fix(nuxt): add validation for nuxt island reviver key (#33069)

huang-julien · web-flow · commit 2566d2046bcc · 2025-09-01T07:29:58.000+01:00
diff --git a/packages/nuxt/src/app/plugins/revive-payload.server.ts b/packages/nuxt/src/app/plugins/revive-payload.server.ts
@@ -5,6 +5,7 @@ import { defineNuxtPlugin } from '../nuxt'
 
 // @ts-expect-error Virtual file.
 import { componentIslands } from '#build/nuxt.config.mjs'
+import { isValidIslandKey } from './utils'
 
 const reducers: [string, (data: any) => any][] = [
   ['NuxtError', data => isNuxtError(data) && data.toJSON()],
@@ -17,7 +18,7 @@ const reducers: [string, (data: any) => any][] = [
 ]
 
 if (componentIslands) {
-  reducers.push(['Island', data => data && data?.__nuxt_island])
+  reducers.push(['Island', data => data && data?.__nuxt_island && isValidIslandKey(data.__nuxt_island.key) && data.__nuxt_island])
 }
 
 export default defineNuxtPlugin({
diff --git a/packages/nuxt/src/app/plugins/utils.ts b/packages/nuxt/src/app/plugins/utils.ts
@@ -0,0 +1,5 @@
+const VALID_ISLAND_KEY_RE = /^[a-z][a-z\d-]*_[a-z\d]+$/i
+/* @__PURE__ */
+export function isValidIslandKey (key: string): boolean {
+  return typeof key === 'string' && VALID_ISLAND_KEY_RE.test(key) && key.length <= 100
+}
diff --git a/packages/nuxt/test/plugin-utils.test.ts b/packages/nuxt/test/plugin-utils.test.ts
@@ -0,0 +1,85 @@
+import { isValidIslandKey } from '#app/plugins/utils'
+import { describe, expect, it } from 'vitest'
+import { hash } from 'ohash'
+import { randomUUID } from 'node:crypto'
+
+describe('isValidIslandKey util', () => {
+  it('should accept valid island keys', () => {
+    // Valid keys following the componentName_hashId pattern
+    expect(isValidIslandKey('MyComponent_abc123')).toBe(true)
+    expect(isValidIslandKey('UserCard_def456')).toBe(true)
+    expect(isValidIslandKey('NavBar_xyz789')).toBe(true)
+    expect(isValidIslandKey('A_1')).toBe(true)
+    expect(isValidIslandKey('Component123_hash456')).toBe(true)
+    expect(isValidIslandKey('my-component_hash123')).toBe(true)
+    expect(isValidIslandKey('Component-Name_hash123')).toBe(true)
+    const sampleHash = hash({ props: randomUUID() }).replace(/[-_]/g, '')
+    expect(isValidIslandKey('ComponentName_' + sampleHash)).toBe(true)
+  })
+
+  it('should reject invalid island keys', () => {
+    // Empty or null/undefined
+    expect(isValidIslandKey('')).toBe(false)
+    expect(isValidIslandKey(null as any)).toBe(false)
+    expect(isValidIslandKey(undefined as any)).toBe(false)
+
+    // Missing underscore separator
+    expect(isValidIslandKey('ComponentName')).toBe(false)
+    expect(isValidIslandKey('hash123')).toBe(false)
+
+    // Invalid characters
+    expect(isValidIslandKey('Component/Name_hash123')).toBe(false)
+    expect(isValidIslandKey('Component\\Name_hash123')).toBe(false)
+    expect(isValidIslandKey('Component..Name_hash123')).toBe(false)
+    expect(isValidIslandKey('Component Name_hash123')).toBe(false)
+    expect(isValidIslandKey('Component<script>_hash123')).toBe(false)
+    expect(isValidIslandKey('Component"_hash123')).toBe(false)
+    expect(isValidIslandKey('Component\'_hash123')).toBe(false)
+
+    // Starting with invalid characters
+    expect(isValidIslandKey('123Component_hash123')).toBe(false)
+    expect(isValidIslandKey('_Component_hash123')).toBe(false)
+    expect(isValidIslandKey('-Component_hash123')).toBe(false)
+
+    // Path traversal attempts
+    expect(isValidIslandKey('../Component_hash123')).toBe(false)
+    expect(isValidIslandKey('../../Component_hash123')).toBe(false)
+    expect(isValidIslandKey('Component_../hash123')).toBe(false)
+    expect(isValidIslandKey('Component_../../hash123')).toBe(false)
+
+    // URL/protocol attempts
+    expect(isValidIslandKey('http://evil.com_hash123')).toBe(false)
+    expect(isValidIslandKey('file:///etc/passwd_hash123')).toBe(false)
+    expect(isValidIslandKey('Component_http://evil.com')).toBe(false)
+
+    const longKey = 'A'.repeat(95) + '_' + 'B'.repeat(10)
+    expect(isValidIslandKey(longKey)).toBe(false)
+
+    expect(isValidIslandKey('Component_Name_hash123')).toBe(false)
+    expect(isValidIslandKey('Component__hash123')).toBe(false)
+  })
+
+  it('should handle edge cases', () => {
+    // Maximum allowed length (100 chars)
+    const maxLengthKey = 'A'.repeat(94) + '_' + 'B'.repeat(5) // 100 chars total
+    expect(isValidIslandKey(maxLengthKey)).toBe(true)
+
+    // Just over maximum length
+    const overLengthKey = 'A'.repeat(95) + '_' + 'B'.repeat(6) // 102 chars total
+    expect(isValidIslandKey(overLengthKey)).toBe(false)
+
+    // Minimum valid length
+    expect(isValidIslandKey('A_1')).toBe(true)
+
+    // Single character component name with long hash
+    expect(isValidIslandKey('A_' + 'B'.repeat(97))).toBe(true) // 100 chars total
+  })
+
+  it('should reject non-string inputs', () => {
+    expect(isValidIslandKey(123 as any)).toBe(false)
+    expect(isValidIslandKey({} as any)).toBe(false)
+    expect(isValidIslandKey([] as any)).toBe(false)
+    expect(isValidIslandKey(true as any)).toBe(false)
+    expect(isValidIslandKey(Symbol('test') as any)).toBe(false)
+  })
+})
diff --git a/test/bundle.test.ts b/test/bundle.test.ts
@@ -117,7 +117,7 @@ describe.skipIf(process.env.SKIP_BUNDLE_SIZE === 'true' || process.env.ECOSYSTEM
     const serverDir = join(pagesRootDir, '.output/server')
 
