Bug
The Flatpak target uses appId directly when naming the generated manifest file, but it does not validate that the value is a valid reverse-DNS Flatpak application ID first.
That means a malformed value such as ../escape can escape the configured output directory when the manifest path is built, and a too-short value such as com.example is accepted even though it is not a usable Flatpak app ID.
Expected
Reject malformed appId values before writing manifest files or logging a ship action.
Reproduction
Add a pkg-flatpak config with appId: '../escape' and run the target build. The generated manifest path resolves outside the target outDir.
Bug
The Flatpak target uses
appIddirectly when naming the generated manifest file, but it does not validate that the value is a valid reverse-DNS Flatpak application ID first.That means a malformed value such as
../escapecan escape the configured output directory when the manifest path is built, and a too-short value such ascom.exampleis accepted even though it is not a usable Flatpak app ID.Expected
Reject malformed
appIdvalues before writing manifest files or logging a ship action.Reproduction
Add a pkg-flatpak config with
appId: '../escape'and run the target build. The generated manifest path resolves outside the targetoutDir.