Which @angular/* package(s) are the source of the bug?

localize

Is this a regression?

No

Description

This was first submitted through the security disclosure form but was not deemed high enough to warrant an address, and I was asked to report it as a regular bug.

The localize-translate CLI tool uses the locale field from translation files to expand the {{LOCALE}} marker in the --outputPath pattern. The locale value is concatenated directly into the filesystem path without any validation, so a translation file with a locale like ../../escaped causes output to be written outside the configured output directory.

The root cause is in getOutputPathFn(), which builds the output path via simple string concatenation:

function getOutputPathFn(fs2, outputFolder) {
  const [pre, post] = outputFolder.split("{{LOCALE}}");
  return post === void 0
    ? (_locale, relativePath) => fs2.join(pre, relativePath)
    : (locale, relativePath) => fs2.join(pre + locale + post, relativePath);
}

locale is spliced into the path with no check for .., /, \, or any other non-locale characters. The resulting path is then passed to fs.writeFile(), which happily writes wherever the resolved path points.

When using the documented pattern -o dist/{{LOCALE}} and a translation file contains "locale": "../../escaped", the output resolves to ../escaped/ instead of staying inside dist/. This is unexpected -- developers rely on -o to confine all output to a specific directory, and the {{LOCALE}} marker is documented as expanding to a locale name (e.g. en, fr, de).

This affects all four write paths in the CLI: getOutputPathFn(), translateFile(), writeSourceFile(), and writeAssetFile().

Please provide a link to a minimal reproduction of the bug

No response

Please provide the exception or error you saw

Please provide the environment you discovered this bug in (run ng version)

Anything else?

No response