@backstage/plugin-techdocs-node 1.12.11-next.2 → 1.12.12-next.0

package/CHANGELOG.md

@@ -1,5 +1,39 @@
 # @backstage/plugin-techdocs-node
 
+## 1.12.12-next.0
+
+### Patch Changes
+
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.0.1-next.0
+  - @backstage/catalog-model@1.7.0
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/integration@1.15.0
+  - @backstage/integration-aws-node@0.1.12
+  - @backstage/plugin-search-common@1.2.14
+  - @backstage/plugin-techdocs-common@0.1.0
+
+## 1.12.11
+
+### Patch Changes
+
+- f715f5c: Move `TechdocsContainerRunner` from `publish` to `generate`.
+- 4417dd4: Fix typo and unify TechDocs casing in doc strings
+- 57da51f: Add support for mapping custom tags in the techdocs yaml parser that validates the mkdocs.yaml file
+- c2b63ab: Updated dependency `supertest` to `^7.0.0`.
+- 3606843: Internal fixes to match `testcontainers` update
+- 33ebb28: As the `@backstage/backend-common` package is deprecated, we have updated the `techdocs-node` package to stop depending on it.
+- Updated dependencies
+  - @backstage/backend-plugin-api@1.0.0
+  - @backstage/catalog-model@1.7.0
+  - @backstage/integration@1.15.0
+  - @backstage/config@1.2.0
+  - @backstage/errors@1.2.4
+  - @backstage/integration-aws-node@0.1.12
+  - @backstage/plugin-search-common@1.2.14
+  - @backstage/plugin-techdocs-common@0.1.0
+
 ## 1.12.11-next.2
 
 ### Patch Changes

package/dist/index.cjs.js

@@ -47,7 +47,29 @@ var os__default = /*#__PURE__*/_interopDefaultCompat(os);
 
 const getContentTypeForExtension = (ext) => {
   const defaultContentType = "text/plain; charset=utf-8";
-  if (ext.match(/htm|xml|svg/i)) {
+  const excludedTypes = [
+    "text/html",
+    "text/xml",
+    "image/svg+xml",
+    "text/xsl",
+    "application/vnd.wap.xhtml+xml",
+    "multipart/x-mixed-replace",
+    "text/rdf",
+    "application/mathml+xml",
+    "application/octet-stream",
+    "application/rdf+xml",
+    "application/xhtml+xml",
+    "application/xml",
+    "text/cache-manifest",
+    "text/vtt"
+  ];
+  if (ext.match(
+    /htm|xml|svg|appcache|manifest|mathml|owl|rdf|rng|vtt|xht|xsd|xsl/i
+  )) {
+    return defaultContentType;
+  }
+  const contentType = mime__default.default.lookup(ext);
+  if (contentType && excludedTypes.includes(contentType)) {
     return defaultContentType;
   }
   return mime__default.default.contentType(ext) || defaultContentType;
@@ -126,6 +148,15 @@ const bulkStorageOperation = async (operation, args, { concurrencyLimit } = { co
   const limiter = createLimiter__default.default(concurrencyLimit);
   await Promise.all(args.map((arg) => limiter(operation, arg)));
 };
+const isValidContentPath = (bucketRoot, contentPath) => {
+  const relativePath = path__default.default.posix.relative(bucketRoot, contentPath);
+  if (relativePath === "") {
+    return true;
+  }
+  const outsideBase = relativePath.startsWith("..");
+  const differentDrive = path__default.default.posix.isAbsolute(relativePath);
+  return !outsideBase && !differentDrive;
+};
 
