fix(rsc-mf): harden static path and bridge load dedupe

ScriptedAlchemy · cursoragent · ScriptedAlchemy · commit b5f6763ed0b2 · 2026-02-17T21:28:18.000-08:00
Prevent static middleware path traversal-by-reset by resolving requests under the bundles root with explicit containment checks, and make bridge loading dedupe atomic by caching a pending promise before triggering remote load side effects.

Co-authored-by: Cursor &lt;cursoragent@cursor.com&gt;
diff --git a/packages/modernjs-v3/src/cli/mfRuntimePlugins/rsc-bridge-runtime-plugin.ts b/packages/modernjs-v3/src/cli/mfRuntimePlugins/rsc-bridge-runtime-plugin.ts
@@ -289,9 +289,16 @@ const rscBridgeRuntimePlugin = (): ModuleFederationRuntimePlugin => {
         '[modern-js-v3:rsc-bridge] Module Federation runtime instance is unavailable while loading the RSC bridge',
       );
     }
-    const bridgePromise = Promise.resolve(
-      runtimeInstance.loadRemote(`${alias}/${RSC_BRIDGE_EXPOSE}`),
-    )
+    let resolveBridge!: (bridge: BridgeModule) => void;
+    let rejectBridge!: (error: unknown) => void;
+    const bridgePromise = new Promise<BridgeModule>((resolve, reject) => {
+      resolveBridge = resolve;
+      rejectBridge = reject;
+    });
+    bridgePromises[alias] = bridgePromise;
+
+    void Promise.resolve()
+      .then(() => runtimeInstance.loadRemote(`${alias}/${RSC_BRIDGE_EXPOSE}`))
       .then((bridge: BridgeModule) => {
         if (
           !bridge ||
@@ -302,14 +309,14 @@ const rscBridgeRuntimePlugin = (): ModuleFederationRuntimePlugin => {
             `[modern-js-v3:rsc-bridge] Remote "${alias}" is missing the internal RSC bridge expose`,
           );
         }
-        return bridge;
+        resolveBridge(bridge);
       })
       .catch((error: unknown) => {
         // Allow retry when bridge loading fails transiently.
         delete bridgePromises[alias];
-        throw error;
+        rejectBridge(error);
       });
-    bridgePromises[alias] = bridgePromise;
+
     return bridgePromise;
   };
 
diff --git a/packages/modernjs-v3/src/server/staticMiddleware.ts b/packages/modernjs-v3/src/server/staticMiddleware.ts
@@ -26,6 +26,7 @@ const createStaticMiddleware = (options: {
   pwd: string;
 }): MiddlewareHandler => {
   const { assetPrefix, pwd } = options;
+  const bundlesRootDir = path.resolve(pwd, `.${bundlesAssetPrefix}`);
 
   return async (c, next) => {
     const pathname = c.req.path;
@@ -47,7 +48,12 @@ const createStaticMiddleware = (options: {
     }
 
     const pathnameWithoutPrefix = pathname.replace(prefixWithBundle, '');
-    const filepath = path.join(pwd, bundlesAssetPrefix, pathnameWithoutPrefix);
+    const relativeBundlePath = pathnameWithoutPrefix.replace(/^\/+/, '');
+    const filepath = path.resolve(bundlesRootDir, relativeBundlePath);
+    const allowedPrefix = `${bundlesRootDir}${path.sep}`;
+    if (filepath !== bundlesRootDir && !filepath.startsWith(allowedPrefix)) {
+      return next();
+    }
     if (!(await fs.pathExists(filepath))) {
       return next();
     }
