wikiwiki 0.6.0 → 0.7.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bc13d22d549b9398dc6573d2731c7c1169fe70a1626f80d9f9b650116deb162c
-  data.tar.gz: 1495f98f015f7494f7355a76f377f42d082a72e92a4679438b2d8822f6294f91
+  metadata.gz: 637f781de0cde55bb67c79d67624df9cc4255bac9e35e6b144fc6170d34b1d5d
+  data.tar.gz: 3155651131252d9e84260584fb3f7dcd6c21ffd52ac48fe16da2b605ac1948ae
 SHA512:
-  metadata.gz: ad6ac01ea174e040f151f74d04504314bb4885abb0e66cc915debddee70f5d6ad3de402def7c693ae52c3ba8f1f3dd9fe8497befbb3c736ae5e79d86e79ed56a
-  data.tar.gz: 0351abf501fed5484cc1b9606610d3ed3fbc789064a11384470ee7c7abd07115c27f315568d42a4ab4ead63f5be05473bef832cfdc350afdfa04c90e76774a68
+  metadata.gz: e5a8ce9a48d65aa95d7334289e5966a72228f9da9adc22799ac7ef63de802f463e882e5aec90e784d35f8411688ec24af6ddd9b9b14702a6988c61fc4d7a1357
+  data.tar.gz: 432bc7bfc745d96b4fcb00e296dbb3fb96ebe34a8bd9d6b06042054e633ca12a7863ce6a1d77bb638f81232258b5400102ed04fd02d65a8693735576bd0cea6c

data/CHANGELOG.md

@@ -1,5 +1,27 @@
 ## [Unreleased]
 
+## [0.7.1] - 2025-11-03
+
+### Documentation
+
+- Added security notes to README about path traversal risks when using API-provided names in bulk download automation scripts
+
+## [0.7.0] - 2025-11-03
+
+### Added
+
+- Page deletion support
+  - `Wiki#delete_page` method to delete pages
+  - `wikiwiki page delete` command in CLI
+  - Validation in `Wiki#update_page` and `wikiwiki page put` to prevent accidental deletion with empty content
+- `ConflictError` exception class for HTTP 409 Conflict responses
+
+### Changed
+
+- `attachment put --force` behavior: attempts upload first, then deletes and retries on conflict (409 error)
+  - Previously: checked existence first, then deleted and uploaded
+  - Now: optimistic upload pattern eliminates Time-of-Check-Time-of-Use (TOCTOU) race conditions
+
 ## [0.6.0] - 2025-11-02
 
 ### Added

data/README.ja.md

@@ -87,6 +87,9 @@ wikiwiki page get FrontPage frontpage.txt
 wikiwiki page put TestPage < content.txt
 wikiwiki page put TestPage content.txt
 
+# ページを削除
+wikiwiki page delete TestPage
+
 # 添付ファイル一覧
 wikiwiki attachment list FrontPage
 
@@ -109,8 +112,9 @@ wikiwiki page get FrontPage existing.txt --force
 wikiwiki attachment put FrontPage logo.png --force
 
 # 注意: --force による添付ファイルの上書きはアトミックではありません。
-# 既存の添付ファイルを削除してから新しいファイルをアップロードします。
-# アップロードに失敗した場合、添付ファイルは失われます。
+# まずアップロードを試み、競合エラー（ファイルが既に存在）が発生した場合、
+# 既存ファイルを削除してアップロードをリトライします。
+# リトライに失敗した場合、添付ファイルは失われます。
 
