@comet/cms-api 8.24.0 → 8.24.2
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"files.utils.d.ts","sourceRoot":"","sources":["../../src/file-utils/files.utils.ts"],"names":[],"mappings":"
|
|
1
|
+
{"version":3,"file":"files.utils.d.ts","sourceRoot":"","sources":["../../src/file-utils/files.utils.ts"],"names":[],"mappings":"AAaA,OAAO,EAAE,KAAK,eAAe,EAAE,MAAM,qBAAqB,CAAC;AAK3D,wBAAgB,eAAe,CAAC,QAAQ,EAAE,MAAM,EAAE,SAAS,EAAE,MAAM,GAAG,MAAM,CAG3E;AAED,eAAO,MAAM,sBAAsB,GAAI,MAAM,MAAM,EAAE,OAAO,MAAM,KAAG;IAAE,KAAK,EAAE,MAAM,CAAC;IAAC,GAAG,EAAE,MAAM,CAAC;IAAC,aAAa,EAAE,MAAM,CAAA;CAoBvH,CAAC;AAiBF,eAAO,MAAM,UAAU,GAAI,KAAK,MAAM,KAAG,OAaxC,CAAC;AAEF,eAAO,MAAM,oBAAoB,GAAU,MAAM,eAAe,kBAS/D,CAAC;AAEF,eAAO,MAAM,6BAA6B,GAAI,UAAU,MAAM,kCAW7D,CAAC;AAEF,wBAAsB,4BAA4B,CAAC,GAAG,EAAE,MAAM,GAAG,OAAO,CAAC,eAAe,CAAC,CA+BxF"}
|
|
@@ -48,10 +48,11 @@ Object.defineProperty(exports, "__esModule", { value: true });
|
|
|
48
48
|
exports.getValidExtensionsForMimetype = exports.removeMulterTempFile = exports.isValidSvg = exports.calculatePartialRanges = void 0;
|
|
49
49
|
exports.slugifyFilename = slugifyFilename;
|
|
50
50
|
exports.createFileUploadInputFromUrl = createFileUploadInputFromUrl;
|
|
51
|
-
const
|
|
51
|
+
const dompurify_1 = __importDefault(require("dompurify"));
|
|
52
52
|
const file_type_1 = __importDefault(require("file-type"));
|
|
53
53
|
const fs_1 = __importDefault(require("fs"));
|
|
54
54
|
const promises_1 = require("fs/promises");
|
|
55
|
+
const jsdom_1 = require("jsdom");
|
|
55
56
|
const mimedb = __importStar(require("mime-db"));
|
|
56
57
|
const os_1 = __importDefault(require("os"));
|
|
57
58
|
const path_1 = require("path");
|
|
@@ -85,43 +86,31 @@ const calculatePartialRanges = (size, range) => {
|
|
|
85
86
|
};
|
|
86
87
|
};
|
|
87
88
|
exports.calculatePartialRanges = calculatePartialRanges;
|
|
88
|
-
const
|
|
89
|
-
|
|
90
|
-
|
|
91
|
-
|
|
92
|
-
|
|
93
|
-
|
|
94
|
-
|
|
95
|
-
|
|
96
|
-
];
|
|
97
|
-
const recursiveIsValidSvgNode = (node) => {
|
|
98
|
-
if (typeof node === "string") {
|
|
99
|
-
// is plain text -> can't contain JS
|
|
100
|
-
return true;
|
|
89
|
+
const { window } = new jsdom_1.JSDOM("");
|
|
90
|
+
const DOMPurify = (0, dompurify_1.default)(window);
|
|
91
|
+
// `<use>` is forbidden by DOMPurify's svg profile because it can pull in external or
|
|
92
|
+
// attacker-controlled content (XSS/SSRF). Allow it only for same-document fragment references
|
|
93
|
+
// (e.g. href="#id"); any other reference is dropped, which makes the SVG fail validation below.
|
|
94
|
+
DOMPurify.addHook("uponSanitizeAttribute", (node, data) => {
|
|
95
|
+
if (node.nodeName.toLowerCase() !== "use") {
|
|
96
|
+
return;
|
|
101
97
|
}
|
|
102
|
-
|
|
103
|
-
|
|
104
|
-
const containsEventHandler = tagOrAttributeName.toLowerCase().startsWith("on"); // can execute JavaScript
|
|
105
|
-
const containsHref = // can execute JavaScript or link to malicious targets
|
|
106
|
-
["href", "xlink:href"].includes(tagOrAttributeName) &&
|
|
107
|
-
typeof value === "string" &&
|
|
108
|
-
(value.startsWith("http://") || value.startsWith("https://") || value.startsWith("javascript:"));
|
|
109
|
-
if (containsDisallowedTags || containsEventHandler || containsHref) {
|
|
110
|
-
return false;
|
|
111
|
-
}
|
|
112
|
-
// is node -> children can contain JS
|
|
113
|
-
const children = node[tagOrAttributeName];
|
|
114
|
-
const childrenAreValid = recursiveIsValidSvgNode(children);
|
|
115
|
-
if (!childrenAreValid) {
|
|
116
|
-
return false;
|
|
117
|
-
}
|
|
98
|
+
if ((data.attrName === "href" || data.attrName === "xlink:href") && !data.attrValue.startsWith("#")) {
|
|
99
|
+
data.keepAttr = false;
|
|
118
100
|
}
|
|
119
|
-
|
|
120
|
-
};
|
|
101
|
+
});
|
|
121
102
|
const isValidSvg = (svg) => {
|
|
122
|
-
|
|
123
|
-
|
|
124
|
-
|
|
103
|
+
// `role` and `<use>` aren't part of DOMPurify's svg profile, so they're allowed explicitly.
|
|
104
|
+
// `<use>` is additionally constrained to same-document references by the hook above.
|
|
105
|
+
DOMPurify.sanitize(svg, {
|
|
106
|
+
USE_PROFILES: { svg: true, svgFilters: true },
|
|
107
|
+
WHOLE_DOCUMENT: true,
|
|
108
|
+
ADD_TAGS: ["use"],
|
|
109
|
+
ADD_ATTR: ["role", "href", "xlink:href"],
|
|
110
|
+
});
|
|
111
|
+
// DOMPurify strips forbidden tags (e.g. <script>) and attributes (e.g. event handlers, javascript: URLs).
|
|
112
|
+
// If it had to remove anything, the SVG contained content we don't consider safe.
|
|
113
|
+
return DOMPurify.removed.length === 0;
|
|
125
114
|
};
|
|
126
115
|
exports.isValidSvg = isValidSvg;
|
|
127
116
|
const removeMulterTempFile = (file) => __awaiter(void 0, void 0, void 0, function* () {
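Review bot: The `uponSanitizeAttribute` hook enforces same-document references only for `<use>` (new line 95), so `href`/`xlink:href` on other href-bearing elements in DOMPurify's svg profile (`<a>`, `<image>`) can now pass with absolute `http(s)://` URLs, which the removed check (old lines 105–108) rejected on every node. If that relaxation is not intended, widen the guard to `if (!["use", "image", "a"].includes(node.nodeName.toLowerCase())) return;` and adjust the comment above the hook, which currently describes it as `<use>`-only. The `return DOMPurify.removed.length === 0;` check additionally relies on DOMPurify recording hook-driven `keepAttr = false` drops in `removed`; I believe it does, but it is worth pinning with a test such as `isValidSvg('<svg><use href="https://example.invalid/x.svg#a"/></svg>')` expecting `false`. The removed disallowed-tag list (old lines 89–96) is blank in this rendering, so I cannot confirm that every tag it rejected is also outside the svg profile.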
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"files.utils.js","sourceRoot":"","sources":["../../src/file-utils/files.utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
|
|
1
|
+
{"version":3,"file":"files.utils.js","sourceRoot":"","sources":["../../src/file-utils/files.utils.ts"],"names":[],"mappings":";;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;AAkBA,0CAGC;AA8ED,oEA+BC;AAlID,0DAAwC;AACxC,0DAAiC;AACjC,4CAAoB;AACpB,0CAAqC;AACrC,iCAA8B;AAC9B,gDAAkC;AAClC,4CAAoB;AACpB,+BAAyC;AACzC,sDAA8B;AAC9B,oDAA4B;AAC5B,+BAAiC;AACjC,+BAAkC;AAGlC,uDAAsD;AAEtD,MAAM,QAAQ,GAAG,IAAA,gBAAS,EAAC,gBAAM,CAAC,QAAQ,CAAC,CAAC;AAE5C,SAAgB,eAAe,CAAC,QAAgB,EAAE,SAAiB;IAC/D,MAAM,gBAAgB,GAAG,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,CAAC,CAAC,CAAC,SAAS,CAAC,CAAC,CAAC,IAAI,SAAS,EAAE,CAAC;IACjF,OAAO,GAAG,IAAA,iBAAO,EAAC,QAAQ,CAAC,GAAG,gBAAgB,EAAE,CAAC;AACrD,CAAC;AAEM,MAAM,sBAAsB,GAAG,CAAC,IAAY,EAAE,KAAa,EAAyD,EAAE;IACzH,IAAI,CAAC,KAAK,EAAE,GAAG,CAAC,GAAG,KAAK,CAAC,OAAO,CAAC,QAAQ,EAAE,EAAE,CAAC,CAAC,KAAK,CAAC,GAAG,CAA2B,CAAC;IACpF,KAAK,GAAG,QAAQ,CAAC,KAAe,EAAE,EAAE,CAAC,CAAC;IACtC,GAAG,GAAG,GAAG,CAAC,CAAC,CAAC,QAAQ,CAAC,GAAa,EAAE,EAAE,CAAC,CAAC,CAAC,CAAC,IAAI,GAAG,CAAC,CAAC;IAEnD,IAAI,CAAC,KAAK,CAAC,KAAK,CAAC,IAAI,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9B,0CAA0C;QAC1C,KAAK,GAAG,KAAK,CAAC;QACd,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC;IACnB,CAAC;IACD,IAAI,KAAK,CAAC,KAAK,CAAC,IAAI,CAAC,KAAK,CAAC,GAAG,CAAC,EAAE,CAAC;QAC9B,KAAK,GAAG,IAAI,GAAG,GAAG,CAAC;QACnB,GAAG,GAAG,IAAI,GAAG,CAAC,CAAC;IACnB,CAAC;IAED,OAAO;QACH,KAAK;QACL,GAAG;QACH,aAAa,EAAE,GAAG,GAAG,KAAK,GAAG,CAAC;KACjC,CAAC;AACN,CAAC,CAAC;AApBW,QAAA,sBAAsB,0BAoBjC;AAEF,MAAM,EAAE,MAAM,EAAE,GAAG,IAAI,aAAK,CAAC,EAAE,CAAC,CAAC;AACjC,MAAM,SAAS,GAAG,IAAA,mBAAe,EAAC,MAAM,CAAC,CAAC;AAE1C,qFAAqF;AACrF,8FAA8F;AAC9F,gGAAgG;AAChG,SAAS,CAAC,OAAO,CAAC,uBAAuB,EAAE,CAAC,IAAI,EAAE,IAAI,EAAE,EAAE;IACtD,IAAK,IAAwC,CAAC,QAAQ,CAAC,WAAW,EAAE,KAAK,KAAK,EAAE,CAAC;QAC7E,OAAO;IACX,CAAC;IACD,IAAI,CAAC,IAAI,CAAC,QAAQ,KAAK,MAAM,IAAI,IAAI,CAAC,QAAQ,KAAK,YAAY,CAAC,IAAI,CAAC,IAAI,CAAC,SAAS,CAAC,UAAU,CAAC,GAAG,CAAC,EAAE,CAAC;QAClG,IAAI,CAAC,QAAQ,GAAG,KAAK,CAAC;IAC1B,CAAC;AACL,CAAC,CAAC,CAAC;AAEI,MAAM,UAAU,GAAG,CAAC,GAAW,EAAW,EAAE;IAC/C,4FAA4F;IAC5F,qFAAqF;IACrF,SAAS,CAAC,QAAQ,CAAC,GAA
G,EAAE;QACpB,YAAY,EAAE,EAAE,GAAG,EAAE,IAAI,EAAE,UAAU,EAAE,IAAI,EAAE;QAC7C,cAAc,EAAE,IAAI;QACpB,QAAQ,EAAE,CAAC,KAAK,CAAC;QACjB,QAAQ,EAAE,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,CAAC;KAC3C,CAAC,CAAC;IAEH,0GAA0G;IAC1G,kFAAkF;IAClF,OAAO,SAAS,CAAC,OAAO,CAAC,MAAM,KAAK,CAAC,CAAC;AAC1C,CAAC,CAAC;AAbW,QAAA,UAAU,cAarB;AAEK,MAAM,oBAAoB,GAAG,CAAO,IAAqB,EAAE,EAAE;IAChE,0EAA0E;IAC1E,MAAM,IAAI,GAAG,IAAI,CAAC,IAAI,CAAC;IAEvB,OAAQ,IAAiC,CAAC,WAAW,CAAC;IACtD,OAAQ,IAAiC,CAAC,QAAQ,CAAC;IACnD,OAAQ,IAAiC,CAAC,IAAI,CAAC;IAE/C,MAAM,IAAA,iBAAM,EAAC,IAAI,CAAC,CAAC;AACvB,CAAC,CAAA,CAAC;AATW,QAAA,oBAAoB,wBAS/B;AAEK,MAAM,6BAA6B,GAAG,CAAC,QAAgB,EAAE,EAAE;;IAC9D,IAAI,mBAAkD,CAAC;IACvD,IAAI,QAAQ,KAAK,8BAA8B,EAAE,CAAC;QAC9C,iDAAiD;QACjD,mDAAmD;QACnD,mBAAmB,GAAG,CAAC,KAAK,CAAC,CAAC;IAClC,CAAC;SAAM,CAAC;QACJ,mBAAmB,GAAG,MAAA,MAAM,CAAC,QAAQ,CAAC,0CAAE,UAAU,CAAC;IACvD,CAAC;IAED,OAAO,mBAAmB,CAAC;AAC/B,CAAC,CAAC;AAXW,QAAA,6BAA6B,iCAWxC;AAEF,SAAsB,4BAA4B,CAAC,GAAW;;QAC1D,MAAM,OAAO,GAAG,YAAE,CAAC,WAAW,CAAC,GAAG,YAAE,CAAC,MAAM,EAAE,WAAW,CAAC,CAAC;QAC1D,MAAM,QAAQ,GAAG,IAAA,SAAI,GAAE,CAAC;QACxB,MAAM,QAAQ,GAAG,GAAG,OAAO,IAAI,QAAQ,EAAE,CAAC;QAE1C,IAAI,GAAG,CAAC,SAAS,CAAC,CAAC,EAAE,CAAC,CAAC,KAAK,MAAM,EAAE,CAAC;YACjC,MAAM,QAAQ,GAAG,MAAM,KAAK,CAAC,GAAG,CAAC,CAAC;YAClC,IAAI,CAAC,QAAQ,CAAC,EAAE,IAAI,CAAC,QAAQ,CAAC,IAAI,EAAE,CAAC;gBACjC,MAAM,IAAI,KAAK,CAAC,kCAAkC,GAAG,EAAE,CAAC,CAAC;YAC7D,CAAC;YACD,MAAM,UAAU,GAAG,YAAE,CAAC,iBAAiB,CAAC,QAAQ,CAAC,CAAC;YAClD,MAAM,QAAQ,CAAC,QAAQ,CAAC,IAAI,EAAE,UAAU,CAAC,CAAC;YAC1C,6EAA6E;QACjF,CAAC;aAAM,CAAC;YACJ,YAAE,CAAC,YAAY,CAAC,GAAG,EAAE,QAAQ,CAAC,CAAC;QACnC,CAAC;QAED,MAAM,QAAQ,GAAG,MAAM,mBAAQ,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC;QACnD,MAAM,KAAK,GAAG,YAAE,CAAC,QAAQ,CAAC,QAAQ,CAAC,CAAC,CAAC,sBAAsB;QAC3D,MAAM,wBAAwB,GAAG,IAAA,eAAQ,EAAC,GAAG,EAAE,IAAA,cAAO,EAAC,GAAG,CAAC,CAAC,CAAC;QAE7D,OAAO;YACH,SAAS,EAAE,mCAAiB;YAC5B,YAAY,EAAE,GAAG,wBAAwB,IAAI,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,GAAG,EAAE;YAC5D,QAAQ,EAAE,MAAM;YAChB,QAAQ,EAAE,QAAQ,aAAR,QAAQ,uBAAR,QAAQ,CAAE,IAAc;YAClC,IAAI,EAAE,KAAK,CAAC,IAAI;YAChB,WAAW,EA
AE,OAAO;YACpB,QAAQ,EAAE,QAAQ;YAClB,IAAI,EAAE,QAAQ;SACjB,CAAC;IACN,CAAC;CAAA"}
|