make local builds respect "ignore" files when uploading the built output

[falahat]

Description

We already respect the "ignore" entry in firebase.json for source deploys and we want to do the same for local builds.

One crucial difference. For local builds, we apply this filter AFTER the build, on the built output. We can not prevent files from being included in the build.

Scenarios Tested

• Test a local build with an ignore file
• Manually inspect the uploaded content

[gemini-code-assist]

Code Review

This pull request refactors the ignore pattern logic in src/deploy/apphosting/util.ts by centralizing it into a new resolveIgnorePatterns function, which is now utilized by both createLocalBuildTarArchive and createSourceDeployArchive. Additionally, it introduces unit tests to ensure that ignore patterns from configuration and .gitignore files are correctly respected. Feedback includes a recommendation to avoid using 'as any' in test files to comply with the repository's style guide and a suggestion to remove the export keyword from the new utility function if it is only intended for internal use.

[wiz-9635d3485b]

Wiz Scan Summary

Scanner	Findings
Vulnerabilities	-
Sensitive Data	-
Secrets	-
IaC Misconfigurations	-
SAST Findings	3
Software Management Findings	-
Total	3

View scan details in Wiz

To detect these findings earlier in the dev lifecycle, try using Wiz Code VS Code Extension.

[wiz-9635d3485b]

 SAST Finding

Path Traversal Vulnerability in Node.js (CWE-22)

More Details

This rule detects potential path traversal vulnerabilities in Node.js applications. Path traversal vulnerabilities occur when user input is passed unsanitized to file system operations, allowing attackers to access arbitrary files and directories on the server.

This issue presents a significant security risk as it can lead to unauthorized access to sensitive data, code execution, and complete system compromise. If exploited, an attacker could read confidential files, modify system files, or even execute malicious code on the server.

Attribute	Value
Impact
Likelihood

Remediation

Path traversal vulnerabilities allow an attacker to access arbitrary files on the system, potentially exposing sensitive data or enabling further attacks. This vulnerability arises when user input is passed unsanitized to path manipulation functions like path.join or path.resolve, allowing an attacker to traverse the file system using patterns like ../.

To fix this issue, user input should be sanitized or validated before being passed to path manipulation functions. This can be done by using allowlists, removing or encoding special characters, or validating the resulting path against a set of allowed directories.

Code examples

// VULNERABLE CODE - User input is passed directly to path.join
const userInput = req.query.file;
const filePath = path.join(__dirname, userInput);
fs.readFile(filePath, (err, data) => { ... });

// SECURE CODE - User input is sanitized before path manipulation
const userInput = req.query.file;
const sanitizedInput = sanitizeInput(userInput); // Implement sanitization logic
const filePath = path.join(__dirname, sanitizedInput);
fs.readFile(filePath, (err, data) => { ... });

Additional recommendations

• Follow the principle of least privilege and restrict file access as much as possible.
• Use allowlists instead of denylist-based input validation when possible.
• Consider using libraries like path-sanitizer or sanitize-filename for input sanitization.
• Adhere to the OWASP Input Validation Cheat Sheet and other relevant security standards.
• As an alternative approach, consider using a virtual file system or sandboxing techniques to isolate file operations from the main system.

Rule ID: WS-I013-JAVASCRIPT-00098

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

[wiz-9635d3485b]

 SAST Finding

Path Traversal Vulnerability in Node.js (CWE-22)

More Details

This rule detects potential path traversal vulnerabilities in Node.js applications. Path traversal vulnerabilities occur when user input is passed unsanitized to file system operations, allowing attackers to access arbitrary files and directories on the server.

This issue presents a significant security risk as it can lead to unauthorized access to sensitive data, code execution, and complete system compromise. If exploited, an attacker could read confidential files, modify system files, or even execute malicious code on the server.

Attribute	Value
Impact
Likelihood

Remediation

Path traversal vulnerabilities allow an attacker to access arbitrary files on the system, potentially exposing sensitive data or enabling further attacks. This vulnerability arises when user input is passed unsanitized to path manipulation functions like path.join or path.resolve, allowing an attacker to traverse the file system using patterns like ../.

To fix this issue, user input should be sanitized or validated before being passed to path manipulation functions. This can be done by using allowlists, removing or encoding special characters, or validating the resulting path against a set of allowed directories.

Code examples

// VULNERABLE CODE - User input is passed directly to path.join
const userInput = req.query.file;
const filePath = path.join(__dirname, userInput);
fs.readFile(filePath, (err, data) => { ... });

// SECURE CODE - User input is sanitized before path manipulation
const userInput = req.query.file;
const sanitizedInput = sanitizeInput(userInput); // Implement sanitization logic
const filePath = path.join(__dirname, sanitizedInput);
fs.readFile(filePath, (err, data) => { ... });

Additional recommendations

• Follow the principle of least privilege and restrict file access as much as possible.
• Use allowlists instead of denylist-based input validation when possible.
• Consider using libraries like path-sanitizer or sanitize-filename for input sanitization.
• Adhere to the OWASP Input Validation Cheat Sheet and other relevant security standards.
• As an alternative approach, consider using a virtual file system or sandboxing techniques to isolate file operations from the main system.

