fix(@angular/cli): prevents using assets from outside the project

This is a security risk. Think reading things from the home directory.

Author: hansl

packages/@angular/cli/models/webpack-configs/common.ts

@@ -112,6 +112,12 @@ export function getCommonConfig(wco: WebpackConfigOptions) {
         }
       }
 
+      // Prevent asset configurations from reading files outside of the project.
+      if (!asset.input.startsWith(projectRoot)) {
+        const message = 'An asset cannot be read from a location outside the project.';
+        throw new SilentError(message);
+      }
+
       // Ensure trailing slash.
       if (isDirectory(path.resolve(asset.input))) {
         asset.input += '/';

tests/e2e/tests/build/assets.ts

@@ -55,6 +55,15 @@ export default function () {
     }))
     .then(() => expectToFail(() => ng('build')))
 
+    // This asset should also fail from reading from outside the project.
+    .then(() => updateJsonFile('.angular-cli.json', configJson => {
+      const app = configJson['apps'][0];
+      app['assets'] = [
+        { 'glob': '**/*', 'input': '/temp-folder/outside/of/project', 'output': 'temp' }
+      ];
+    }))
+    .then(() => expectToFail(() => ng('build')))
+
     // Add asset config in .angular-cli.json.
     .then(() => updateJsonFile('.angular-cli.json', configJson => {
       const app = configJson['apps'][0];