From fe4087aeafb006c32159af9c67ba78c8dd1435c9 Mon Sep 17 00:00:00 2001
From: Charly Gomez
Date: Mon, 9 Mar 2026 13:50:08 +0100
Subject: [PATCH] fix(sveltekit): Fix TOCTOU file system race condition in source map cleaning

Replace `existsSync` guard with try/catch around read+write operations to eliminate the time-of-check to time-of-use race condition (CWE-367) flagged by CodeQL (code-scanning alert #439).

Co-Authored-By: Claude Opus 4.6
---
 packages/sveltekit/src/vite/sourceMaps.ts | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/packages/sveltekit/src/vite/sourceMaps.ts b/packages/sveltekit/src/vite/sourceMaps.ts
index 7b34bcc0efc7..52f72bac3e52 100644
--- a/packages/sveltekit/src/vite/sourceMaps.ts
+++ b/packages/sveltekit/src/vite/sourceMaps.ts
@@ -213,7 +213,7 @@ export async function makeCustomSentryVitePlugins(
 // We need to remove the query string from the source map files that our auto-instrument plugin added
 // to proxy the load functions during building.
 const mapFile = `${file}.map`;
- if (fs.existsSync(mapFile)) {
+ try {
 const mapContent = (await fs.promises.readFile(mapFile, 'utf-8')).toString();
 const cleanedMapContent = mapContent.replace(
 // oxlint-disable-next-line sdk/no-regexp-constructor -- no user input + escaped anyway
@@ -221,6 +221,8 @@ export async function makeCustomSentryVitePlugins(
 '',
 );
 await fs.promises.writeFile(mapFile, cleanedMapContent);
+ } catch {
+ // Map file doesn't exist, nothing to clean
 }
 }
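Review bot: The bare `catch {}` added in the second hunk swallows every failure of the readFile/replace/writeFile sequence, not just a missing map file, so a map that exists but cannot be read or written (EACCES, a failed write leaving the file partially cleaned) is now silently ignored, whereas the pre-change code propagated those errors; the catch comment also states a cause the code does not check. Narrow the handler to the one expected case and rethrow the rest: `} catch (err) {`, `if ((err as NodeJS.ErrnoException).code !== 'ENOENT') throw err; // only an absent map file is expected here`, `}`. That keeps the TOCTOU fix from the first hunk (no `existsSync` pre-check) while preserving the old failure semantics for real I/O errors. makeCustomSentryVitePlugins starts and ends outside both hunks.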