@brilab-mailer/template-handlebars 0.0.5-5 → 0.1.0

@@ -14,6 +14,11 @@ export declare class HandlebarsTemplateEngine implements MailerTemplateEngine {
14
14
  constructor(options: HandlebarsConfig);
15
15
  private registerI18nHelpers;
16
16
  private registerPartialsHelpers;
17
+ /**
18
+ * Resolves `<baseDir>/<key>.hbs` and guarantees the result stays inside
19
+ * `baseDir`, rejecting path-traversal keys like `../../etc/passwd`.
20
+ */
21
+ private resolveWithin;
17
22
  private loadTemplate;
18
23
  private loadLayout;
19
24
  render(templateKey: string, context?: Record<string, any>, options?: {
@@ -1 +1 @@
1
- {"version":3,"file":"handlebars-template.engine.d.ts","sourceRoot":"","sources":["../../src/lib/handlebars-template.engine.ts"],"names":[],"mappings":"AACA,OAAO,EAEN,oBAAoB,EACpB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EACX,sCAAsC,EACtC,MAAM,0BAA0B,CAAC;AAMlC,UAAU,gBACT,SAAQ,sCAAsC;CAC9C;AAED,qBACa,wBAAyB,YAAW,oBAAoB;IAanE,OAAO,CAAC,QAAQ,CAAC,OAAO;IAZzB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAuB;IAE3C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAkD;IAChF,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAkD;IAE9E,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;gBAInB,OAAO,EAAE,gBAAgB;IAoB3C,OAAO,CAAC,mBAAmB;IAqB3B,OAAO,CAAC,uBAAuB;IAkC/B,OAAO,CAAC,YAAY;IAapB,OAAO,CAAC,UAAU;IAaZ,MAAM,CACX,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAM,EACjC,OAAO,GAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAA6B,GACxD,OAAO,CAAC,MAAM,CAAC;CAYlB"}
1
+ {"version":3,"file":"handlebars-template.engine.d.ts","sourceRoot":"","sources":["../../src/lib/handlebars-template.engine.ts"],"names":[],"mappings":"AACA,OAAO,EAEN,oBAAoB,EACpB,MAAM,0BAA0B,CAAC;AAClC,OAAO,KAAK,EACX,sCAAsC,EACtC,MAAM,0BAA0B,CAAC;AAMlC,UAAU,gBACT,SAAQ,sCAAsC;CAC9C;AAED,qBACa,wBAAyB,YAAW,oBAAoB;IAanE,OAAO,CAAC,QAAQ,CAAC,OAAO;IAZzB,OAAO,CAAC,QAAQ,CAAC,GAAG,CAAuB;IAE3C,OAAO,CAAC,QAAQ,CAAC,OAAO,CAAU;IAClC,OAAO,CAAC,QAAQ,CAAC,aAAa,CAAkD;IAChF,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAkD;IAE9E,OAAO,CAAC,QAAQ,CAAC,YAAY,CAAS;IACtC,OAAO,CAAC,QAAQ,CAAC,UAAU,CAAS;IACpC,OAAO,CAAC,QAAQ,CAAC,WAAW,CAAS;gBAInB,OAAO,EAAE,gBAAgB;IAoB3C,OAAO,CAAC,mBAAmB;IAqB3B,OAAO,CAAC,uBAAuB;IAkC/B;;;OAGG;IACH,OAAO,CAAC,aAAa;IASrB,OAAO,CAAC,YAAY;IAapB,OAAO,CAAC,UAAU;IAaZ,MAAM,CACX,WAAW,EAAE,MAAM,EACnB,OAAO,GAAE,MAAM,CAAC,MAAM,EAAE,GAAG,CAAM,EACjC,OAAO,GAAE;QAAE,SAAS,CAAC,EAAE,MAAM,CAAA;KAA6B,GACxD,OAAO,CAAC,MAAM,CAAC;CAYlB"}
@@ -75,10 +75,22 @@ let HandlebarsTemplateEngine = class HandlebarsTemplateEngine {
75
75
  };
76
76
  registerRecursive(partialsPath);
77
77
  }
78
+ /**
79
+ * Resolves `<baseDir>/<key>.hbs` and guarantees the result stays inside
80
+ * `baseDir`, rejecting path-traversal keys like `../../etc/passwd`.
81
+ */
82
+ resolveWithin(baseDir, key) {
83
+ const root = path.resolve(baseDir);
84
+ const filePath = path.resolve(root, `${key}.hbs`);
85
+ if (filePath !== root && !filePath.startsWith(root + path.sep)) {
86
+ throw new Error(`Invalid template key (path traversal): ${key}`);
87
+ }
88
+ return filePath;
89
+ }
78
90
  loadTemplate(key) {
79
91
  if (this._cached && this.templateCache.has(key))
80
92
  return this.templateCache.get(key);
81
- const filePath = path.join(this.templatesDir, `${key}.hbs`);
93
+ const filePath = this.resolveWithin(this.templatesDir, key);
82
94
  if (!fs.existsSync(filePath)) {
83
95
  throw new Error(`Template not found: ${filePath}`);
84
96
  }
@@ -90,7 +102,7 @@ let HandlebarsTemplateEngine = class HandlebarsTemplateEngine {
90
102
  loadLayout(key) {
91
103
  if (this._cached && this.layoutCache.has(key))
92
104
  return this.layoutCache.get(key);
93
- const filePath = path.join(this.layoutsDir, `${key}.hbs`);
105
+ const filePath = this.resolveWithin(this.layoutsDir, key);
94
106
  if (!fs.existsSync(filePath))
95
107
  return null;
96
108
  const source = fs.readFileSync(filePath, 'utf8');
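Review bot: The containment check in `resolveWithin` (the `@@ -75,10 +75,22 @@` hunk) is purely lexical, so the doc comment's "guarantees the result stays inside `baseDir`" holds only while nothing under the templates or layouts directory is a symlink pointing elsewhere: `path.resolve` does not follow links, but the later `fs.readFileSync(filePath, 'utf8')` does. If those directories can ever hold links that are not fully trusted, the callers should compare real paths after their `existsSync` test, e.g. `fs.realpathSync(filePath)` checked against `fs.realpathSync(this.templatesDir) + path.sep`; otherwise reword the comment to `guarantees the resolved path is lexically inside baseDir (symlinks are not followed)`. The `filePath !== root &&` clause also lets a key that resolves to the base directory itself pass, which the `.hbs` suffix makes reachable only when the directory's own name ends in `.hbs`, so dropping the clause gives a simpler rule. `loadTemplate` and `loadLayout` continue outside the hunks, so whether the thrown messages (the raw key here, the absolute path in `Template not found`) are logged only or returned to a caller cannot be judged from this page.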
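--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
  {
  "name": "@brilab-mailer/template-handlebars",
- "version": "0.0.5-5",
+ "version": "0.1.0",
  "author": "Bohdan Radchenko <radchenkobs@gmail.com>",
  "type": "module",
  "main": "./index.js",
@@ -26,8 +26,8 @@
  "peerDependencies": {
  "@nestjs/common": "^10.0.0",
  "@nestjs/config": "^3.0.0",
- "@brilab-mailer/contracts": "^0.0.5-5",
- "@brilab-mailer/core": "^0.0.5-5"
+ "@brilab-mailer/contracts": "^0.1.0",
+ "@brilab-mailer/core": "^0.1.0"
  },
  "peerDependenciesMeta": {
  "@brilab-mailer/contracts": {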