Rule ID: WS-I013-JAVASCRIPT-00098

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

[wiz-9635d3485b]

 SAST Finding

Path Traversal Vulnerability in Node.js (CWE-22)

More Details

This rule detects potential path traversal vulnerabilities in Node.js applications. Path traversal vulnerabilities occur when user input is passed unsanitized to file system operations, allowing attackers to access arbitrary files and directories on the server.

This issue presents a significant security risk as it can lead to unauthorized access to sensitive data, code execution, and complete system compromise. If exploited, an attacker could read confidential files, modify system files, or even execute malicious code on the server.

Attribute	Value
Impact
Likelihood

Remediation

Path traversal vulnerabilities allow an attacker to access arbitrary files on the system, potentially exposing sensitive data or enabling further attacks. This vulnerability arises when user input is passed unsanitized to path manipulation functions like path.join or path.resolve, allowing an attacker to traverse the file system using patterns like ../.

To fix this issue, user input should be sanitized or validated before being passed to path manipulation functions. This can be done by using allowlists, removing or encoding special characters, or validating the resulting path against a set of allowed directories.

Code examples

// VULNERABLE CODE - User input is passed directly to path.join
const userInput = req.query.file;
const filePath = path.join(__dirname, userInput);
fs.readFile(filePath, (err, data) => { ... });

// SECURE CODE - User input is sanitized before path manipulation
const userInput = req.query.file;
const sanitizedInput = sanitizeInput(userInput); // Implement sanitization logic
const filePath = path.join(__dirname, sanitizedInput);
fs.readFile(filePath, (err, data) => { ... });

Additional recommendations

• Follow the principle of least privilege and restrict file access as much as possible.
• Use allowlists instead of denylist-based input validation when possible.
• Consider using libraries like path-sanitizer or sanitize-filename for input sanitization.
• Adhere to the OWASP Input Validation Cheat Sheet and other relevant security standards.
• As an alternative approach, consider using a virtual file system or sandboxing techniques to isolate file operations from the main system.

Rule ID: WS-I013-JAVASCRIPT-00098

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate

[wiz-9635d3485b]

 SAST Finding

Path Traversal Vulnerability in Node.js (CWE-22)

More Details

This rule detects potential path traversal vulnerabilities in Node.js applications. Path traversal vulnerabilities occur when user input is passed unsanitized to file system operations, allowing attackers to access arbitrary files and directories on the server.

This issue presents a significant security risk as it can lead to unauthorized access to sensitive data, code execution, and complete system compromise. If exploited, an attacker could read confidential files, modify system files, or even execute malicious code on the server.

Attribute	Value
Impact
Likelihood

Remediation

Path traversal vulnerabilities allow an attacker to access arbitrary files on the system, potentially exposing sensitive data or enabling further attacks. This vulnerability arises when user input is passed unsanitized to path manipulation functions like path.join or path.resolve, allowing an attacker to traverse the file system using patterns like ../.

To fix this issue, user input should be sanitized or validated before being passed to path manipulation functions. This can be done by using allowlists, removing or encoding special characters, or validating the resulting path against a set of allowed directories.

Code examples

// VULNERABLE CODE - User input is passed directly to path.join
const userInput = req.query.file;
const filePath = path.join(__dirname, userInput);
fs.readFile(filePath, (err, data) => { ... });

// SECURE CODE - User input is sanitized before path manipulation
const userInput = req.query.file;
const sanitizedInput = sanitizeInput(userInput); // Implement sanitization logic
const filePath = path.join(__dirname, sanitizedInput);
fs.readFile(filePath, (err, data) => { ... });

Additional recommendations

• Follow the principle of least privilege and restrict file access as much as possible.
• Use allowlists instead of denylist-based input validation when possible.
• Consider using libraries like path-sanitizer or sanitize-filename for input sanitization.
• Adhere to the OWASP Input Validation Cheat Sheet and other relevant security standards.
• As an alternative approach, consider using a virtual file system or sandboxing techniques to isolate file operations from the main system.

Rule ID: WS-I013-JAVASCRIPT-00098

To ignore this finding as an exception, reply to this conversation with #wiz_ignore reason

If you'd like to ignore this finding in all future scans, add an exception in the .wiz file (learn more) or create an Ignore Rule (learn more).

To get more details on how to remediate this issue using AI, reply to this conversation with #wiz remediate