Merge branch 'feat/add-linked-files' into develop

JavedNicolas · JavedNicolas · commit 51b65d7300f2 · 2025-08-19T12:04:45.000+02:00
diff --git a/lib/src/asset_loader.dart b/lib/src/asset_loader.dart
@@ -24,6 +24,9 @@ abstract class AssetLoader {
 /// default used is RootBundleAssetLoader which uses flutter's assetloader
 ///
 class RootBundleAssetLoader extends AssetLoader {
+  // Place inside class RootBundleAssetLoader
+  static const int _maxLinkedDepth = 32;
+
   const RootBundleAssetLoader();
 
   String getLocalePath(String basePath, Locale locale) {
@@ -35,28 +38,64 @@ class RootBundleAssetLoader extends AssetLoader {
   }
 
   Future<Map<String, dynamic>> _getLinkedTranslationFileDataFromBaseJson(
-      String basePath, Locale locale, Map<String, dynamic> baseJson,
-      {List<String> fileLoaded = const []}) async {
-    Map<String, dynamic> fullJson = Map<String, dynamic>.from(baseJson);
+    String basePath,
+    Locale locale,
+    Map<String, dynamic> baseJson, {
+    required Set<String> visited,
+    required Map<String, Map<String, dynamic>> cache,
+    int depth = 0,
+  }) async {
+    if (depth > _maxLinkedDepth) {
+      throw StateError('Maximum linked files depth ($_maxLinkedDepth) exceeded for $locale at $basePath.');
+    }
+
+    final Map<String, dynamic> fullJson = Map<String, dynamic>.from(baseJson);
 
-    for (var entry in baseJson.entries) {
-      var key = entry.key;
+    for (final entry in baseJson.entries) {
+      final key = entry.key;
       var value = entry.value;
 
       if (value is String && value.startsWith(':/')) {
-        String filePath = value.substring(2);
+        final rawPath = value.substring(2).trim();
+        // Normalize and reject traversal
+        final normalizedPath = rawPath.replaceAll(RegExp(r'^[\\/]+'), '');
+        if (normalizedPath.contains('..')) {
+          throw FormatException('Invalid linked file path "$rawPath" for key "$key".');
+        }
+        final linkedAssetPath = _getLinkedLocalePath(basePath, normalizedPath, locale);
 
-        if (fileLoaded.contains(filePath)) {
-          throw Exception('Circular reference detected: $filePath is loaded multiple times');
+        if (visited.contains(linkedAssetPath)) {
+          throw StateError('Cyclic linked files detected at "$linkedAssetPath" (key: "$key").');
         }
 
-        fileLoaded.add(filePath);
-        value = json.decode(await rootBundle.loadString(_getLinkedLocalePath(basePath, filePath, locale)));
+        final Map<String, dynamic> linkedJson = cache[linkedAssetPath] ??
+            (cache[linkedAssetPath] =
+                (json.decode(await rootBundle.loadString(linkedAssetPath)) as Map<String, dynamic>));
+
+        visited.add(linkedAssetPath);
+        try {
+          value = await _getLinkedTranslationFileDataFromBaseJson(
+            basePath,
+            locale,
+            linkedJson,
+            visited: visited,
+            cache: cache,
+            depth: depth + 1,
+          );
+        } finally {
+          visited.remove(linkedAssetPath);
+        }
       }
 
       if (value is Map<String, dynamic>) {
-        fullJson[key] =
-            await _getLinkedTranslationFileDataFromBaseJson(basePath, locale, value, fileLoaded: fileLoaded);
+        fullJson[key] = await _getLinkedTranslationFileDataFromBaseJson(
+          basePath,
+          locale,
+          value,
+          visited: visited,
+          cache: cache,
+          depth: depth + 1,
+        );
       }
     }
 
@@ -69,6 +108,12 @@ class RootBundleAssetLoader extends AssetLoader {
     EasyLocalization.logger.debug('Load asset from $path');
 
     Map<String, dynamic> baseJson = json.decode(await rootBundle.loadString(localePath));
-    return await _getLinkedTranslationFileDataFromBaseJson(path, locale, baseJson);
+    return await _getLinkedTranslationFileDataFromBaseJson(
+      path,
+      locale,
+      baseJson,
+      visited: <String>{},
+      cache: <String, Map<String, dynamic>>{},
+    );
   }
 }