 # コマンドラインで認証情報を指定（環境変数より優先）
 wikiwiki --wiki-id=your-wiki-id --password=your-password page list
@@ -126,6 +130,23 @@ wikiwiki page list --verbose
 wikiwiki page list --debug
 ```
 
+**一括ダウンロード時のセキュリティ注意:**
+
+APIから取得したページ名や添付ファイル名を使用してページや添付ファイルを一括ダウンロードする自動化処理を行う場合、これらの名前にパストラバーサルシーケンス（例：`../../../etc/passwd`）が含まれている可能性があることに注意してください。ファイルパスとして使用する前に、必ず検証またはサニタイズを行ってください：
+
+```bash
+# 悪い例: シェルスクリプトでAPIから取得した名前を直接使用
+for name in $(wikiwiki page list --json | jq -r '.[]'); do
+  wikiwiki page get "$name" "$name.txt"  # 安全でない: nameに../が含まれる可能性
+done
+
+# 良い例: 自動化スクリプト内で名前をサニタイズ
+for name in $(wikiwiki page list --json | jq -r '.[]'); do
+  safe_name=$(basename "$name")  # ディレクトリ成分を削除
+  wikiwiki page get "$name" "$safe_name.txt"
+done
+```
+
 ### Rubyライブラリ
 
 ライブラリを使用する基本的な例：
@@ -160,6 +181,9 @@ wiki.update_page(page_name: "TestPage", source: <<~SOURCE)
   # Hello World
 SOURCE
 
+# ページを削除
+wiki.delete_page(page_name: "TestPage")
+
 # 添付ファイル名の一覧を取得
 attachment_names = wiki.attachment_names(page_name: "FrontPage")
 

data/README.md

@@ -87,6 +87,9 @@ wikiwiki page get FrontPage frontpage.txt
 wikiwiki page put TestPage < content.txt
 wikiwiki page put TestPage content.txt
 
+# Delete page
+wikiwiki page delete TestPage
+
 # List attachments
 wikiwiki attachment list FrontPage
 
@@ -109,8 +112,9 @@ wikiwiki page get FrontPage existing.txt --force
 wikiwiki attachment put FrontPage logo.png --force
 
 # Note: Attachment overwrite with --force is not atomic.
-# The existing attachment is deleted before uploading the new one.
-# If the upload fails, the attachment will be lost.
+# First attempts to upload; if it fails due to conflict (file exists),
+# deletes the existing file and retries the upload.
+# If retry fails, the attachment will be lost.
 
 # Authentication via command line (overrides environment variables)
 wikiwiki --wiki-id=your-wiki-id --password=your-password page list
@@ -126,6 +130,23 @@ wikiwiki page list --verbose
 wikiwiki page list --debug
 ```
 
+**Security Note for Bulk Downloads:**
+
+When automating bulk downloads of pages or attachments using page/attachment names from the API, be aware that these names may contain path traversal sequences (e.g., `../../../etc/passwd`). Always validate or sanitize names before using them as file paths:
+
+```bash
+# Bad: Direct use of API-provided names in shell scripts
+for name in $(wikiwiki page list --json | jq -r '.[]'); do
+  wikiwiki page get "$name" "$name.txt"  # UNSAFE if name contains ../
+done
+
+# Good: Sanitize names in your automation script
+for name in $(wikiwiki page list --json | jq -r '.[]'); do
+  safe_name=$(basename "$name")  # Remove directory components
+  wikiwiki page get "$name" "$safe_name.txt"
+done
+```
+
 ### Ruby Library
 
 Basic example using the library:
@@ -160,6 +181,9 @@ wiki.update_page(page_name: "TestPage", source: <<~SOURCE)
   # Hello World
 SOURCE
 
+# Delete a page
+wiki.delete_page(page_name: "TestPage")
+
 # List attachment names
 attachment_names = wiki.attachment_names(page_name: "FrontPage")
 

data/lib/wikiwiki/api.rb

@@ -62,6 +62,7 @@ module Wikiwiki
     # @param source [String] the page source content
     # @return [void]
     # @raise [Error] if request fails
+    # @note Passing an empty string as source will delete the page
     def put_page(encoded_page_name:, source:)
       uri = BASE_URL + "/#{wiki_id}/page/#{encoded_page_name}"
       response = request(:put, uri, body: {"source" => source})
@@ -171,6 +172,7 @@ module Wikiwiki
     # @return [Hash] parsed response body
     # @raise [AuthenticationError] if authentication fails (401)
     # @raise [ResourceNotFoundError] if resource not found (404)
+    # @raise [ConflictError] if conflict occurs (409)
     # @raise [ServerError] if server error (5xx)
     # @raise [APIError] if other API request fails
     private def parse_json_response(response)
@@ -181,6 +183,8 @@ module Wikiwiki
           raise AuthenticationError, message
         when 404
           raise ResourceNotFoundError, message
+        when 409
+          raise ConflictError, message
         when 500..599
           raise ServerError, message
         else

data/lib/wikiwiki/cli/commands/attachment/delete.rb

@@ -21,24 +21,10 @@ module Wikiwiki
           def call(page_name:, file_name:, out: $stdout, err: $stderr, **)
             wiki = create_wiki(out:, err:, **)
 
