From 7dc1aefc4d322e9b40b07b52f09ac5a368be09f7 Mon Sep 17 00:00:00 2001
From: Cody Casterline <cody.casterline@gmail.com>
Date: Tue, 23 Feb 2021 00:37:25 -0800
Subject: [PATCH] Don't allow `:` in file names.

File paths with a colon in them can refer to an NTFS "alternate data
stream" which does not operate like a normal file and can break many use
cases. They should be avoided (except for the case of the Windows drive
letter, like "C:").

This reverts some of the test changes made in
87586dfb41df57de791923ac6d8285b66607fca2 which removed the `:` from
the virtual entry names. This seems to be a convention in some plugins.
The test now tests that those names don't result in invalid Windows file
paths.
---
 src/utils/sanitizeFileName.ts                              | 7 ++++++-
 test/chunking-form/samples/sanitize-chunk-names/_config.js | 2 +-
 .../sanitize-chunk-names/_expected/amd/_virtual-entry-1.js | 7 -------
 .../sanitize-chunk-names/_expected/amd/_virtual-entry-2.js | 7 -------
 .../sanitize-chunk-names/_expected/amd/_virtual_entry-1.js | 7 +++++++
 .../sanitize-chunk-names/_expected/amd/_virtual_entry-2.js | 7 +++++++
 .../sanitize-chunk-names/_expected/cjs/_virtual-entry-1.js | 5 -----
 .../sanitize-chunk-names/_expected/cjs/_virtual-entry-2.js | 5 -----
 .../sanitize-chunk-names/_expected/cjs/_virtual_entry-1.js | 5 +++++
 .../sanitize-chunk-names/_expected/cjs/_virtual_entry-2.js | 5 +++++
 .../sanitize-chunk-names/_expected/es/_virtual-entry-1.js  | 3 ---
 .../sanitize-chunk-names/_expected/es/_virtual-entry-2.js  | 3 ---
 .../sanitize-chunk-names/_expected/es/_virtual_entry-1.js  | 3 +++
 .../sanitize-chunk-names/_expected/es/_virtual_entry-2.js  | 3 +++
 .../system/{_virtual-entry-1.js => _virtual_entry-1.js}    | 2 +-
 .../system/{_virtual-entry-2.js => _virtual_entry-2.js}    | 2 +-
 16 files changed, 39 insertions(+), 34 deletions(-)
 delete mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual-entry-1.js
 delete mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual-entry-2.js
 create mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual_entry-1.js
 create mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual_entry-2.js
 delete mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual-entry-1.js
 delete mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual-entry-2.js
 create mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual_entry-1.js
 create mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual_entry-2.js
 delete mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual-entry-1.js
 delete mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual-entry-2.js
 create mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual_entry-1.js
 create mode 100644 test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual_entry-2.js
 rename test/chunking-form/samples/sanitize-chunk-names/_expected/system/{_virtual-entry-1.js => _virtual_entry-1.js} (60%)
 rename test/chunking-form/samples/sanitize-chunk-names/_expected/system/{_virtual-entry-2.js => _virtual_entry-2.js} (60%)

