=82e=CC=A8biowski-Owczarek?= Date: Sat, 26 Oct 2024 00:35:48 +0200 Subject: [PATCH] Build: Fix an XSS in the test server HTML serving logic The test server has a rule for `/tests/unit/*/*.html` paths that serves a proper local file. However, the parameters after `/unit/` were so far not escaped, leading to possibly reading a file from outside of the Git repository. Fix that by replacing non-alphanumeric characters that are also not `-` or `_`. This should resolve one CodeQL alert. --- tests/runner/createTestServer.js | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/runner/createTestServer.js b/tests/runner/createTestServer.js index 67770c71d8..875e6d3b13 100644 --- a/tests/runner/createTestServer.js +++ b/tests/runner/createTestServer.js @@ -22,7 +22,7 @@ export async function createTestServer( report ) { } ); // Add a script tag to HTML pages to load the QUnit listeners - app.use( /\/tests\/unit\/([^/]+)\/\1\.html$/, async( req, res ) => { + app.use( /\/tests\/unit\/([a-zA-Z0-9_-]+)\/\1\.html$/, async( req, res ) => { const html = await readFile( `tests/unit/${ req.params[ 0 ] }/${ req.params[ 0 ] }.html`, "utf8"
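Review bot: The tightened character class on the `app.use( /\/tests\/unit\/([a-zA-Z0-9_-]+)\/\1\.html$/, ...` line is the entire fix, but nothing at the call site says why it is that narrow, so a later edit could loosen it back to `[^/]+` without noticing that `req.params[ 0 ]` is interpolated twice into the `readFile` path on the lines below. Add a comment above the route such as `// Restrict the test name to [a-zA-Z0-9_-]: it is spliced into the readFile() path below, so path separators, "." and "%" must never reach it.` If Express URL-decodes route captures before exposing them in `req.params` (as I believe it does), excluding `%` from the class is also what keeps a percent-encoded variant out, which is worth stating in the comment if that was part of the intent. The commit message says offending characters are "replaced", whereas the hunk rejects such requests by simply not matching the route; aligning that wording would help whoever triages the CodeQL alert later. The arrow-function body continues past the end of the hunk.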