vercel[bot]
commented
3 months ago The latest updates on your projects. Learn more about Vercel for Git ↗︎
| Name | Status | Preview | Comments | Updated (UTC) |
|---|---|---|---|---|
| react-email | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | May 8, 2024 1:35pm |
| react-email-demo | ✅ Ready (Inspect) | Visit Preview | 💬 Add feedback | May 8, 2024 1:35pm |
This fixes two security vulnerabilities pointed out by automatic code analysis that could have caused access to files that don't exist causing errors that could be quite hard to debug and find the cause of.
The first issue was inside of the function we use to server the user's static files, i.e.
emails/static, where if it found a certain path access was for a directory likehttp://localhost:3000/static/vercelit would go directly into the index file without checking it existed, which quite didn't make sense anymore so I removed that behavior and just respond with a404in case the URL points into a directory.The second issue was inside of the code we check if a file is an email, inside of the server action called
getEmailsDirectoryMetadata. It was reading the file based on its full path without first checking it existed, and as it could not exist anymore at that point it could cause a race condition as well. Fixed by just checking if the file exists before, and if it doesn't return false, thus ignoring the file as not an email.