diff --git a/src/utils/sanitizeFileName.ts b/src/utils/sanitizeFileName.ts
index b38e8681ea9..14ceb33e2d1 100644
--- a/src/utils/sanitizeFileName.ts
+++ b/src/utils/sanitizeFileName.ts
@@ -1,3 +1,8 @@
 export function sanitizeFileName(name: string): string {
-	return name.replace(/[\0?*]/g, '_');
+	const match = /^[a-z]:/i.exec(name);
+	const driveLetter = match ? match[0] : "";
+
+	// A `:` is only allowed as part of a windows drive letter (ex: C:\foo)
+	// Otherwise, avoid them because they can refer to NTFS alternate data streams.
+	return driveLetter + name.substr(driveLetter.length).replace(/[\0?*:]/g, '_');
 }
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_config.js b/test/chunking-form/samples/sanitize-chunk-names/_config.js
index 66b25abfdbb..ef6faaae57c 100644
--- a/test/chunking-form/samples/sanitize-chunk-names/_config.js
+++ b/test/chunking-form/samples/sanitize-chunk-names/_config.js
@@ -5,7 +5,7 @@ module.exports = {
 		plugins: [
 			{
 				options(options) {
-					options.input = ['\0virtual-entry-1', '\0virtual-entry-2'];
+					options.input = ['\0virtual:entry-1', '\0virtual:entry-2'];
 					return options;
 				},
 				resolveId(id) {
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual-entry-1.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual-entry-1.js
deleted file mode 100644
index 23620df2e74..00000000000
--- a/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual-entry-1.js
+++ /dev/null
@@ -1,7 +0,0 @@
-define(function () { 'use strict';
-
-	var _virtualEntry1 = "\u0000virtual-entry-1";
-
-	return _virtualEntry1;
-
-});
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual-entry-2.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual-entry-2.js
deleted file mode 100644
index 17e375503d8..00000000000
--- a/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual-entry-2.js
+++ /dev/null
@@ -1,7 +0,0 @@
-define(function () { 'use strict';
-
-	var _virtualEntry2 = "\u0000virtual-entry-2";
-
-	return _virtualEntry2;
-
-});
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual_entry-1.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual_entry-1.js
new file mode 100644
index 00000000000..f41ce27ab24
--- /dev/null
+++ b/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual_entry-1.js
@@ -0,0 +1,7 @@
+define(function () { 'use strict';
+
+	var _virtual_entry1 = "\u0000virtual:entry-1";
+
+	return _virtual_entry1;
+
+});
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual_entry-2.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual_entry-2.js
new file mode 100644
index 00000000000..5746e5e45e9
--- /dev/null
+++ b/test/chunking-form/samples/sanitize-chunk-names/_expected/amd/_virtual_entry-2.js
@@ -0,0 +1,7 @@
+define(function () { 'use strict';
+
+	var _virtual_entry2 = "\u0000virtual:entry-2";
+
+	return _virtual_entry2;
+
+});
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual-entry-1.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual-entry-1.js
deleted file mode 100644
index a234cb704b0..00000000000
--- a/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual-entry-1.js
+++ /dev/null
@@ -1,5 +0,0 @@
-'use strict';
-
-var _virtualEntry1 = "\u0000virtual-entry-1";
-
-module.exports = _virtualEntry1;
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual-entry-2.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual-entry-2.js
deleted file mode 100644
index 5110d9276f1..00000000000
--- a/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual-entry-2.js
+++ /dev/null
@@ -1,5 +0,0 @@
-'use strict';
-
-var _virtualEntry2 = "\u0000virtual-entry-2";
-
-module.exports = _virtualEntry2;
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual_entry-1.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual_entry-1.js
new file mode 100644
index 00000000000..437d8954ef4
--- /dev/null
+++ b/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual_entry-1.js
@@ -0,0 +1,5 @@
+'use strict';
+
+var _virtual_entry1 = "\u0000virtual:entry-1";
+
+module.exports = _virtual_entry1;
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual_entry-2.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual_entry-2.js
new file mode 100644
index 00000000000..d560356654a
--- /dev/null
+++ b/test/chunking-form/samples/sanitize-chunk-names/_expected/cjs/_virtual_entry-2.js
@@ -0,0 +1,5 @@
+'use strict';
+
+var _virtual_entry2 = "\u0000virtual:entry-2";
+
+module.exports = _virtual_entry2;
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual-entry-1.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual-entry-1.js
deleted file mode 100644
index 822d3f7d317..00000000000
--- a/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual-entry-1.js
+++ /dev/null
@@ -1,3 +0,0 @@
-var _virtualEntry1 = "\u0000virtual-entry-1";
-
-export default _virtualEntry1;
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual-entry-2.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual-entry-2.js
deleted file mode 100644
index 0e7995ff4b2..00000000000
--- a/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual-entry-2.js
+++ /dev/null
@@ -1,3 +0,0 @@
-var _virtualEntry2 = "\u0000virtual-entry-2";
-
-export default _virtualEntry2;
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual_entry-1.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual_entry-1.js
new file mode 100644
index 00000000000..9fa2c9b2926
--- /dev/null
+++ b/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual_entry-1.js
@@ -0,0 +1,3 @@
+var _virtual_entry1 = "\u0000virtual:entry-1";
+
+export default _virtual_entry1;
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual_entry-2.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual_entry-2.js
new file mode 100644
index 00000000000..c228f2ab38b
--- /dev/null
+++ b/test/chunking-form/samples/sanitize-chunk-names/_expected/es/_virtual_entry-2.js
@@ -0,0 +1,3 @@
+var _virtual_entry2 = "\u0000virtual:entry-2";
+
+export default _virtual_entry2;
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual-entry-1.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual_entry-1.js
similarity index 60%
rename from test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual-entry-1.js
rename to test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual_entry-1.js
index c8ebce7cbc9..26aafc0c353 100644
--- a/test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual-entry-1.js
+++ b/test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual_entry-1.js
@@ -3,7 +3,7 @@ System.register([], function (exports) {
 	return {
 		execute: function () {
 
-			var _virtualEntry1 = exports('default', "\u0000virtual-entry-1");
+			var _virtual_entry1 = exports('default', "\u0000virtual:entry-1");
 
 		}
 	};
diff --git a/test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual-entry-2.js b/test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual_entry-2.js
similarity index 60%
rename from test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual-entry-2.js
rename to test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual_entry-2.js
index 7d34ce4b2fb..af4edfd003e 100644
--- a/test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual-entry-2.js
+++ b/test/chunking-form/samples/sanitize-chunk-names/_expected/system/_virtual_entry-2.js
@@ -3,7 +3,7 @@ System.register([], function (exports) {
 	return {
 		execute: function () {
 
-			var _virtualEntry2 = exports('default', "\u0000virtual-entry-2");
+			var _virtual_entry2 = exports('default', "\u0000virtual:entry-2");
 
 		}
 	};