     const serverStats = await analyzeSizes(['**/*.mjs', '!node_modules'], serverDir)
-    expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot(`"288k"`)
+    expect.soft(roundToKilobytes(serverStats.totalBytes)).toMatchInlineSnapshot(`"289k"`)
 
     const modules = await analyzeSizes(['node_modules/**/*'], serverDir)
     expect.soft(roundToKilobytes(modules.totalBytes)).toMatchInlineSnapshot(`"1420k"`)

Original file line number	Diff line number	Diff line change
`@@ -5,6 +5,7 @@ import { defineNuxtPlugin } from '../nuxt'`
`5`	`5`
`6`	`6`	`// @ts-expect-error Virtual file.`
`7`	`7`	`import { componentIslands } from '#build/nuxt.config.mjs'`
	`8`	`+import { isValidIslandKey } from './utils'`
`8`	`9`
`9`	`10`	`const reducers: [string, (data: any) => any][] = [`
`10`	`11`	`['NuxtError', data => isNuxtError(data) && data.toJSON()],`
`@@ -17,7 +18,7 @@ const reducers: [string, (data: any) => any][] = [`
`17`	`18`	`]`
`18`	`19`
`19`	`20`	`if (componentIslands) {`
`20`		`- reducers.push(['Island', data => data && data?.__nuxt_island])`
	`21`	`+ reducers.push(['Island', data => data && data?.__nuxt_island && isValidIslandKey(data.__nuxt_island.key) && data.__nuxt_island])`
`21`	`22`	`}`
`22`	`23`
`23`	`24`	`export default defineNuxtPlugin({`