
Conversation

@pmitros
Contributor

@pmitros pmitros commented Jan 11, 2026

No description provided.


@chatgpt-codex-connector chatgpt-codex-connector bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 8db643f1e5

ℹ️ About Codex in GitHub

Codex has been enabled to automatically review pull requests in this repo. Reviews are triggered when you

  • Open a pull request for review
  • Mark a draft as ready
  • Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

When you sign up for Codex through ChatGPT, Codex can also answer questions or update the PR, like "@codex address that feedback".

Comment on lines +168 to +170
const version = Date.now();
const filename = `${name}-${version}.js`;
const filepath = path.join(DYNAMIC_BLOCKS_DIR, filename);


P1: Sanitize block name before building output path

The name field comes straight from the request body and is interpolated into filename before being passed to path.join, which means a caller can include path separators (e.g. ../) and escape public/dynamic-blocks, resulting in arbitrary file writes relative to the server’s working directory. This is a security issue if the endpoint is reachable outside trusted tooling. Consider restricting name to a safe slug (e.g. /^[A-Za-z0-9_-]+$/) or using path.basename and rejecting any .. or separator characters before composing the path.

Useful? React with 👍 / 👎.

Comment on lines +121 to +123
build.onResolve({ filter: /^\./ }, args => {
const resolved = args.path.replace(/^\.\//, '');
return { path: resolved, namespace: 'virtual' };


P2: Resolve relative imports using the importer directory

The virtual filesystem resolver strips ./ and returns a path without using args.resolveDir, and the loader doesn’t set a resolveDir for virtual modules. As a result, relative imports from nested source files (e.g. components/Card.tsx importing ./Button) will be resolved as Button instead of components/Button, leading to “Virtual file not found” errors and failed compilation for any block that organizes code in subdirectories. Use path.join(args.resolveDir, args.path) and/or set resolveDir in onLoad to the file’s directory.

Useful? React with 👍 / 👎.