-            # Check if page exists first
-            unless page_exists?(wiki, page_name:)
-              raise ArgumentError, "Page '#{page_name}' does not exist"
-            end
-
-            # Check if attachment exists
-            unless attachment_exists?(wiki, page_name:, attachment_name: file_name)
-              raise ArgumentError, "Attachment '#{file_name}' does not exist on page '#{page_name}'"
-            end
-
             wiki.delete_attachment(page_name:, attachment_name: file_name)
 
             say("Attachment '#{file_name}' deleted from page '#{page_name}'", out:, **)
           end
-
-          private def page_exists?(wiki, page_name:) = wiki.page_names.include?(page_name)
-
-          private def attachment_exists?(wiki, page_name:, attachment_name:) = wiki.attachment_names(page_name:).include?(attachment_name)
         end
       end
 

data/lib/wikiwiki/cli/commands/attachment/put.rb

@@ -35,22 +35,17 @@ module Wikiwiki
               raise ArgumentError, "File size (#{content.bytesize} bytes) exceeds maximum allowed size (#{MAX_ATTACHMENT_SIZE} bytes / 512 KiB)"
             end
 
-            if attachment_exists?(wiki, page_name:, attachment_name:)
+            begin
+              wiki.add_attachment(page_name:, attachment_name:, content:)
+            rescue ConflictError
               raise ArgumentError, "Attachment '#{attachment_name}' already exists. Use --force to overwrite." unless force
 
-              begin
-                wiki.delete_attachment(page_name:, attachment_name:)
-              rescue ResourceNotFoundError
-                # Already deleted by another process, continue
-              end
+              wiki.delete_attachment(page_name:, attachment_name:)
+              retry
             end
 
-            wiki.add_attachment(page_name:, attachment_name:, content:)
-
             say("Attachment '#{attachment_name}' uploaded to page '#{page_name}'", out:, **)
           end
-
-          private def attachment_exists?(wiki, page_name:, attachment_name:) = wiki.attachment_names(page_name:).include?(attachment_name)
         end
       end
 

data/lib/wikiwiki/cli/commands/page/delete.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module Wikiwiki
+  class CLI
+    module Commands
+      module Page
+        # Delete a page
+        class Delete < Base
+          desc "Delete a page"
+
+          argument :page_name, required: true, desc: "Page name"
+
+          # Execute the delete command
+          #
+          # @param page_name [String] name of the page to delete
+          # @param out [IO] output stream
+          # @param err [IO] error stream
+          # @return [void]
+          def call(page_name:, out: $stdout, err: $stderr, **)
+            wiki = create_wiki(out:, err:, **)
+
+            wiki.delete_page(page_name:)
+
+            say("Page '#{page_name}' deleted successfully", out:, **)
+          end
+        end
+      end
+
+      register "page delete", Page::Delete
+    end
+  end
+end

data/lib/wikiwiki/cli/commands/page/put.rb

@@ -18,6 +18,8 @@ module Wikiwiki
           # @param out [IO] output stream
           # @param err [IO] error stream
           # @return [void]
+          # @raise [ArgumentError] if source content is empty
+          # @note To delete a page, use `wikiwiki page delete` instead
           def call(page_name:, input_file: nil, out: $stdout, err: $stderr, **)
             wiki = create_wiki(out:, err:, **)
 
@@ -27,6 +29,8 @@ module Wikiwiki
                        $stdin.read
                      end
 
+            raise ArgumentError, "Page source must not be empty. Use 'wikiwiki page delete' to delete a page." if source.empty?
+
             wiki.update_page(page_name:, source:)
 
             say("Page '#{page_name}' updated successfully", out:, **)

data/lib/wikiwiki/cli.rb

@@ -9,12 +9,10 @@ module Wikiwiki
   # Provides commands for managing wiki pages and attachments through the terminal.
   # Supports authentication via API key or password, with configurable logging and output modes.
   class CLI
-    # Run the CLI with given arguments
+    # Initialize the CLI with output streams
     #
-    # @param argv [Array<String>] command-line arguments
     # @param out [IO] standard output (defaults to $stdout)
     # @param err [IO] error output (defaults to $stderr)
-    # @return [Integer] exit code (0 for success, 1 for error)
     def initialize(out: $stdout, err: $stderr)
       @out = out
       @err = err