 function getGeneratorKey(entity) {
   if (!entity) {
@@ -1164,6 +1195,12 @@ class AwsS3Publish {
         const entityTriplet = `${entityName.namespace}/${entityName.kind}/${entityName.name}`;
         const entityDir = this.legacyPathCasing ? entityTriplet : lowerCaseEntityTriplet(entityTriplet);
         const entityRootDir = path__default.default.posix.join(this.bucketRootPath, entityDir);
+        if (!isValidContentPath(this.bucketRootPath, entityRootDir)) {
+          this.logger.error(
+            `Invalid content path found while fetching TechDocs metadata: ${entityRootDir}`
+          );
+          throw new Error(`Metadata Not Found`);
+        }
         try {
           const resp = await this.storageClient.send(
             new clientS3.GetObjectCommand({
@@ -1201,6 +1238,13 @@ class AwsS3Publish {
       const decodedUri = decodeURI(req.path.replace(/^\//, ""));
       const filePathNoRoot = this.legacyPathCasing ? decodedUri : lowerCaseEntityTripletInStoragePath(decodedUri);
       const filePath = path__default.default.posix.join(this.bucketRootPath, filePathNoRoot);
+      if (!isValidContentPath(this.bucketRootPath, filePath)) {
+        this.logger.error(
+          `Attempted to fetch TechDocs content for a file outside of the bucket root: ${filePathNoRoot}`
+        );
+        res.status(404).send("File Not Found");
+        return;
+      }
       const fileExtension = path__default.default.extname(filePath);
       const responseHeaders = getHeadersForFileExtension(fileExtension);
       try {
@@ -1231,6 +1275,12 @@ class AwsS3Publish {
       const entityTriplet = `${entity.metadata.namespace}/${entity.kind}/${entity.metadata.name}`;
       const entityDir = this.legacyPathCasing ? entityTriplet : lowerCaseEntityTriplet(entityTriplet);
       const entityRootDir = path__default.default.posix.join(this.bucketRootPath, entityDir);
+      if (!isValidContentPath(this.bucketRootPath, entityRootDir)) {
+        this.logger.error(
+          `Invalid content path found while checking if docs have been generated: ${entityRootDir}`
+        );
+        return Promise.resolve(false);
+      }
       await this.storageClient.send(
         new clientS3.HeadObjectCommand({
           Bucket: this.bucketName,
@@ -1843,6 +1893,12 @@ class GoogleGCSPublish {
       const entityTriplet = `${entityName.namespace}/${entityName.kind}/${entityName.name}`;
       const entityDir = this.legacyPathCasing ? entityTriplet : lowerCaseEntityTriplet(entityTriplet);
       const entityRootDir = path__default.default.posix.join(this.bucketRootPath, entityDir);
+      if (!isValidContentPath(this.bucketRootPath, entityRootDir)) {
+        this.logger.error(
+          `Invalid content path found while fetching TechDocs metadata: ${entityRootDir}`
+        );
+        reject(new Error(`Metadata Not Found`));
+      }
       const fileStreamChunks = [];
       this.storageClient.bucket(this.bucketName).file(`${entityRootDir}/techdocs_metadata.json`).createReadStream().on("error", (err) => {
         this.logger.error(err.message);
@@ -1863,6 +1919,13 @@ class GoogleGCSPublish {
       const decodedUri = decodeURI(req.path.replace(/^\//, ""));
       const filePathNoRoot = this.legacyPathCasing ? decodedUri : lowerCaseEntityTripletInStoragePath(decodedUri);
       const filePath = path__default.default.posix.join(this.bucketRootPath, filePathNoRoot);
+      if (!isValidContentPath(this.bucketRootPath, filePath)) {
+        this.logger.error(
+          `Attempted to fetch TechDocs content for a file outside of the bucket root: ${filePathNoRoot}`
+        );
+        res.status(404).send("File Not Found");
+        return;
+      }
       const fileExtension = path__default.default.extname(filePath);
       const responseHeaders = getHeadersForFileExtension(fileExtension);
       this.storageClient.bucket(this.bucketName).file(filePath).createReadStream().on("pipe", () => {
@@ -1888,6 +1951,12 @@ class GoogleGCSPublish {
       const entityTriplet = `${entity.metadata.namespace}/${entity.kind}/${entity.metadata.name}`;
       const entityDir = this.legacyPathCasing ? entityTriplet : lowerCaseEntityTriplet(entityTriplet);
       const entityRootDir = path__default.default.posix.join(this.bucketRootPath, entityDir);
+      if (!isValidContentPath(this.bucketRootPath, entityRootDir)) {
+        this.logger.error(
+          `Invalid content path found while checking if docs have been generated: ${entityRootDir}`
+        );
+        resolve(false);
+      }
       this.storageClient.bucket(this.bucketName).file(`${entityRootDir}/index.html`).exists().then((response) => {
         resolve(response[0]);
       }).catch(() => {