fix: harden mf rsc bundle loading and runtime hooks

Author: ScriptedAlchemy

packages/modernjs-v3/src/cli/mfRuntimePlugins/rsc-bridge-runtime-plugin.ts

@@ -663,7 +663,7 @@ const rscBridgeRuntimePlugin = (): ModuleFederationRuntimePlugin => {
       if (!alias) {
         return args;
       }
-      void ensureRemoteAliasMerged(alias, args);
+      await ensureRemoteAliasMerged(alias, args);
       return args;
     },
     async onLoad(args: any) {

packages/modernjs-v3/src/cli/ssrPlugin.ts

@@ -260,11 +260,25 @@ export const moduleFederationSSRPlugin = (
                   return;
                 }
                 try {
-                  if (
-                    req.url?.includes('.json') &&
-                    !req.url?.includes('hot-update')
-                  ) {
-                    const filepath = path.join(process.cwd(), `dist${req.url}`);
+                  const requestPath = req.url?.split('?')[0] || '';
+                  const isJsonRequest = path.extname(requestPath) === '.json';
+                  if (isJsonRequest && !requestPath.includes('hot-update')) {
+                    if (!requestPath.startsWith('/')) {
+                      next();
+                      return;
+                    }
+
+                    const distRoot = path.resolve(process.cwd(), 'dist');
+                    const filepath = path.resolve(distRoot, `.${requestPath}`);
+                    const allowedPrefix = `${distRoot}${path.sep}`;
+                    if (
+                      filepath !== distRoot &&
+                      !filepath.startsWith(allowedPrefix)
+                    ) {
+                      next();
+                      return;
+                    }
+
                     fs.statSync(filepath);
                     res.setHeader('Access-Control-Allow-Origin', '*');
                     res.setHeader(

packages/server/core/src/adapters/node/plugins/resource.ts

@@ -65,7 +65,7 @@ const isPromiseLike = (value: unknown): value is Promise<unknown> =>
   'then' in (value as Promise<unknown>) &&
   typeof (value as Promise<unknown>).then === 'function';
 
-const loadBundleModule = async (filepath: string): Promise<unknown> => {
+const loadBundleModule = (filepath: string): unknown | Promise<unknown> => {
   try {
     return require(filepath);
   } catch (err: any) {
@@ -124,7 +124,7 @@ const loadBundle = async (
   }
 
   try {
-    const module = await loadBundleModule(filepath);
+    const module = loadBundleModule(filepath);
     if (!isPromiseLike(module)) {
       return module;
     }