data/lib/wikiwiki/version.rb

@@ -2,6 +2,6 @@
 
 module Wikiwiki
   # The gem version
-  VERSION = "0.6.0"
+  VERSION = "0.7.1"
   public_constant :VERSION
 end

data/lib/wikiwiki/wiki.rb

@@ -70,14 +70,28 @@ module Wikiwiki
     # Updates a page with new content
     #
     # @param page_name [String] the name of the page to update
-    # @param source [String] the new page source content
+    # @param source [String] the new page source content (must not be empty)
     # @return [void]
+    # @raise [ArgumentError] if source is empty
     # @raise [Wikiwiki::Error] if the update fails
+    # @note To delete a page, use {#delete_page} instead
     def update_page(page_name:, source:)
+      raise ArgumentError, "Page source must not be empty. Use delete_page to delete a page." if source.empty?
+
       encoded_page_name = ERB::Util.url_encode(page_name)
       api.put_page(encoded_page_name:, source:)
     end
 
+    # Deletes a page
+    #
+    # @param page_name [String] the name of the page to delete
+    # @return [void]
+    # @raise [Wikiwiki::Error] if the deletion fails
+    def delete_page(page_name:)
+      encoded_page_name = ERB::Util.url_encode(page_name)
+      api.put_page(encoded_page_name:, source: "")
+    end
+
     # Retrieves attachment file names on a page
     #
     # @param page_name [String] the name of the page

data/lib/wikiwiki.rb

@@ -32,6 +32,10 @@ module Wikiwiki
   # Raised when HTTP status is 404
   class ResourceNotFoundError < APIError; end
 
+  # Conflict error
+  # Raised when HTTP status is 409
+  class ConflictError < APIError; end
+
   # Server error
   # Raised when HTTP status is 5xx
   class ServerError < APIError; end

data/sig/wikiwiki/cli/commands/attachment.rbs

@@ -65,10 +65,6 @@ module Wikiwiki
             ?verbose: bool,
             ?debug: bool
           ) -> void
-
-          private
-
-          def attachment_exists?: (Wiki wiki, page_name: String, attachment_name: String) -> bool
         end
 
         class Delete < Base
@@ -84,11 +80,6 @@ module Wikiwiki
             ?verbose: bool,
             ?debug: bool
           ) -> void
-
-          private
-
-          def page_exists?: (Wiki wiki, page_name: String) -> bool
-          def attachment_exists?: (Wiki wiki, page_name: String, attachment_name: String) -> bool
         end
       end
     end

data/sig/wikiwiki/cli/commands/page.rbs

@@ -61,6 +61,21 @@ module Wikiwiki
             ?debug: bool
           ) -> void
         end
+
+        class Delete < Base
+          def call: (
+            page_name: String,
+            ?out: IO,
+            ?err: IO,
+            ?wiki_id: String?,
+            ?api_key_id: String?,
+            ?secret: String?,
+            ?password: String?,
+            ?token: String?,
+            ?verbose: bool,
+            ?debug: bool
+          ) -> void
+        end
       end
     end
   end

data/sig/wikiwiki/wiki.rbs

@@ -14,6 +14,8 @@ module Wikiwiki
 
     def update_page: (page_name: String, source: String) -> void
 
+    def delete_page: (page_name: String) -> void
+
     def attachment_names: (page_name: String) -> Array[String]
 
     def attachment: (page_name: String, attachment_name: String, ?rev: String?) -> Attachment

data/sig/wikiwiki.rbs

@@ -19,6 +19,9 @@ module Wikiwiki
   class ResourceNotFoundError < APIError
   end
 
+  class ConflictError < APIError
+  end
+
   class ServerError < APIError
   end
 end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: wikiwiki
 version: !ruby/object:Gem::Version
-  version: 0.6.0
+  version: 0.7.1
 platform: ruby
 authors:
 - OZAWA Sakuro
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2025-11-02 00:00:00.000000000 Z
+date: 2025-11-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: base64
@@ -95,6 +95,7 @@ files:
 - lib/wikiwiki/cli/commands/attachment/show.rb
 - lib/wikiwiki/cli/commands/auth.rb
 - lib/wikiwiki/cli/commands/base.rb
+- lib/wikiwiki/cli/commands/page/delete.rb
 - lib/wikiwiki/cli/commands/page/get.rb
 - lib/wikiwiki/cli/commands/page/list.rb
 - lib/wikiwiki/cli/commands/page/put.rb