npm - @character-foundry/character-foundry - Versions diffs - 0.4.2-dev.1765942273 → 0.4.2-dev.1765997746 - Mend

@character-foundry/character-foundry 0.4.2-dev.1765942273 → 0.4.2-dev.1765997746

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (37) hide show

package/dist/index.js CHANGED Viewed

@@ -1339,36 +1339,6 @@ var SAFE_ASSET_TYPES = /* @__PURE__ */ new Set([
   "data",
   "unknown"
 ]);
-var SAFE_EXTENSIONS = /* @__PURE__ */ new Set([
-  // Images
-  "png",
-  "jpg",
-  "jpeg",
-  "webp",
-  "gif",
-  "avif",
-  "svg",
-  "bmp",
-  "ico",
-  // Audio
-  "mp3",
-  "wav",
-  "ogg",
-  "flac",
-  "m4a",
-  "aac",
-  "opus",
-  // Video
-  "mp4",
-  "webm",
-  "avi",
-  "mov",
-  "mkv",
-  // Data
-  "json",
-  "txt",
-  "bin"
-]);
 function getCharxCategory(mimetype) {
   if (mimetype.startsWith("image/")) return "images";
   if (mimetype.startsWith("audio/")) return "audio";
@@ -1384,11 +1354,20 @@ function sanitizeAssetType(type) {
   return sanitized || "custom";
 }
 function sanitizeExtension(ext) {
-  const normalized = ext.replace(/^\./, "").toLowerCase().replace(/[^a-z0-9]/g, "");
-  if (SAFE_EXTENSIONS.has(normalized)) {
-    return normalized;
+  const normalized = ext.trim().replace(/^\./, "").toLowerCase();
+  if (!normalized) {
+    throw new Error("Invalid asset extension: empty extension");
+  }
+  if (normalized.length > 64) {
+    throw new Error(`Invalid asset extension: too long (${normalized.length} chars)`);
+  }
+  if (normalized.includes("/") || normalized.includes("\\") || normalized.includes("\0")) {
+    throw new Error("Invalid asset extension: path separators are not allowed");
+  }
+  if (!/^[a-z0-9][a-z0-9._-]*$/.test(normalized)) {
+    throw new Error(`Invalid asset extension: "${ext}"`);
   }
-  return "bin";
+  return normalized;
 }
 function sanitizeName(name, ext) {
   let safeName = name;
@@ -8170,6 +8149,22 @@ function sanitizeName2(name, ext) {
   if (!safeName) safeName = "asset";
   return safeName;
 }
+function sanitizeExtension2(ext) {
+  const normalized = ext.trim().replace(/^\./, "").toLowerCase();
+  if (!normalized) {
+    throw new Error("Invalid asset extension: empty extension");
+  }
+  if (normalized.length > 64) {
+    throw new Error(`Invalid asset extension: too long (${normalized.length} chars)`);
+  }
+  if (normalized.includes("/") || normalized.includes("\\") || normalized.includes("\0")) {
+    throw new Error("Invalid asset extension: path separators are not allowed");
+  }
+  if (!/^[a-z0-9][a-z0-9._-]*$/.test(normalized)) {
+    throw new Error(`Invalid asset extension: "${ext}"`);
+  }
+  return normalized;
+}
 function writeVoxta(card, assets, options = {}) {
   const { compressionLevel = 6, includePackageJson = false } = options;
   const cardData = card.data;
@@ -8258,8 +8253,9 @@ function writeVoxta(card, assets, options = {}) {
   let assetCount = 0;
   let mainThumbnail;
   for (const asset of assets) {
-    const safeName = sanitizeName2(asset.name, asset.ext);
-    const finalFilename = `${safeName}.${asset.ext}`;
+    const safeExt = sanitizeExtension2(asset.ext);
+    const safeName = sanitizeName2(asset.name, safeExt);
+    const finalFilename = `${safeName}.${safeExt}`;
     let voxtaPath = "";
     const tags = asset.tags || [];
     const isMainIcon = asset.type === "icon" && (tags.includes("portrait-override") || asset.name === "main" || asset.isMain);