
Security: Dynamic import invocation without existence check can crash route (availability risk)#1176

Closed
tomaioo wants to merge 1 commit intoqwikifiers:mainfrom
tomaioo:fix/security/dynamic-import-invocation-without-existe

Conversation


@tomaioo tomaioo commented Apr 17, 2026

Summary

Security: Dynamic import invocation without existence check can crash route (availability risk)

Problem

Severity: Low | File: apps/component-tests/src/components/showcase-test/showcase-test.tsx:L13

A module loader function is resolved from metaGlobComponents[componentPath] and invoked without verifying it exists. A crafted route param that does not match a key can result in invoking undefined, causing runtime errors and potential repeated 500 responses (DoS-by-error for that endpoint).

Solution

Validate that metaGlobComponents[componentPath] exists before invocation. Return a controlled 404/fallback component when not found, and wrap dynamic import in try/catch with graceful error handling.

Changes

  • apps/component-tests/src/components/showcase-test/showcase-test.tsx (modified)

A module loader function is resolved from `metaGlobComponents[componentPath]` and invoked without verifying it exists. A crafted route param that does not match a key can result in invoking `undefined`, causing runtime errors and potential repeated 500 responses (DoS-by-error for that endpoint).

Signed-off-by: tomaioo <203048277+tomaioo@users.noreply.github.com>
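The unchecked lookup the description describes, beside the existence check plus try/catch it proposes, as an added TypeScript example; this is not the PR's diff or qwik-ui code, and the glob map, paths and module shapes are constructed stand-ins:

```typescript
// Added example (not code from qwik-ui): models the pattern the PR describes,
// a Vite-style glob map keyed by file path with the loader chosen by a route
// parameter. The map, paths and module shapes below are constructed samples.
type Loader = () => Promise<{ default: unknown }>;

// Stand-in for `import.meta.glob(...)`: constructed sample map.
const metaGlobComponents: Record<string, Loader> = {
  '/src/showcase/button.tsx': async () => ({ default: 'ButtonShowcase' }),
  '/src/showcase/broken.tsx': async () => { throw new Error('chunk failed to load'); },
};

// Vulnerable shape: the loader is invoked unconditionally, so an unknown path
// calls `undefined()` and the TypeError escapes into the route handler.
export async function loadShowcaseUnchecked(componentPath: string): Promise<unknown> {
  const loader = metaGlobComponents[componentPath];
  const mod = await loader(); // TypeError when `loader` is undefined
  return mod.default;
}

// Own-key check rather than a truthiness check: inherited names such as
// "constructor" or "toString" resolve to functions on a plain object and
// would otherwise pass `if (loader)` and be invoked.
export function hasShowcase(componentPath: string): boolean {
  return Object.prototype.hasOwnProperty.call(metaGlobComponents, componentPath);
}

export type ShowcaseResult =
  | { status: 'ok'; component: unknown }
  | { status: 'not_found' }
  | { status: 'load_error'; message: string };

// Hardened shape: existence check first, then the dynamic import is wrapped so
// a failed chunk load degrades to a controlled result the route can render as
// a 404 / fallback instead of an unhandled rejection and a 500.
export async function loadShowcase(componentPath: string): Promise<ShowcaseResult> {
  if (!hasShowcase(componentPath)) {
    return { status: 'not_found' };
  }
  try {
    const mod = await metaGlobComponents[componentPath]();
    return { status: 'ok', component: mod.default };
  } catch (err) {
    const message = err instanceof Error ? err.message : String(err);
    return { status: 'load_error', message };
  }
}
```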

changeset-bot Bot commented Apr 17, 2026

⚠️ No Changeset found

Latest commit: 8bede63

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types



CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment same as the below format.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request


pkg-pr-new Bot commented Apr 17, 2026


npm i https://pkg.pr.new/qwik-ui@1176
npm i https://pkg.pr.new/@qwik-ui/headless@1176
npm i https://pkg.pr.new/@qwik-ui/styled@1176
npm i https://pkg.pr.new/@qwik-ui/utils@1176

commit: 8bede63


maiieul commented Apr 23, 2026

Qwik UI is in low maintenance atm (A lot of work for V2 has been done in separate projects) so I'll close for now. Would love a PR for the qwik docs if the code there isn't secure https://qwik.dev/docs/cookbook/glob-import/. Thanks @tomaioo !

@maiieul maiieul closed this Apr 23, 2026