From 37802034ae6f3b654bcf3b62b7843c1f15c14ffe Mon Sep 17 00:00:00 2001
From: Joey Perrott
Date: Thu, 4 Jun 2026 15:45:39 +0000
Subject: [PATCH 1/2] fix(ng-dev): prevent arbitrary file write via symlink

---
 .../rules_angular/src/optimization/index.bzl | 19 +++++++++++++++++++
 .../src/optimization/optimize.sh             |  2 +-
 2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/bazel/rules/rules_angular/src/optimization/index.bzl b/bazel/rules/rules_angular/src/optimization/index.bzl
index 6aa692ac17..ef59233c42 100644
--- a/bazel/rules/rules_angular/src/optimization/index.bzl
+++ b/bazel/rules/rules_angular/src/optimization/index.bzl
@@ -19,11 +19,30 @@ def optimize_angular_app(
         root_paths = [""],
     )
 
+    native.genrule(
+        name = "_%s_check_symlinks" % name,
+        srcs = srcs,
+        outs = ["_%s_check_symlinks_passed.txt" % name],
+        cmd = """
+            for f in $(SRCS) ""; do
+                if [ -z "$$f" ]; then continue; fi
+                target=$$(readlink "$$f" || true)
+                if [ -n "$$target" ] && [ -h "$$target" ]; then
+                    echo "Security violation: Symbolic links are not permitted in user input. ($$f)" >&2
+                    exit 1
+                fi
+            done
+            touch $@
+        """,
+        tags = ["manual"],
+    )
+
     run_binary(
         name = "_%s_build" % name,
         tool = "@rules_angular//src/optimization:optimize",
         tags = ["manual"],
         srcs = [
+            ":_%s_check_symlinks" % name,
             ":_%s_package" % name,
             "@yq_toolchains//:resolved_toolchain",
             "@rules_angular//src/optimization/boilerplate",
diff --git a/bazel/rules/rules_angular/src/optimization/optimize.sh b/bazel/rules/rules_angular/src/optimization/optimize.sh
index 6e3caab253..fb9fcbefd7 100755
--- a/bazel/rules/rules_angular/src/optimization/optimize.sh
+++ b/bazel/rules/rules_angular/src/optimization/optimize.sh
@@ -21,7 +21,7 @@ NG_CLI_TOOL="$RUNFILES/$NG_CLI_TOOL_RUNFILES_PATH"
 cp -Rf -L $BOILERPLATE_DIR/* $OUT_DIR
 
 # Copy user files.
-cp -Rf -L $INPUT_PACKAGE/* $OUT_DIR/src/
+cp -Rf $INPUT_PACKAGE/* $OUT_DIR/src/
 
 # Prepare for `angular.json` to be modified below.
 unlink $OUT_DIR/angular.json
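Review bot: The guard `[ -n "$$target" ] && [ -h "$$target" ]` tests the destination of `$$f`'s first link hop, not `$$f` itself, so it fires only for a chain of at least two symlinks; a source entry that is a single symlink to a regular file is accepted unless Bazel has already wrapped the input in a link of its own, which I believe happens only under sandboxed execution, so whether the check catches anything depends on the spawn strategy. Patch 2/2's hunk on this same cmd string keeps that shape and resolves relative targets for the second hop only, so longer chains escape there as well. A bounded loop that follows every hop and rejects the entry once the chain is longer than the single link Bazel may add would make the test independent of where the first hop lives; that threshold inherits the existing assumption and should be confirmed against the strategies this rule runs under. Unquoted `$(SRCS)` also word-splits on paths containing spaces. The enclosing macro begins and ends outside the hunk.
```starlark
            for f in $(SRCS) ""; do
                if [ -z "$$f" ]; then continue; fi
                link="$$f"
                hops=0
                # Follow the whole chain (bounded, so a link cycle cannot hang the action).
                while [ -h "$$link" ] && [ "$$hops" -lt 16 ]; do
                    hops=$$((hops + 1))
                    next=$$(readlink "$$link")
                    case "$$next" in
                        /*) link="$$next" ;;
                        *) link="$$(dirname "$$link")/$$next" ;;
                    esac
                done
                # One hop may be the link Bazel creates for the input itself (confirm per spawn strategy);
                # anything beyond it, or a chain that never terminated, came from the source tree.
                if [ "$$hops" -gt 1 ] || [ -h "$$link" ]; then
                    echo "Security violation: Symbolic links are not permitted in user input. ($$f)" >&2
                    exit 1
                fi
            done
            # … unchanged: touch $@ …
```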
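Review bot: Dropping `-L` leaves the treatment of symlinks under `$INPUT_PACKAGE` to cp's default for `-R`, which POSIX leaves unspecified; GNU and BSD cp happen to default to not following links, but the fix depends on that silently. Stating it explicitly, `cp -Rf -P $INPUT_PACKAGE/* $OUT_DIR/src/`, pins the behaviour the change relies on. With links preserved, a user entry that gets past the `_check_symlinks` genrule is still reproduced in `$OUT_DIR/src/` as a link, so the copy no longer reaches outside the package but any later step that reads the tree may still dereference it. The rest of the script is outside the hunk.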
From 2963ebb5410d459e98fd59d3206376114bec3d5c Mon Sep 17 00:00:00 2001
From: Joey Perrott
Date: Thu, 4 Jun 2026 21:58:38 +0000
Subject: [PATCH 2/2] fix(ng-dev): properly handle relative symlinks in security check

---
 bazel/rules/rules_angular/src/optimization/index.bzl | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/bazel/rules/rules_angular/src/optimization/index.bzl b/bazel/rules/rules_angular/src/optimization/index.bzl
index ef59233c42..de793e0022 100644
--- a/bazel/rules/rules_angular/src/optimization/index.bzl
+++ b/bazel/rules/rules_angular/src/optimization/index.bzl
@@ -27,9 +27,15 @@ def optimize_angular_app(
             for f in $(SRCS) ""; do
                 if [ -z "$$f" ]; then continue; fi
                 target=$$(readlink "$$f" || true)
-                if [ -n "$$target" ] && [ -h "$$target" ]; then
-                    echo "Security violation: Symbolic links are not permitted in user input. ($$f)" >&2
-                    exit 1
+                if [ -n "$$target" ]; then
+                    case "$$target" in
+                        /*) ;;
+                        *) target="$$(dirname "$$f")/$$target" ;;
+                    esac
+                    if [ -h "$$target" ]; then
+                        echo "Security violation: Symbolic links are not permitted in user input. ($$f)" >&2
+                        exit 1
+                    fi
                 fi
             done
             touch $@
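Review bot: Nothing in the cmd string says why the symlink test is applied to `$$target` rather than to `$$f`, and the new `case` block makes that two-hop intent harder still to read; a comment above `target=$$(readlink "$$f" || true)` such as `# $$f is the path Bazel hands the action; a symlink found behind it was supplied in the source tree.` would record the assumption, which I believe holds only where Bazel wraps inputs in links of its own and so is worth stating. The `case` arms also deserve a one-line note that they only make `$$target` resolvable relative to `$$f`'s directory for the `-h` test that follows, not a full resolution. The enclosing macro begins and ends outside the hunk.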