@commercetools-frontend/application-config 27.5.1 → 27.5.3
- package/dist/commercetools-frontend-application-config.cjs.dev.js +91 -75
- package/dist/commercetools-frontend-application-config.cjs.prod.js +91 -75
- package/dist/commercetools-frontend-application-config.esm.js +49 -31
- package/dist/{formatters-5629a23b.esm.js → formatters-CR1HIN8T.esm.js} +2 -2
- package/dist/{formatters-4515015b.cjs.prod.js → formatters-CWjiv2VA.cjs.dev.js} +11 -11
- package/dist/{formatters-5a68b5ac.cjs.dev.js → formatters-CWjiv2VA.cjs.prod.js} +11 -11
- package/package.json +3 -3
- package/ssr/dist/commercetools-frontend-application-config-ssr.cjs.dev.js +1 -3
- package/ssr/dist/commercetools-frontend-application-config-ssr.cjs.prod.js +1 -3
- package/ssr/dist/commercetools-frontend-application-config-ssr.esm.js +1 -1
|
@@ -1,7 +1,5 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
|
-
Object.defineProperty(exports, '__esModule', { value: true });
|
|
4
|
-
|
|
5
3
|
var _Object$keys = require('@babel/runtime-corejs3/core-js-stable/object/keys');
|
|
6
4
|
var _Object$getOwnPropertySymbols = require('@babel/runtime-corejs3/core-js-stable/object/get-own-property-symbols');
|
|
7
5
|
var _filterInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/filter');
|
|
@@ -37,7 +35,7 @@ var _JSON$stringify = require('@babel/runtime-corejs3/core-js-stable/json/string
|
|
|
37
35
|
var path$1 = require('path');
|
|
38
36
|
var _reduceInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/reduce');
|
|
39
37
|
var _bindInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/bind');
|
|
40
|
-
var formatters = require('./formatters-
|
|
38
|
+
var formatters = require('./formatters-CWjiv2VA.cjs.dev.js');
|
|
41
39
|
var _Set = require('@babel/runtime-corejs3/core-js-stable/set');
|
|
42
40
|
var _Array$isArray = require('@babel/runtime-corejs3/core-js-stable/array/is-array');
|
|
43
41
|
var Ajv = require('ajv');
|
|
@@ -48,7 +46,7 @@ var jsdom$1 = require('jsdom');
|
|
|
48
46
|
require('@babel/runtime-corejs3/core-js-stable/object/entries');
|
|
49
47
|
require('lodash/upperFirst');
|
|
50
48
|
|
|
51
|
-
function _interopDefault (e) { return e && e.__esModule ? e : {
|
|
49
|
+
function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
|
|
52
50
|
|
|
53
51
|
var _Object$keys__default = /*#__PURE__*/_interopDefault(_Object$keys);
|
|
54
52
|
var _Object$getOwnPropertySymbols__default = /*#__PURE__*/_interopDefault(_Object$getOwnPropertySymbols);
|
|
@@ -116,14 +114,14 @@ const LOADED_CONFIG_TYPES = {
|
|
|
116
114
|
CUSTOM_VIEW: 'custom-view'
|
|
117
115
|
};
|
|
118
116
|
|
|
119
|
-
function _callSuper(t, o, e) { return o = _getPrototypeOf(o), _possibleConstructorReturn(t, _isNativeReflectConstruct() ? _Reflect$construct__default
|
|
120
|
-
function _isNativeReflectConstruct() { try { var t = !Boolean.prototype.valueOf.call(_Reflect$construct__default
|
|
117
|
+
function _callSuper(t, o, e) { return o = _getPrototypeOf(o), _possibleConstructorReturn(t, _isNativeReflectConstruct() ? _Reflect$construct__default.default(o, e || [], _getPrototypeOf(t).constructor) : o.apply(t, e)); }
|
|
118
|
+
function _isNativeReflectConstruct() { try { var t = !Boolean.prototype.valueOf.call(_Reflect$construct__default.default(Boolean, [], function () {})); } catch (t) {} return (_isNativeReflectConstruct = function () { return !!t; })(); }
|
|
121
119
|
let MissingOrInvalidConfigError = /*#__PURE__*/function (_Error) {
|
|
122
120
|
function MissingOrInvalidConfigError(message) {
|
|
123
121
|
var _this;
|
|
124
122
|
_classCallCheck(this, MissingOrInvalidConfigError);
|
|
125
123
|
_this = _callSuper(this, MissingOrInvalidConfigError, [message]);
|
|
126
|
-
_Object$defineProperty__default
|
|
124
|
+
_Object$defineProperty__default.default(_this, 'name', {
|
|
127
125
|
value: 'MissingOrInvalidConfigError'
|
|
128
126
|
});
|
|
129
127
|
return _this;
|
|
@@ -138,7 +136,7 @@ let MissingOrInvalidConfigError = /*#__PURE__*/function (_Error) {
|
|
|
138
136
|
// Copied from @commitlint/load/src/utils/load-config.ts
|
|
139
137
|
const isDynamicAwaitSupported = () => {
|
|
140
138
|
var _context;
|
|
141
|
-
const _process$version$repl = _mapInstanceProperty__default
|
|
139
|
+
const _process$version$repl = _mapInstanceProperty__default.default(_context = process.version.replace('v', '').split('.')).call(_context, val => _parseInt__default.default(val)),
|
|
142
140
|
_process$version$repl2 = _slicedToArray(_process$version$repl, 2),
|
|
143
141
|
major = _process$version$repl2[0],
|
|
144
142
|
minor = _process$version$repl2[1];
|
|
@@ -148,9 +146,9 @@ const isDynamicAwaitSupported = () => {
|
|
|
148
146
|
// Is the given directory set up to use ESM (ECMAScript Modules)?
|
|
149
147
|
// Copied from @commitlint/load/src/utils/load-config.ts
|
|
150
148
|
const isEsmModule = async cwd => {
|
|
151
|
-
const packagePath = path__default
|
|
149
|
+
const packagePath = path__default.default.join(cwd, 'package.json');
|
|
152
150
|
try {
|
|
153
|
-
const packageJSON = await fs__default
|
|
151
|
+
const packageJSON = await fs__default.default.readFile(packagePath, {
|
|
154
152
|
encoding: 'utf-8'
|
|
155
153
|
});
|
|
156
154
|
return JSON.parse(packageJSON)?.type === 'module';
|
|
@@ -267,56 +265,74 @@ const substituteFilePathVariablePlaceholder = (valueOfPlaceholder, matchedString
|
|
|
267
265
|
const _valueOfPlaceholder$s5 = valueOfPlaceholder.split(':'),
|
|
268
266
|
_valueOfPlaceholder$s6 = _slicedToArray(_valueOfPlaceholder$s5, 2),
|
|
269
267
|
filePathOrModule = _valueOfPlaceholder$s6[1];
|
|
268
|
+
|
|
269
|
+
// Security check: Prevent path traversal attacks.
|
|
270
|
+
// Two strategies depending on whether the specifier is a bare module name
|
|
271
|
+
// (e.g. "@scope/pkg/file.svg") or a relative/absolute path (e.g. "./app.svg").
|
|
272
|
+
const isModuleName = !_startsWithInstanceProperty__default.default(filePathOrModule).call(filePathOrModule, '.') && !_startsWithInstanceProperty__default.default(filePathOrModule).call(filePathOrModule, '/');
|
|
273
|
+
if (isModuleName) {
|
|
274
|
+
// Bare module specifiers are resolved by require.resolve through
|
|
275
|
+
// node_modules, linked packages, or Yarn PnP — all legitimate locations
|
|
276
|
+
// that may be outside the workspace root (e.g. hoisted deps in CI).
|
|
277
|
+
// We skip the workspace root check for these, but we must block ".."
|
|
278
|
+
// segments in the specifier itself — those are the only way to make
|
|
279
|
+
// require.resolve escape module directories and reach arbitrary files
|
|
280
|
+
// (e.g. "some-pkg/../../../../etc/passwd" resolves through node_modules
|
|
281
|
+
// to /etc/passwd).
|
|
282
|
+
const normalizedSpecifier = path__default$1.default.posix.normalize(filePathOrModule);
|
|
283
|
+
if (_startsWithInstanceProperty__default.default(normalizedSpecifier).call(normalizedSpecifier, '..')) {
|
|
284
|
+
throw new Error(`Path traversal in module specifiers is not allowed: ${filePathOrModule}`);
|
|
285
|
+
}
|
|
286
|
+
}
|
|
270
287
|
const resolvedPath = require.resolve(filePathOrModule, {
|
|
271
288
|
paths: [loadingOptions.applicationPath]
|
|
272
289
|
});
|
|
290
|
+
const normalizedPath = path__default$1.default.normalize(resolvedPath);
|
|
291
|
+
if (!isModuleName) {
|
|
292
|
+
// For relative/absolute paths, verify the resolved path is within the
|
|
293
|
+
// workspace root. require.resolve() already provides some protection by
|
|
294
|
+
// only resolving from applicationPath, but we add an extra layer to
|
|
295
|
+
// prevent access to sensitive system files outside the workspace.
|
|
296
|
+
const applicationPath = path__default$1.default.normalize(loadingOptions.applicationPath);
|
|
273
297
|
|
|
274
|
-
|
|
275
|
-
|
|
276
|
-
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
|
|
285
|
-
|
|
286
|
-
|
|
287
|
-
|
|
288
|
-
const hasWorkspaceConfig = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'pnpm-workspace.yaml')) || fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'lerna.json'));
|
|
289
|
-
if (hasPackageJson) {
|
|
290
|
-
workspaceRoot = currentPath;
|
|
291
|
-
if (hasWorkspaceConfig) {
|
|
292
|
-
// Found workspace root
|
|
293
|
-
break;
|
|
298
|
+
// Find workspace root by traversing up from applicationPath until we find
|
|
299
|
+
// package.json, pnpm-workspace.yaml, or reach root
|
|
300
|
+
let workspaceRoot = applicationPath;
|
|
301
|
+
let currentPath = applicationPath;
|
|
302
|
+
const rootPath = path__default$1.default.parse(currentPath).root;
|
|
303
|
+
while (currentPath !== rootPath) {
|
|
304
|
+
const hasPackageJson = fs__default$1.default.existsSync(path__default$1.default.join(currentPath, 'package.json'));
|
|
305
|
+
const hasWorkspaceConfig = fs__default$1.default.existsSync(path__default$1.default.join(currentPath, 'pnpm-workspace.yaml')) || fs__default$1.default.existsSync(path__default$1.default.join(currentPath, 'lerna.json'));
|
|
306
|
+
if (hasPackageJson) {
|
|
307
|
+
workspaceRoot = currentPath;
|
|
308
|
+
if (hasWorkspaceConfig) {
|
|
309
|
+
// Found workspace root
|
|
310
|
+
break;
|
|
311
|
+
}
|
|
294
312
|
}
|
|
313
|
+
currentPath = path__default$1.default.dirname(currentPath);
|
|
314
|
+
}
|
|
315
|
+
const relativePath = path__default$1.default.relative(workspaceRoot, normalizedPath);
|
|
316
|
+
// Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
|
|
317
|
+
const isSafePath = !_startsWithInstanceProperty__default.default(relativePath).call(relativePath, '..') && !path__default$1.default.isAbsolute(relativePath);
|
|
318
|
+
if (!isSafePath) {
|
|
319
|
+
throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
|
|
295
320
|
}
|
|
296
|
-
currentPath = path__default$1["default"].dirname(currentPath);
|
|
297
|
-
}
|
|
298
|
-
const relativePath = path__default$1["default"].relative(workspaceRoot, normalizedPath);
|
|
299
|
-
|
|
300
|
-
// Path is safe if it's within the workspace root.
|
|
301
|
-
// Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
|
|
302
|
-
const isSafePath = !_startsWithInstanceProperty__default["default"](relativePath).call(relativePath, '..') && !path__default$1["default"].isAbsolute(relativePath);
|
|
303
|
-
if (!isSafePath) {
|
|
304
|
-
throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
|
|
305
321
|
}
|
|
306
|
-
const content = fs__default$1
|
|
322
|
+
const content = fs__default$1.default.readFileSync(normalizedPath, {
|
|
307
323
|
encoding: 'utf-8'
|
|
308
324
|
});
|
|
309
325
|
return valueOfEnvConfig.replace(new RegExp(escapeRegExp(matchedString), 'g'), content);
|
|
310
326
|
};
|
|
311
|
-
const getValueOfPlaceholder = valueWithPlaceholder => valueWithPlaceholder.replace(variableSyntax, (_match, varName) => _trimInstanceProperty__default
|
|
327
|
+
const getValueOfPlaceholder = valueWithPlaceholder => valueWithPlaceholder.replace(variableSyntax, (_match, varName) => _trimInstanceProperty__default.default(varName).call(varName)).replace(/\s/g, '');
|
|
312
328
|
const substituteVariablePlaceholders = (config, loadingOptions) => {
|
|
313
|
-
const result = JSON.parse(_JSON$stringify__default
|
|
329
|
+
const result = JSON.parse(_JSON$stringify__default.default(config), (_key, value) => {
|
|
314
330
|
// Only strings are allowed
|
|
315
331
|
let substitutedValue = value;
|
|
316
332
|
if (hasVariablePlaceholder(substitutedValue)) {
|
|
317
333
|
const matchResult = substitutedValue.match(variableSyntax);
|
|
318
334
|
if (matchResult) {
|
|
319
|
-
_forEachInstanceProperty__default
|
|
335
|
+
_forEachInstanceProperty__default.default(matchResult).call(matchResult, matchedString => {
|
|
320
336
|
const valueOfPlaceholder = getValueOfPlaceholder(matchedString);
|
|
321
337
|
if (isEnvVariablePlaceholder(valueOfPlaceholder)) {
|
|
322
338
|
substitutedValue = substituteEnvVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
|
|
@@ -991,7 +1007,7 @@ var customViewSchemaJson = {
|
|
|
991
1007
|
]
|
|
992
1008
|
};
|
|
993
1009
|
|
|
994
|
-
const ajv = new Ajv__default
|
|
1010
|
+
const ajv = new Ajv__default.default({
|
|
995
1011
|
strict: true,
|
|
996
1012
|
useDefaults: true
|
|
997
1013
|
});
|
|
@@ -1001,7 +1017,7 @@ const printErrors = errors => {
|
|
|
1001
1017
|
if (!errors) {
|
|
1002
1018
|
return 'No errors';
|
|
1003
1019
|
}
|
|
1004
|
-
return _mapInstanceProperty__default
|
|
1020
|
+
return _mapInstanceProperty__default.default(errors).call(errors, error => {
|
|
1005
1021
|
const baseMessage = `${error.instancePath} ${error.message}`;
|
|
1006
1022
|
switch (error.keyword) {
|
|
1007
1023
|
case 'additionalProperties':
|
|
@@ -1020,7 +1036,7 @@ const validateConfig = (configType, config) => {
|
|
|
1020
1036
|
} else if (configType === LOADED_CONFIG_TYPES.CUSTOM_VIEW) {
|
|
1021
1037
|
validation = validateCustomViewConfig;
|
|
1022
1038
|
} else {
|
|
1023
|
-
throw new Error(`Invalid config type "${configType}", expected ${_Object$keys__default
|
|
1039
|
+
throw new Error(`Invalid config type "${configType}", expected ${_Object$keys__default.default(LOADED_CONFIG_TYPES).toString()}`);
|
|
1024
1040
|
}
|
|
1025
1041
|
const isValid = validation(config);
|
|
1026
1042
|
if (!isValid) {
|
|
@@ -1034,8 +1050,8 @@ const validateEntryPointUriPath = config => {
|
|
|
1034
1050
|
};
|
|
1035
1051
|
const validateSubmenuLinks = config => {
|
|
1036
1052
|
var _context;
|
|
1037
|
-
const uriPathSet = new _Set__default
|
|
1038
|
-
_forEachInstanceProperty__default
|
|
1053
|
+
const uriPathSet = new _Set__default.default();
|
|
1054
|
+
_forEachInstanceProperty__default.default(_context = config.submenuLinks).call(_context, _ref => {
|
|
1039
1055
|
let uriPath = _ref.uriPath;
|
|
1040
1056
|
if (uriPathSet.has(uriPath)) {
|
|
1041
1057
|
throw new Error('Duplicate URI path. Every submenu link must have a unique URI path value');
|
|
@@ -1045,12 +1061,12 @@ const validateSubmenuLinks = config => {
|
|
|
1045
1061
|
};
|
|
1046
1062
|
const validateAdditionalOAuthScopes = config => {
|
|
1047
1063
|
var _context2, _context3;
|
|
1048
|
-
const additionalPermissionNames = new _Set__default
|
|
1049
|
-
((_context2 = config.additionalOAuthScopes) == null ? void 0 : _bindInstanceProperty__default
|
|
1064
|
+
const additionalPermissionNames = new _Set__default.default();
|
|
1065
|
+
((_context2 = config.additionalOAuthScopes) == null ? void 0 : _bindInstanceProperty__default.default(_context3 = Function.call).call(_context3, _forEachInstanceProperty__default.default(_context2), _context2))?.(_ref2 => {
|
|
1050
1066
|
let name = _ref2.name,
|
|
1051
1067
|
view = _ref2.view,
|
|
1052
1068
|
manage = _ref2.manage;
|
|
1053
|
-
if ((_Array$isArray__default
|
|
1069
|
+
if ((_Array$isArray__default.default(view) && view.length === 0 || !view) && (_Array$isArray__default.default(manage) && manage.length === 0 || !manage)) {
|
|
1054
1070
|
throw new Error(`At least one OAuth Scope for permission group name "${name}" is required`);
|
|
1055
1071
|
} else if (additionalPermissionNames.has(name)) {
|
|
1056
1072
|
throw new Error(`Duplicate additional permission group name "${name}". Every additional permission must have a unique name`);
|
|
@@ -1062,8 +1078,8 @@ const validateAdditionalOAuthScopes = config => {
|
|
|
1062
1078
|
});
|
|
1063
1079
|
};
|
|
1064
1080
|
|
|
1065
|
-
function ownKeys$1(e, r) { var t = _Object$keys__default
|
|
1066
|
-
function _objectSpread$1(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default
|
|
1081
|
+
function ownKeys$1(e, r) { var t = _Object$keys__default.default(e); if (_Object$getOwnPropertySymbols__default.default) { var o = _Object$getOwnPropertySymbols__default.default(e); r && (o = _filterInstanceProperty__default.default(o).call(o, function (r) { return _Object$getOwnPropertyDescriptor__default.default(e, r).enumerable; })), t.push.apply(t, o); } return t; }
|
|
1082
|
+
function _objectSpread$1(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default.default(_context6 = ownKeys$1(Object(t), true)).call(_context6, function (r) { _defineProperty(e, r, t[r]); }) : _Object$getOwnPropertyDescriptors__default.default ? _Object$defineProperties__default.default(e, _Object$getOwnPropertyDescriptors__default.default(t)) : _forEachInstanceProperty__default.default(_context7 = ownKeys$1(Object(t))).call(_context7, function (r) { _Object$defineProperty__default.default(e, r, _Object$getOwnPropertyDescriptor__default.default(t, r)); }); } return e; }
|
|
1067
1083
|
|
|
1068
1084
|
// The `uriPath` of each submenu link is supposed to be defined relative
|
|
1069
1085
|
// to the `entryPointUriPath`. Computing the full path is done internally to keep
|
|
@@ -1075,13 +1091,13 @@ const computeUriPath = (uriPath, entryPointUriPath) => {
|
|
|
1075
1091
|
if (uriPath === '/') return entryPointUriPath;
|
|
1076
1092
|
// In case the `uriPath` is already configured including the `entryPointUriPath`,
|
|
1077
1093
|
// we return the `uriPath` as-is.
|
|
1078
|
-
if (_startsWithInstanceProperty__default
|
|
1094
|
+
if (_startsWithInstanceProperty__default.default(uriPath).call(uriPath, `${entryPointUriPath}/`)) return uriPath;
|
|
1079
1095
|
// Return the full path including the `entryPointUriPath` as a prefix.
|
|
1080
1096
|
return `${entryPointUriPath}/${uriPath}`;
|
|
1081
1097
|
};
|
|
1082
1098
|
const getPermissions = appConfig => {
|
|
1083
1099
|
var _context, _context2, _context3, _context4;
|
|
1084
|
-
const additionalResourceAccessKeyToOauthScopeMap = _reduceInstanceProperty__default
|
|
1100
|
+
const additionalResourceAccessKeyToOauthScopeMap = _reduceInstanceProperty__default.default(_context = appConfig.additionalOAuthScopes || []).call(_context, (previousOauthScope, _ref) => {
|
|
1085
1101
|
let name = _ref.name,
|
|
1086
1102
|
view = _ref.view,
|
|
1087
1103
|
manage = _ref.manage;
|
|
@@ -1091,7 +1107,7 @@ const getPermissions = appConfig => {
|
|
|
1091
1107
|
[`manage${formattedResourceKey}`]: manage
|
|
1092
1108
|
});
|
|
1093
1109
|
}, {});
|
|
1094
|
-
const additionalPermissionNames = ((_context2 = appConfig.additionalOAuthScopes) == null ? void 0 : _bindInstanceProperty__default
|
|
1110
|
+
const additionalPermissionNames = ((_context2 = appConfig.additionalOAuthScopes) == null ? void 0 : _bindInstanceProperty__default.default(_context3 = Function.call).call(_context3, _mapInstanceProperty__default.default(_context2), _context2))?.(_ref2 => {
|
|
1095
1111
|
let name = _ref2.name;
|
|
1096
1112
|
return name;
|
|
1097
1113
|
}) || [];
|
|
@@ -1100,7 +1116,7 @@ const getPermissions = appConfig => {
|
|
|
1100
1116
|
// configuration is for a custom view. In this case we use the
|
|
1101
1117
|
// default entry point uri path.
|
|
1102
1118
|
constants.CUSTOM_VIEW_HOST_ENTRY_POINT_URI_PATH, additionalPermissionNames);
|
|
1103
|
-
const additionalPermissions = _mapInstanceProperty__default
|
|
1119
|
+
const additionalPermissions = _mapInstanceProperty__default.default(_context4 = _Object$keys__default.default(additionalResourceAccessKeyToOauthScopeMap)).call(_context4, additionalResourceAccessKey => ({
|
|
1104
1120
|
name: permissionKeys[additionalResourceAccessKey],
|
|
1105
1121
|
oAuthScopes: additionalResourceAccessKeyToOauthScopeMap[additionalResourceAccessKey]
|
|
1106
1122
|
}));
|
|
@@ -1126,7 +1142,7 @@ function transformCustomApplicationConfigToData(appConfig) {
|
|
|
1126
1142
|
permissions: getPermissions(appConfig),
|
|
1127
1143
|
icon: appConfig.icon,
|
|
1128
1144
|
mainMenuLink: appConfig.mainMenuLink,
|
|
1129
|
-
submenuLinks: _mapInstanceProperty__default
|
|
1145
|
+
submenuLinks: _mapInstanceProperty__default.default(_context5 = appConfig.submenuLinks).call(_context5, submenuLink => _objectSpread$1(_objectSpread$1({}, submenuLink), {}, {
|
|
1130
1146
|
uriPath: computeUriPath(submenuLink.uriPath, appConfig.entryPointUriPath)
|
|
1131
1147
|
}))
|
|
1132
1148
|
};
|
|
@@ -1172,13 +1188,13 @@ const mapCloudIdentifierToApiUrl = key => {
|
|
|
1172
1188
|
default:
|
|
1173
1189
|
// We would probably never get to this point, as the JSON schema validation
|
|
1174
1190
|
// kicks in before.
|
|
1175
|
-
throw new Error(`Unknown cloud identifier "${key}". Supported values: ${_Object$values__default
|
|
1191
|
+
throw new Error(`Unknown cloud identifier "${key}". Supported values: ${_Object$values__default.default(CLOUD_IDENTIFIERS).toString()}`);
|
|
1176
1192
|
}
|
|
1177
1193
|
};
|
|
1178
1194
|
const getUniqueValues = function () {
|
|
1179
1195
|
let initialValues = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : [];
|
|
1180
1196
|
let additionalValues = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : [];
|
|
1181
|
-
return uniq__default
|
|
1197
|
+
return uniq__default.default([...initialValues, ...additionalValues]);
|
|
1182
1198
|
};
|
|
1183
1199
|
const nonProductionEnvironment = ['development', 'test'];
|
|
1184
1200
|
const getIsProd = env =>
|
|
@@ -1186,7 +1202,7 @@ const getIsProd = env =>
|
|
|
1186
1202
|
// a production environment unless it's one of `development` or `test`.
|
|
1187
1203
|
// This allows to use for example the `staging` value, which from the
|
|
1188
1204
|
// application perspective is still considered a production environment.
|
|
1189
|
-
env.MC_APP_ENV ? !_includesInstanceProperty__default
|
|
1205
|
+
env.MC_APP_ENV ? !_includesInstanceProperty__default.default(nonProductionEnvironment).call(nonProductionEnvironment, env.MC_APP_ENV) : env.NODE_ENV === 'production';
|
|
1190
1206
|
const getOrThrow = (fn, errorMessage) => {
|
|
1191
1207
|
try {
|
|
1192
1208
|
return fn();
|
|
@@ -1195,13 +1211,13 @@ const getOrThrow = (fn, errorMessage) => {
|
|
|
1195
1211
|
}
|
|
1196
1212
|
};
|
|
1197
1213
|
|
|
1198
|
-
function ownKeys(e, r) { var t = _Object$keys__default
|
|
1199
|
-
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context2, _context3; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default
|
|
1214
|
+
function ownKeys(e, r) { var t = _Object$keys__default.default(e); if (_Object$getOwnPropertySymbols__default.default) { var o = _Object$getOwnPropertySymbols__default.default(e); r && (o = _filterInstanceProperty__default.default(o).call(o, function (r) { return _Object$getOwnPropertyDescriptor__default.default(e, r).enumerable; })), t.push.apply(t, o); } return t; }
|
|
1215
|
+
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context2, _context3; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default.default(_context2 = ownKeys(Object(t), true)).call(_context2, function (r) { _defineProperty(e, r, t[r]); }) : _Object$getOwnPropertyDescriptors__default.default ? _Object$defineProperties__default.default(e, _Object$getOwnPropertyDescriptors__default.default(t)) : _forEachInstanceProperty__default.default(_context3 = ownKeys(Object(t))).call(_context3, function (r) { _Object$defineProperty__default.default(e, r, _Object$getOwnPropertyDescriptor__default.default(t, r)); }); } return e; }
|
|
1200
1216
|
// TODO: make it configurable.
|
|
1201
1217
|
const developmentPort = 3001;
|
|
1202
1218
|
const developmentAppUrl = `http://localhost:${developmentPort}`;
|
|
1203
1219
|
const getLoadedConfigurationType = configFileName => {
|
|
1204
|
-
if (_includesInstanceProperty__default
|
|
1220
|
+
if (_includesInstanceProperty__default.default(configFileName).call(configFileName, 'custom-view-config')) {
|
|
1205
1221
|
return LOADED_CONFIG_TYPES.CUSTOM_VIEW;
|
|
1206
1222
|
}
|
|
1207
1223
|
return LOADED_CONFIG_TYPES.CUSTOM_APPLICATION;
|
|
@@ -1223,7 +1239,7 @@ const getRuntimeEnvironmentConfigForDevelopment = _ref => {
|
|
|
1223
1239
|
if (isProd) {
|
|
1224
1240
|
return undefined;
|
|
1225
1241
|
}
|
|
1226
|
-
const oidcConfig = omitEmpty__default
|
|
1242
|
+
const oidcConfig = omitEmpty__default.default(_objectSpread(_objectSpread({
|
|
1227
1243
|
authorizeUrl: [
|
|
1228
1244
|
// In case the MC API url points to localhost, we need to point
|
|
1229
1245
|
// to a local running dev login page to handle the workflow properly.
|
|
@@ -1244,7 +1260,7 @@ const getRuntimeEnvironmentConfigForDevelopment = _ref => {
|
|
|
1244
1260
|
if (isCustomViewData(configurationData)) {
|
|
1245
1261
|
const hostUriPath = appConfig.env.development.hostUriPath;
|
|
1246
1262
|
const defaultHostUriPath = oidcConfig.initialProjectKey ? `/${oidcConfig.initialProjectKey}/${entryPointUriPath}` : `/${entryPointUriPath}`;
|
|
1247
|
-
const hostUrl = new _URL__default
|
|
1263
|
+
const hostUrl = new _URL__default.default(hostUriPath || defaultHostUriPath, developmentAppUrl);
|
|
1248
1264
|
return omitDevConfigIfEmpty({
|
|
1249
1265
|
oidc: oidcConfig,
|
|
1250
1266
|
customViewConfig: configurationData,
|
|
@@ -1291,7 +1307,7 @@ const getRuntimeEnvironmentConfig = _ref2 => {
|
|
|
1291
1307
|
appConfig,
|
|
1292
1308
|
entryPointUriPath
|
|
1293
1309
|
});
|
|
1294
|
-
return _objectSpread(_objectSpread(_objectSpread({}, omitEmpty__default
|
|
1310
|
+
return _objectSpread(_objectSpread(_objectSpread({}, omitEmpty__default.default(additionalAppEnv)), {}, {
|
|
1295
1311
|
cdnUrl: cdnUrl.href,
|
|
1296
1312
|
env: appEnvKey,
|
|
1297
1313
|
frontendHost: appUrl.host,
|
|
@@ -1322,7 +1338,7 @@ const processConfig = async function () {
|
|
|
1322
1338
|
_ref3$processEnv = _ref3.processEnv,
|
|
1323
1339
|
processEnv = _ref3$processEnv === void 0 ? process.env : _ref3$processEnv,
|
|
1324
1340
|
_ref3$applicationPath = _ref3.applicationPath,
|
|
1325
|
-
applicationPath = _ref3$applicationPath === void 0 ? fs__default$1
|
|
1341
|
+
applicationPath = _ref3$applicationPath === void 0 ? fs__default$1.default.realpathSync(process.cwd()) : _ref3$applicationPath;
|
|
1326
1342
|
if (cachedConfig && !disableCache) return cachedConfig;
|
|
1327
1343
|
const _await$loadConfig = await loadConfig(applicationPath),
|
|
1328
1344
|
filepath = _await$loadConfig.filepath,
|
|
@@ -1342,12 +1358,12 @@ const processConfig = async function () {
|
|
|
1342
1358
|
// Parse all the supported URLs, which gets implicitly validated
|
|
1343
1359
|
|
|
1344
1360
|
const envAppUrl = isProd ? configurationData.url : developmentAppUrl;
|
|
1345
|
-
const appUrl = getOrThrow(() => new _URL__default
|
|
1361
|
+
const appUrl = getOrThrow(() => new _URL__default.default(envAppUrl), `Invalid application URL: "${envAppUrl}"`);
|
|
1346
1362
|
|
|
1347
1363
|
// Use `||` instead of `??` to include empty string values.
|
|
1348
1364
|
const envCdnUrl = isProd ? appConfig.env.production.cdnUrl || appUrl.href : developmentAppUrl;
|
|
1349
|
-
const cdnUrl = getOrThrow(() => new _URL__default
|
|
1350
|
-
const mcApiUrl = getOrThrow(() => new _URL__default
|
|
1365
|
+
const cdnUrl = getOrThrow(() => new _URL__default.default(envCdnUrl), `Invalid application CDN URL: "${envCdnUrl}"`);
|
|
1366
|
+
const mcApiUrl = getOrThrow(() => new _URL__default.default(
|
|
1351
1367
|
// Use `||` instead of `??` to include empty string values.
|
|
1352
1368
|
appConfig.mcApiUrl || mapCloudIdentifierToApiUrl(appConfig.cloudIdentifier)), `Invalid MC API URL: "${appConfig.mcApiUrl}"`);
|
|
1353
1369
|
cachedConfig = {
|
|
@@ -1371,7 +1387,7 @@ const processConfig = async function () {
|
|
|
1371
1387
|
// the CSP point of view, it will say only the file `app` can be used as a source, so
|
|
1372
1388
|
// any other file from that domain will be forbidden. Using the slash (ex: https://www.my-domain.com/app/)
|
|
1373
1389
|
// at the end it's like using a wildcard so anything 'below' `app` will be allowed.
|
|
1374
|
-
'connect-src': getUniqueValues(appConfig.headers?.csp?.['connect-src'], _concatInstanceProperty__default
|
|
1390
|
+
'connect-src': getUniqueValues(appConfig.headers?.csp?.['connect-src'], _concatInstanceProperty__default.default(_context = [mcApiUrl.origin]).call(_context, isProd ? [`${trimTrailingSlash(appUrl.href)}/`, `${trimTrailingSlash(cdnUrl.href)}/`] : [])),
|
|
1375
1391
|
'script-src': getUniqueValues(appConfig.headers?.csp?.['script-src'], isProd ? [`${trimTrailingSlash(appUrl.href)}/`, `${trimTrailingSlash(cdnUrl.href)}/`] : []),
|
|
1376
1392
|
'style-src': getUniqueValues(appConfig.headers?.csp?.['style-src'], isProd ? [`${trimTrailingSlash(appUrl.href)}/`, `${trimTrailingSlash(cdnUrl.href)}/`] : [])
|
|
1377
1393
|
})
|
|
@@ -1381,7 +1397,7 @@ const processConfig = async function () {
|
|
|
1381
1397
|
};
|
|
1382
1398
|
|
|
1383
1399
|
const jsdom = new jsdom$1.JSDOM('');
|
|
1384
|
-
const DOMPurify = createDOMPurify__default
|
|
1400
|
+
const DOMPurify = createDOMPurify__default.default(jsdom.window);
|
|
1385
1401
|
function sanitizeSvg(data) {
|
|
1386
1402
|
return DOMPurify.sanitize(data, {
|
|
1387
1403
|
USE_PROFILES: {
|
|
@@ -1393,11 +1409,11 @@ function sanitizeSvg(data) {
|
|
|
1393
1409
|
});
|
|
1394
1410
|
}
|
|
1395
1411
|
|
|
1396
|
-
Object.defineProperty(exports,
|
|
1412
|
+
Object.defineProperty(exports, "ENTRY_POINT_URI_PATH_REGEX", {
|
|
1397
1413
|
enumerable: true,
|
|
1398
1414
|
get: function () { return constants.ENTRY_POINT_URI_PATH_REGEX; }
|
|
1399
1415
|
});
|
|
1400
|
-
Object.defineProperty(exports,
|
|
1416
|
+
Object.defineProperty(exports, "PERMISSION_GROUP_NAME_REGEX", {
|
|
1401
1417
|
enumerable: true,
|
|
1402
1418
|
get: function () { return constants.PERMISSION_GROUP_NAME_REGEX; }
|
|
1403
1419
|
});
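Review bot: In `substituteFilePathVariablePlaceholder` (new lines 272–286) the bare-specifier test only looks for a leading `.` or `/`, so on Windows a specifier rooted with a backslash is classified as a module name and skips the workspace-root check, and `path.posix.normalize` does not collapse `..` segments that are separated by backslashes. I would classify with `const isModuleName = !filePathOrModule.startsWith('.') && !path.isAbsolute(filePathOrModule);` and run the `..` test on `filePathOrModule.replace(/\\/g, '/')`, or reject backslashes in bare specifiers outright. Separately, `relativePath.startsWith('..')` at new line 317 also rejects a legitimate entry whose name merely begins with two dots; `relativePath === '..' || relativePath.startsWith('..' + path.sep)` is exact. This file is build output, so the change belongs in the package source, and the cjs.prod and esm builds in the file list presumably carry the same code.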
|
|
@@ -1,7 +1,5 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
|
-
Object.defineProperty(exports, '__esModule', { value: true });
|
|
4
|
-
|
|
5
3
|
var _Object$keys = require('@babel/runtime-corejs3/core-js-stable/object/keys');
|
|
6
4
|
var _Object$getOwnPropertySymbols = require('@babel/runtime-corejs3/core-js-stable/object/get-own-property-symbols');
|
|
7
5
|
var _filterInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/filter');
|
|
@@ -37,7 +35,7 @@ var _JSON$stringify = require('@babel/runtime-corejs3/core-js-stable/json/string
|
|
|
37
35
|
var path$1 = require('path');
|
|
38
36
|
var _reduceInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/reduce');
|
|
39
37
|
var _bindInstanceProperty = require('@babel/runtime-corejs3/core-js-stable/instance/bind');
|
|
40
|
-
var formatters = require('./formatters-
|
|
38
|
+
var formatters = require('./formatters-CWjiv2VA.cjs.prod.js');
|
|
41
39
|
var _Set = require('@babel/runtime-corejs3/core-js-stable/set');
|
|
42
40
|
var _Array$isArray = require('@babel/runtime-corejs3/core-js-stable/array/is-array');
|
|
43
41
|
var Ajv = require('ajv');
|
|
@@ -48,7 +46,7 @@ var jsdom$1 = require('jsdom');
|
|
|
48
46
|
require('@babel/runtime-corejs3/core-js-stable/object/entries');
|
|
49
47
|
require('lodash/upperFirst');
|
|
50
48
|
|
|
51
|
-
function _interopDefault (e) { return e && e.__esModule ? e : {
|
|
49
|
+
function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
|
|
52
50
|
|
|
53
51
|
var _Object$keys__default = /*#__PURE__*/_interopDefault(_Object$keys);
|
|
54
52
|
var _Object$getOwnPropertySymbols__default = /*#__PURE__*/_interopDefault(_Object$getOwnPropertySymbols);
|
|
@@ -116,14 +114,14 @@ const LOADED_CONFIG_TYPES = {
|
|
|
116
114
|
CUSTOM_VIEW: 'custom-view'
|
|
117
115
|
};
|
|
118
116
|
|
|
119
|
-
function _callSuper(t, o, e) { return o = _getPrototypeOf(o), _possibleConstructorReturn(t, _isNativeReflectConstruct() ? _Reflect$construct__default
|
|
120
|
-
function _isNativeReflectConstruct() { try { var t = !Boolean.prototype.valueOf.call(_Reflect$construct__default
|
|
117
|
+
function _callSuper(t, o, e) { return o = _getPrototypeOf(o), _possibleConstructorReturn(t, _isNativeReflectConstruct() ? _Reflect$construct__default.default(o, e || [], _getPrototypeOf(t).constructor) : o.apply(t, e)); }
|
|
118
|
+
function _isNativeReflectConstruct() { try { var t = !Boolean.prototype.valueOf.call(_Reflect$construct__default.default(Boolean, [], function () {})); } catch (t) {} return (_isNativeReflectConstruct = function () { return !!t; })(); }
|
|
121
119
|
let MissingOrInvalidConfigError = /*#__PURE__*/function (_Error) {
|
|
122
120
|
function MissingOrInvalidConfigError(message) {
|
|
123
121
|
var _this;
|
|
124
122
|
_classCallCheck(this, MissingOrInvalidConfigError);
|
|
125
123
|
_this = _callSuper(this, MissingOrInvalidConfigError, [message]);
|
|
126
|
-
_Object$defineProperty__default
|
|
124
|
+
_Object$defineProperty__default.default(_this, 'name', {
|
|
127
125
|
value: 'MissingOrInvalidConfigError'
|
|
128
126
|
});
|
|
129
127
|
return _this;
|
|
@@ -138,7 +136,7 @@ let MissingOrInvalidConfigError = /*#__PURE__*/function (_Error) {
|
|
|
138
136
|
// Copied from @commitlint/load/src/utils/load-config.ts
|
|
139
137
|
const isDynamicAwaitSupported = () => {
|
|
140
138
|
var _context;
|
|
141
|
-
const _process$version$repl = _mapInstanceProperty__default
|
|
139
|
+
const _process$version$repl = _mapInstanceProperty__default.default(_context = process.version.replace('v', '').split('.')).call(_context, val => _parseInt__default.default(val)),
|
|
142
140
|
_process$version$repl2 = _slicedToArray(_process$version$repl, 2),
|
|
143
141
|
major = _process$version$repl2[0],
|
|
144
142
|
minor = _process$version$repl2[1];
|
|
@@ -148,9 +146,9 @@ const isDynamicAwaitSupported = () => {
|
|
|
148
146
|
// Is the given directory set up to use ESM (ECMAScript Modules)?
|
|
149
147
|
// Copied from @commitlint/load/src/utils/load-config.ts
|
|
150
148
|
const isEsmModule = async cwd => {
|
|
151
|
-
const packagePath = path__default
|
|
149
|
+
const packagePath = path__default.default.join(cwd, 'package.json');
|
|
152
150
|
try {
|
|
153
|
-
const packageJSON = await fs__default
|
|
151
|
+
const packageJSON = await fs__default.default.readFile(packagePath, {
|
|
154
152
|
encoding: 'utf-8'
|
|
155
153
|
});
|
|
156
154
|
return JSON.parse(packageJSON)?.type === 'module';
|
|
@@ -267,56 +265,74 @@ const substituteFilePathVariablePlaceholder = (valueOfPlaceholder, matchedString
|
|
|
267
265
|
const _valueOfPlaceholder$s5 = valueOfPlaceholder.split(':'),
|
|
268
266
|
_valueOfPlaceholder$s6 = _slicedToArray(_valueOfPlaceholder$s5, 2),
|
|
269
267
|
filePathOrModule = _valueOfPlaceholder$s6[1];
|
|
268
|
+
|
|
269
|
+
// Security check: Prevent path traversal attacks.
|
|
270
|
+
// Two strategies depending on whether the specifier is a bare module name
|
|
271
|
+
// (e.g. "@scope/pkg/file.svg") or a relative/absolute path (e.g. "./app.svg").
|
|
272
|
+
const isModuleName = !_startsWithInstanceProperty__default.default(filePathOrModule).call(filePathOrModule, '.') && !_startsWithInstanceProperty__default.default(filePathOrModule).call(filePathOrModule, '/');
|
|
273
|
+
if (isModuleName) {
|
|
274
|
+
// Bare module specifiers are resolved by require.resolve through
|
|
275
|
+
// node_modules, linked packages, or Yarn PnP — all legitimate locations
|
|
276
|
+
// that may be outside the workspace root (e.g. hoisted deps in CI).
|
|
277
|
+
// We skip the workspace root check for these, but we must block ".."
|
|
278
|
+
// segments in the specifier itself — those are the only way to make
|
|
279
|
+
// require.resolve escape module directories and reach arbitrary files
|
|
280
|
+
// (e.g. "some-pkg/../../../../etc/passwd" resolves through node_modules
|
|
281
|
+
// to /etc/passwd).
|
|
282
|
+
const normalizedSpecifier = path__default$1.default.posix.normalize(filePathOrModule);
|
|
283
|
+
if (_startsWithInstanceProperty__default.default(normalizedSpecifier).call(normalizedSpecifier, '..')) {
|
|
284
|
+
throw new Error(`Path traversal in module specifiers is not allowed: ${filePathOrModule}`);
|
|
285
|
+
}
|
|
286
|
+
}
|
|
270
287
|
const resolvedPath = require.resolve(filePathOrModule, {
|
|
271
288
|
paths: [loadingOptions.applicationPath]
|
|
272
289
|
});
|
|
290
|
+
const normalizedPath = path__default$1.default.normalize(resolvedPath);
|
|
291
|
+
if (!isModuleName) {
|
|
292
|
+
// For relative/absolute paths, verify the resolved path is within the
|
|
293
|
+
// workspace root. require.resolve() already provides some protection by
|
|
294
|
+
// only resolving from applicationPath, but we add an extra layer to
|
|
295
|
+
// prevent access to sensitive system files outside the workspace.
|
|
296
|
+
const applicationPath = path__default$1.default.normalize(loadingOptions.applicationPath);
|
|
273
297
|
|
|
274
|
-
|
|
275
|
-
|
|
276
|
-
|
|
277
|
-
|
|
278
|
-
|
|
279
|
-
|
|
280
|
-
|
|
281
|
-
|
|
282
|
-
|
|
283
|
-
|
|
284
|
-
|
|
285
|
-
|
|
286
|
-
|
|
287
|
-
|
|
288
|
-
const hasWorkspaceConfig = fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'pnpm-workspace.yaml')) || fs__default$1["default"].existsSync(path__default$1["default"].join(currentPath, 'lerna.json'));
|
|
289
|
-
if (hasPackageJson) {
|
|
290
|
-
workspaceRoot = currentPath;
|
|
291
|
-
if (hasWorkspaceConfig) {
|
|
292
|
-
// Found workspace root
|
|
293
|
-
break;
|
|
298
|
+
// Find workspace root by traversing up from applicationPath until we find
|
|
299
|
+
// package.json, pnpm-workspace.yaml, or reach root
|
|
300
|
+
let workspaceRoot = applicationPath;
|
|
301
|
+
let currentPath = applicationPath;
|
|
302
|
+
const rootPath = path__default$1.default.parse(currentPath).root;
|
|
303
|
+
while (currentPath !== rootPath) {
|
|
304
|
+
const hasPackageJson = fs__default$1.default.existsSync(path__default$1.default.join(currentPath, 'package.json'));
|
|
305
|
+
const hasWorkspaceConfig = fs__default$1.default.existsSync(path__default$1.default.join(currentPath, 'pnpm-workspace.yaml')) || fs__default$1.default.existsSync(path__default$1.default.join(currentPath, 'lerna.json'));
|
|
306
|
+
if (hasPackageJson) {
|
|
307
|
+
workspaceRoot = currentPath;
|
|
308
|
+
if (hasWorkspaceConfig) {
|
|
309
|
+
// Found workspace root
|
|
310
|
+
break;
|
|
311
|
+
}
|
|
294
312
|
}
|
|
313
|
+
currentPath = path__default$1.default.dirname(currentPath);
|
|
314
|
+
}
|
|
315
|
+
const relativePath = path__default$1.default.relative(workspaceRoot, normalizedPath);
|
|
316
|
+
// Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
|
|
317
|
+
const isSafePath = !_startsWithInstanceProperty__default.default(relativePath).call(relativePath, '..') && !path__default$1.default.isAbsolute(relativePath);
|
|
318
|
+
if (!isSafePath) {
|
|
319
|
+
throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
|
|
295
320
|
}
|
|
296
|
-
currentPath = path__default$1["default"].dirname(currentPath);
|
|
297
|
-
}
|
|
298
|
-
const relativePath = path__default$1["default"].relative(workspaceRoot, normalizedPath);
|
|
299
|
-
|
|
300
|
-
// Path is safe if it's within the workspace root.
|
|
301
|
-
// Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
|
|
302
|
-
const isSafePath = !_startsWithInstanceProperty__default["default"](relativePath).call(relativePath, '..') && !path__default$1["default"].isAbsolute(relativePath);
|
|
303
|
-
if (!isSafePath) {
|
|
304
|
-
throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
|
|
305
321
|
}
|
|
306
|
-
const content = fs__default$1
|
|
322
|
+
const content = fs__default$1.default.readFileSync(normalizedPath, {
|
|
307
323
|
encoding: 'utf-8'
|
|
308
324
|
});
|
|
309
325
|
return valueOfEnvConfig.replace(new RegExp(escapeRegExp(matchedString), 'g'), content);
|
|
310
326
|
};
|
|
311
|
-
const getValueOfPlaceholder = valueWithPlaceholder => valueWithPlaceholder.replace(variableSyntax, (_match, varName) => _trimInstanceProperty__default
|
|
327
|
+
const getValueOfPlaceholder = valueWithPlaceholder => valueWithPlaceholder.replace(variableSyntax, (_match, varName) => _trimInstanceProperty__default.default(varName).call(varName)).replace(/\s/g, '');
|
|
312
328
|
const substituteVariablePlaceholders = (config, loadingOptions) => {
|
|
313
|
-
const result = JSON.parse(_JSON$stringify__default
|
|
329
|
+
const result = JSON.parse(_JSON$stringify__default.default(config), (_key, value) => {
|
|
314
330
|
// Only strings are allowed
|
|
315
331
|
let substitutedValue = value;
|
|
316
332
|
if (hasVariablePlaceholder(substitutedValue)) {
|
|
317
333
|
const matchResult = substitutedValue.match(variableSyntax);
|
|
318
334
|
if (matchResult) {
|
|
319
|
-
_forEachInstanceProperty__default
|
|
335
|
+
_forEachInstanceProperty__default.default(matchResult).call(matchResult, matchedString => {
|
|
320
336
|
const valueOfPlaceholder = getValueOfPlaceholder(matchedString);
|
|
321
337
|
if (isEnvVariablePlaceholder(valueOfPlaceholder)) {
|
|
322
338
|
substitutedValue = substituteEnvVariablePlaceholder(valueOfPlaceholder, matchedString, substitutedValue, loadingOptions);
|
|
@@ -991,7 +1007,7 @@ var customViewSchemaJson = {
|
|
|
991
1007
|
]
|
|
992
1008
|
};
|
|
993
1009
|
|
|
994
|
-
const ajv = new Ajv__default
|
|
1010
|
+
const ajv = new Ajv__default.default({
|
|
995
1011
|
strict: true,
|
|
996
1012
|
useDefaults: true
|
|
997
1013
|
});
|
|
@@ -1001,7 +1017,7 @@ const printErrors = errors => {
|
|
|
1001
1017
|
if (!errors) {
|
|
1002
1018
|
return 'No errors';
|
|
1003
1019
|
}
|
|
1004
|
-
return _mapInstanceProperty__default
|
|
1020
|
+
return _mapInstanceProperty__default.default(errors).call(errors, error => {
|
|
1005
1021
|
const baseMessage = `${error.instancePath} ${error.message}`;
|
|
1006
1022
|
switch (error.keyword) {
|
|
1007
1023
|
case 'additionalProperties':
|
|
@@ -1020,7 +1036,7 @@ const validateConfig = (configType, config) => {
|
|
|
1020
1036
|
} else if (configType === LOADED_CONFIG_TYPES.CUSTOM_VIEW) {
|
|
1021
1037
|
validation = validateCustomViewConfig;
|
|
1022
1038
|
} else {
|
|
1023
|
-
throw new Error(`Invalid config type "${configType}", expected ${_Object$keys__default
|
|
1039
|
+
throw new Error(`Invalid config type "${configType}", expected ${_Object$keys__default.default(LOADED_CONFIG_TYPES).toString()}`);
|
|
1024
1040
|
}
|
|
1025
1041
|
const isValid = validation(config);
|
|
1026
1042
|
if (!isValid) {
|
|
@@ -1034,8 +1050,8 @@ const validateEntryPointUriPath = config => {
|
|
|
1034
1050
|
};
|
|
1035
1051
|
const validateSubmenuLinks = config => {
|
|
1036
1052
|
var _context;
|
|
1037
|
-
const uriPathSet = new _Set__default
|
|
1038
|
-
_forEachInstanceProperty__default
|
|
1053
|
+
const uriPathSet = new _Set__default.default();
|
|
1054
|
+
_forEachInstanceProperty__default.default(_context = config.submenuLinks).call(_context, _ref => {
|
|
1039
1055
|
let uriPath = _ref.uriPath;
|
|
1040
1056
|
if (uriPathSet.has(uriPath)) {
|
|
1041
1057
|
throw new Error('Duplicate URI path. Every submenu link must have a unique URI path value');
|
|
@@ -1045,12 +1061,12 @@ const validateSubmenuLinks = config => {
|
|
|
1045
1061
|
};
|
|
1046
1062
|
const validateAdditionalOAuthScopes = config => {
|
|
1047
1063
|
var _context2, _context3;
|
|
1048
|
-
const additionalPermissionNames = new _Set__default
|
|
1049
|
-
((_context2 = config.additionalOAuthScopes) == null ? void 0 : _bindInstanceProperty__default
|
|
1064
|
+
const additionalPermissionNames = new _Set__default.default();
|
|
1065
|
+
((_context2 = config.additionalOAuthScopes) == null ? void 0 : _bindInstanceProperty__default.default(_context3 = Function.call).call(_context3, _forEachInstanceProperty__default.default(_context2), _context2))?.(_ref2 => {
|
|
1050
1066
|
let name = _ref2.name,
|
|
1051
1067
|
view = _ref2.view,
|
|
1052
1068
|
manage = _ref2.manage;
|
|
1053
|
-
if ((_Array$isArray__default
|
|
1069
|
+
if ((_Array$isArray__default.default(view) && view.length === 0 || !view) && (_Array$isArray__default.default(manage) && manage.length === 0 || !manage)) {
|
|
1054
1070
|
throw new Error(`At least one OAuth Scope for permission group name "${name}" is required`);
|
|
1055
1071
|
} else if (additionalPermissionNames.has(name)) {
|
|
1056
1072
|
throw new Error(`Duplicate additional permission group name "${name}". Every additional permission must have a unique name`);
|
|
@@ -1062,8 +1078,8 @@ const validateAdditionalOAuthScopes = config => {
|
|
|
1062
1078
|
});
|
|
1063
1079
|
};
|
|
1064
1080
|
|
|
1065
|
-
function ownKeys$1(e, r) { var t = _Object$keys__default
|
|
1066
|
-
function _objectSpread$1(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default
|
|
1081
|
+
function ownKeys$1(e, r) { var t = _Object$keys__default.default(e); if (_Object$getOwnPropertySymbols__default.default) { var o = _Object$getOwnPropertySymbols__default.default(e); r && (o = _filterInstanceProperty__default.default(o).call(o, function (r) { return _Object$getOwnPropertyDescriptor__default.default(e, r).enumerable; })), t.push.apply(t, o); } return t; }
|
|
1082
|
+
function _objectSpread$1(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default.default(_context6 = ownKeys$1(Object(t), true)).call(_context6, function (r) { _defineProperty(e, r, t[r]); }) : _Object$getOwnPropertyDescriptors__default.default ? _Object$defineProperties__default.default(e, _Object$getOwnPropertyDescriptors__default.default(t)) : _forEachInstanceProperty__default.default(_context7 = ownKeys$1(Object(t))).call(_context7, function (r) { _Object$defineProperty__default.default(e, r, _Object$getOwnPropertyDescriptor__default.default(t, r)); }); } return e; }
|
|
1067
1083
|
|
|
1068
1084
|
// The `uriPath` of each submenu link is supposed to be defined relative
|
|
1069
1085
|
// to the `entryPointUriPath`. Computing the full path is done internally to keep
|
|
@@ -1075,13 +1091,13 @@ const computeUriPath = (uriPath, entryPointUriPath) => {
|
|
|
1075
1091
|
if (uriPath === '/') return entryPointUriPath;
|
|
1076
1092
|
// In case the `uriPath` is already configured including the `entryPointUriPath`,
|
|
1077
1093
|
// we return the `uriPath` as-is.
|
|
1078
|
-
if (_startsWithInstanceProperty__default
|
|
1094
|
+
if (_startsWithInstanceProperty__default.default(uriPath).call(uriPath, `${entryPointUriPath}/`)) return uriPath;
|
|
1079
1095
|
// Return the full path including the `entryPointUriPath` as a prefix.
|
|
1080
1096
|
return `${entryPointUriPath}/${uriPath}`;
|
|
1081
1097
|
};
|
|
1082
1098
|
const getPermissions = appConfig => {
|
|
1083
1099
|
var _context, _context2, _context3, _context4;
|
|
1084
|
-
const additionalResourceAccessKeyToOauthScopeMap = _reduceInstanceProperty__default
|
|
1100
|
+
const additionalResourceAccessKeyToOauthScopeMap = _reduceInstanceProperty__default.default(_context = appConfig.additionalOAuthScopes || []).call(_context, (previousOauthScope, _ref) => {
|
|
1085
1101
|
let name = _ref.name,
|
|
1086
1102
|
view = _ref.view,
|
|
1087
1103
|
manage = _ref.manage;
|
|
@@ -1091,7 +1107,7 @@ const getPermissions = appConfig => {
|
|
|
1091
1107
|
[`manage${formattedResourceKey}`]: manage
|
|
1092
1108
|
});
|
|
1093
1109
|
}, {});
|
|
1094
|
-
const additionalPermissionNames = ((_context2 = appConfig.additionalOAuthScopes) == null ? void 0 : _bindInstanceProperty__default
|
|
1110
|
+
const additionalPermissionNames = ((_context2 = appConfig.additionalOAuthScopes) == null ? void 0 : _bindInstanceProperty__default.default(_context3 = Function.call).call(_context3, _mapInstanceProperty__default.default(_context2), _context2))?.(_ref2 => {
|
|
1095
1111
|
let name = _ref2.name;
|
|
1096
1112
|
return name;
|
|
1097
1113
|
}) || [];
|
|
@@ -1100,7 +1116,7 @@ const getPermissions = appConfig => {
|
|
|
1100
1116
|
// configuration is for a custom view. In this case we use the
|
|
1101
1117
|
// default entry point uri path.
|
|
1102
1118
|
constants.CUSTOM_VIEW_HOST_ENTRY_POINT_URI_PATH, additionalPermissionNames);
|
|
1103
|
-
const additionalPermissions = _mapInstanceProperty__default
|
|
1119
|
+
const additionalPermissions = _mapInstanceProperty__default.default(_context4 = _Object$keys__default.default(additionalResourceAccessKeyToOauthScopeMap)).call(_context4, additionalResourceAccessKey => ({
|
|
1104
1120
|
name: permissionKeys[additionalResourceAccessKey],
|
|
1105
1121
|
oAuthScopes: additionalResourceAccessKeyToOauthScopeMap[additionalResourceAccessKey]
|
|
1106
1122
|
}));
|
|
@@ -1126,7 +1142,7 @@ function transformCustomApplicationConfigToData(appConfig) {
|
|
|
1126
1142
|
permissions: getPermissions(appConfig),
|
|
1127
1143
|
icon: appConfig.icon,
|
|
1128
1144
|
mainMenuLink: appConfig.mainMenuLink,
|
|
1129
|
-
submenuLinks: _mapInstanceProperty__default
|
|
1145
|
+
submenuLinks: _mapInstanceProperty__default.default(_context5 = appConfig.submenuLinks).call(_context5, submenuLink => _objectSpread$1(_objectSpread$1({}, submenuLink), {}, {
|
|
1130
1146
|
uriPath: computeUriPath(submenuLink.uriPath, appConfig.entryPointUriPath)
|
|
1131
1147
|
}))
|
|
1132
1148
|
};
|
|
@@ -1172,13 +1188,13 @@ const mapCloudIdentifierToApiUrl = key => {
|
|
|
1172
1188
|
default:
|
|
1173
1189
|
// We would probably never get to this point, as the JSON schema validation
|
|
1174
1190
|
// kicks in before.
|
|
1175
|
-
throw new Error(`Unknown cloud identifier "${key}". Supported values: ${_Object$values__default
|
|
1191
|
+
throw new Error(`Unknown cloud identifier "${key}". Supported values: ${_Object$values__default.default(CLOUD_IDENTIFIERS).toString()}`);
|
|
1176
1192
|
}
|
|
1177
1193
|
};
|
|
1178
1194
|
const getUniqueValues = function () {
|
|
1179
1195
|
let initialValues = arguments.length > 0 && arguments[0] !== undefined ? arguments[0] : [];
|
|
1180
1196
|
let additionalValues = arguments.length > 1 && arguments[1] !== undefined ? arguments[1] : [];
|
|
1181
|
-
return uniq__default
|
|
1197
|
+
return uniq__default.default([...initialValues, ...additionalValues]);
|
|
1182
1198
|
};
|
|
1183
1199
|
const nonProductionEnvironment = ['development', 'test'];
|
|
1184
1200
|
const getIsProd = env =>
|
|
@@ -1186,7 +1202,7 @@ const getIsProd = env =>
|
|
|
1186
1202
|
// a production environment unless it's one of `development` or `test`.
|
|
1187
1203
|
// This allows to use for example the `staging` value, which from the
|
|
1188
1204
|
// application perspective is still considered a production environment.
|
|
1189
|
-
env.MC_APP_ENV ? !_includesInstanceProperty__default
|
|
1205
|
+
env.MC_APP_ENV ? !_includesInstanceProperty__default.default(nonProductionEnvironment).call(nonProductionEnvironment, env.MC_APP_ENV) : env.NODE_ENV === 'production';
|
|
1190
1206
|
const getOrThrow = (fn, errorMessage) => {
|
|
1191
1207
|
try {
|
|
1192
1208
|
return fn();
|
|
@@ -1195,13 +1211,13 @@ const getOrThrow = (fn, errorMessage) => {
|
|
|
1195
1211
|
}
|
|
1196
1212
|
};
|
|
1197
1213
|
|
|
1198
|
-
function ownKeys(e, r) { var t = _Object$keys__default
|
|
1199
|
-
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context2, _context3; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default
|
|
1214
|
+
function ownKeys(e, r) { var t = _Object$keys__default.default(e); if (_Object$getOwnPropertySymbols__default.default) { var o = _Object$getOwnPropertySymbols__default.default(e); r && (o = _filterInstanceProperty__default.default(o).call(o, function (r) { return _Object$getOwnPropertyDescriptor__default.default(e, r).enumerable; })), t.push.apply(t, o); } return t; }
|
|
1215
|
+
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context2, _context3; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default.default(_context2 = ownKeys(Object(t), true)).call(_context2, function (r) { _defineProperty(e, r, t[r]); }) : _Object$getOwnPropertyDescriptors__default.default ? _Object$defineProperties__default.default(e, _Object$getOwnPropertyDescriptors__default.default(t)) : _forEachInstanceProperty__default.default(_context3 = ownKeys(Object(t))).call(_context3, function (r) { _Object$defineProperty__default.default(e, r, _Object$getOwnPropertyDescriptor__default.default(t, r)); }); } return e; }
|
|
1200
1216
|
// TODO: make it configurable.
|
|
1201
1217
|
const developmentPort = 3001;
|
|
1202
1218
|
const developmentAppUrl = `http://localhost:${developmentPort}`;
|
|
1203
1219
|
const getLoadedConfigurationType = configFileName => {
|
|
1204
|
-
if (_includesInstanceProperty__default
|
|
1220
|
+
if (_includesInstanceProperty__default.default(configFileName).call(configFileName, 'custom-view-config')) {
|
|
1205
1221
|
return LOADED_CONFIG_TYPES.CUSTOM_VIEW;
|
|
1206
1222
|
}
|
|
1207
1223
|
return LOADED_CONFIG_TYPES.CUSTOM_APPLICATION;
|
|
@@ -1223,7 +1239,7 @@ const getRuntimeEnvironmentConfigForDevelopment = _ref => {
|
|
|
1223
1239
|
if (isProd) {
|
|
1224
1240
|
return undefined;
|
|
1225
1241
|
}
|
|
1226
|
-
const oidcConfig = omitEmpty__default
|
|
1242
|
+
const oidcConfig = omitEmpty__default.default(_objectSpread(_objectSpread({
|
|
1227
1243
|
authorizeUrl: [
|
|
1228
1244
|
// In case the MC API url points to localhost, we need to point
|
|
1229
1245
|
// to a local running dev login page to handle the workflow properly.
|
|
@@ -1244,7 +1260,7 @@ const getRuntimeEnvironmentConfigForDevelopment = _ref => {
|
|
|
1244
1260
|
if (isCustomViewData(configurationData)) {
|
|
1245
1261
|
const hostUriPath = appConfig.env.development.hostUriPath;
|
|
1246
1262
|
const defaultHostUriPath = oidcConfig.initialProjectKey ? `/${oidcConfig.initialProjectKey}/${entryPointUriPath}` : `/${entryPointUriPath}`;
|
|
1247
|
-
const hostUrl = new _URL__default
|
|
1263
|
+
const hostUrl = new _URL__default.default(hostUriPath || defaultHostUriPath, developmentAppUrl);
|
|
1248
1264
|
return omitDevConfigIfEmpty({
|
|
1249
1265
|
oidc: oidcConfig,
|
|
1250
1266
|
customViewConfig: configurationData,
|
|
@@ -1291,7 +1307,7 @@ const getRuntimeEnvironmentConfig = _ref2 => {
|
|
|
1291
1307
|
appConfig,
|
|
1292
1308
|
entryPointUriPath
|
|
1293
1309
|
});
|
|
1294
|
-
return _objectSpread(_objectSpread(_objectSpread({}, omitEmpty__default
|
|
1310
|
+
return _objectSpread(_objectSpread(_objectSpread({}, omitEmpty__default.default(additionalAppEnv)), {}, {
|
|
1295
1311
|
cdnUrl: cdnUrl.href,
|
|
1296
1312
|
env: appEnvKey,
|
|
1297
1313
|
frontendHost: appUrl.host,
|
|
@@ -1322,7 +1338,7 @@ const processConfig = async function () {
|
|
|
1322
1338
|
_ref3$processEnv = _ref3.processEnv,
|
|
1323
1339
|
processEnv = _ref3$processEnv === void 0 ? process.env : _ref3$processEnv,
|
|
1324
1340
|
_ref3$applicationPath = _ref3.applicationPath,
|
|
1325
|
-
applicationPath = _ref3$applicationPath === void 0 ? fs__default$1
|
|
1341
|
+
applicationPath = _ref3$applicationPath === void 0 ? fs__default$1.default.realpathSync(process.cwd()) : _ref3$applicationPath;
|
|
1326
1342
|
if (cachedConfig && !disableCache) return cachedConfig;
|
|
1327
1343
|
const _await$loadConfig = await loadConfig(applicationPath),
|
|
1328
1344
|
filepath = _await$loadConfig.filepath,
|
|
@@ -1342,12 +1358,12 @@ const processConfig = async function () {
|
|
|
1342
1358
|
// Parse all the supported URLs, which gets implicitly validated
|
|
1343
1359
|
|
|
1344
1360
|
const envAppUrl = isProd ? configurationData.url : developmentAppUrl;
|
|
1345
|
-
const appUrl = getOrThrow(() => new _URL__default
|
|
1361
|
+
const appUrl = getOrThrow(() => new _URL__default.default(envAppUrl), `Invalid application URL: "${envAppUrl}"`);
|
|
1346
1362
|
|
|
1347
1363
|
// Use `||` instead of `??` to include empty string values.
|
|
1348
1364
|
const envCdnUrl = isProd ? appConfig.env.production.cdnUrl || appUrl.href : developmentAppUrl;
|
|
1349
|
-
const cdnUrl = getOrThrow(() => new _URL__default
|
|
1350
|
-
const mcApiUrl = getOrThrow(() => new _URL__default
|
|
1365
|
+
const cdnUrl = getOrThrow(() => new _URL__default.default(envCdnUrl), `Invalid application CDN URL: "${envCdnUrl}"`);
|
|
1366
|
+
const mcApiUrl = getOrThrow(() => new _URL__default.default(
|
|
1351
1367
|
// Use `||` instead of `??` to include empty string values.
|
|
1352
1368
|
appConfig.mcApiUrl || mapCloudIdentifierToApiUrl(appConfig.cloudIdentifier)), `Invalid MC API URL: "${appConfig.mcApiUrl}"`);
|
|
1353
1369
|
cachedConfig = {
|
|
@@ -1371,7 +1387,7 @@ const processConfig = async function () {
|
|
|
1371
1387
|
// the CSP point of view, it will say only the file `app` can be used as a source, so
|
|
1372
1388
|
// any other file from that domain will be forbidden. Using the slash (ex: https://www.my-domain.com/app/)
|
|
1373
1389
|
// at the end it's like using a wildcard so anything 'below' `app` will be allowed.
|
|
1374
|
-
'connect-src': getUniqueValues(appConfig.headers?.csp?.['connect-src'], _concatInstanceProperty__default
|
|
1390
|
+
'connect-src': getUniqueValues(appConfig.headers?.csp?.['connect-src'], _concatInstanceProperty__default.default(_context = [mcApiUrl.origin]).call(_context, isProd ? [`${trimTrailingSlash(appUrl.href)}/`, `${trimTrailingSlash(cdnUrl.href)}/`] : [])),
|
|
1375
1391
|
'script-src': getUniqueValues(appConfig.headers?.csp?.['script-src'], isProd ? [`${trimTrailingSlash(appUrl.href)}/`, `${trimTrailingSlash(cdnUrl.href)}/`] : []),
|
|
1376
1392
|
'style-src': getUniqueValues(appConfig.headers?.csp?.['style-src'], isProd ? [`${trimTrailingSlash(appUrl.href)}/`, `${trimTrailingSlash(cdnUrl.href)}/`] : [])
|
|
1377
1393
|
})
|
|
@@ -1381,7 +1397,7 @@ const processConfig = async function () {
|
|
|
1381
1397
|
};
|
|
1382
1398
|
|
|
1383
1399
|
const jsdom = new jsdom$1.JSDOM('');
|
|
1384
|
-
const DOMPurify = createDOMPurify__default
|
|
1400
|
+
const DOMPurify = createDOMPurify__default.default(jsdom.window);
|
|
1385
1401
|
function sanitizeSvg(data) {
|
|
1386
1402
|
return DOMPurify.sanitize(data, {
|
|
1387
1403
|
USE_PROFILES: {
|
|
@@ -1393,11 +1409,11 @@ function sanitizeSvg(data) {
|
|
|
1393
1409
|
});
|
|
1394
1410
|
}
|
|
1395
1411
|
|
|
1396
|
-
Object.defineProperty(exports,
|
|
1412
|
+
Object.defineProperty(exports, "ENTRY_POINT_URI_PATH_REGEX", {
|
|
1397
1413
|
enumerable: true,
|
|
1398
1414
|
get: function () { return constants.ENTRY_POINT_URI_PATH_REGEX; }
|
|
1399
1415
|
});
|
|
1400
|
-
Object.defineProperty(exports,
|
|
1416
|
+
Object.defineProperty(exports, "PERMISSION_GROUP_NAME_REGEX", {
|
|
1401
1417
|
enumerable: true,
|
|
1402
1418
|
get: function () { return constants.PERMISSION_GROUP_NAME_REGEX; }
|
|
1403
1419
|
});
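Review bot: In the `@@ -267,56 +265,74 @@` hunk, `isModuleName` is decided only by whether the specifier starts with `.` or `/`, and the `..` guard normalises with `path.posix`. A specifier that starts with a backslash or uses backslash separators is therefore treated as a bare module name, is not normalised by the guard, and skips the workspace-root check before `readFileSync`. On Windows this looks like it leaves such values without any containment check; that is inferred from the hunk, not tested. I would add `!path.isAbsolute(filePathOrModule)` to the `isModuleName` test and run the guard on `path.posix.normalize(filePathOrModule.replace(/\\/g, '/'))`, and soften the comment's claim that `..` segments are "the only way" to leave module directories. The enclosing `substituteFilePathVariablePlaceholder` begins above the hunk, and the same logic is repeated in the `@@ -231,41 +231,59 @@` hunk of the ESM build.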
|
|
@@ -34,7 +34,7 @@ import _JSON$stringify from '@babel/runtime-corejs3/core-js-stable/json/stringif
|
|
|
34
34
|
import path$1 from 'path';
|
|
35
35
|
import _reduceInstanceProperty from '@babel/runtime-corejs3/core-js-stable/instance/reduce';
|
|
36
36
|
import _bindInstanceProperty from '@babel/runtime-corejs3/core-js-stable/instance/bind';
|
|
37
|
-
import { f as formatEntryPointUriPathToResourceAccessKey,
|
|
37
|
+
import { f as formatEntryPointUriPathToResourceAccessKey, b as entryPointUriPathToResourceAccesses } from './formatters-CR1HIN8T.esm.js';
|
|
38
38
|
import _Set from '@babel/runtime-corejs3/core-js-stable/set';
|
|
39
39
|
import _Array$isArray from '@babel/runtime-corejs3/core-js-stable/array/is-array';
|
|
40
40
|
import Ajv from 'ajv';
|
|
@@ -231,41 +231,59 @@ const substituteFilePathVariablePlaceholder = (valueOfPlaceholder, matchedString
|
|
|
231
231
|
const _valueOfPlaceholder$s5 = valueOfPlaceholder.split(':'),
|
|
232
232
|
_valueOfPlaceholder$s6 = _slicedToArray(_valueOfPlaceholder$s5, 2),
|
|
233
233
|
filePathOrModule = _valueOfPlaceholder$s6[1];
|
|
234
|
+
|
|
235
|
+
// Security check: Prevent path traversal attacks.
|
|
236
|
+
// Two strategies depending on whether the specifier is a bare module name
|
|
237
|
+
// (e.g. "@scope/pkg/file.svg") or a relative/absolute path (e.g. "./app.svg").
|
|
238
|
+
const isModuleName = !_startsWithInstanceProperty(filePathOrModule).call(filePathOrModule, '.') && !_startsWithInstanceProperty(filePathOrModule).call(filePathOrModule, '/');
|
|
239
|
+
if (isModuleName) {
|
|
240
|
+
// Bare module specifiers are resolved by require.resolve through
|
|
241
|
+
// node_modules, linked packages, or Yarn PnP — all legitimate locations
|
|
242
|
+
// that may be outside the workspace root (e.g. hoisted deps in CI).
|
|
243
|
+
// We skip the workspace root check for these, but we must block ".."
|
|
244
|
+
// segments in the specifier itself — those are the only way to make
|
|
245
|
+
// require.resolve escape module directories and reach arbitrary files
|
|
246
|
+
// (e.g. "some-pkg/../../../../etc/passwd" resolves through node_modules
|
|
247
|
+
// to /etc/passwd).
|
|
248
|
+
const normalizedSpecifier = path$1.posix.normalize(filePathOrModule);
|
|
249
|
+
if (_startsWithInstanceProperty(normalizedSpecifier).call(normalizedSpecifier, '..')) {
|
|
250
|
+
throw new Error(`Path traversal in module specifiers is not allowed: ${filePathOrModule}`);
|
|
251
|
+
}
|
|
252
|
+
}
|
|
234
253
|
const resolvedPath = require.resolve(filePathOrModule, {
|
|
235
254
|
paths: [loadingOptions.applicationPath]
|
|
236
255
|
});
|
|
237
|
-
|
|
238
|
-
// Security check: Prevent path traversal attacks.
|
|
239
|
-
// require.resolve() already provides protection by only resolving modules
|
|
240
|
-
// accessible from the applicationPath. However, we add an extra layer to
|
|
241
|
-
// prevent access to sensitive system files outside the workspace.
|
|
242
256
|
const normalizedPath = path$1.normalize(resolvedPath);
|
|
243
|
-
|
|
257
|
+
if (!isModuleName) {
|
|
258
|
+
// For relative/absolute paths, verify the resolved path is within the
|
|
259
|
+
// workspace root. require.resolve() already provides some protection by
|
|
260
|
+
// only resolving from applicationPath, but we add an extra layer to
|
|
261
|
+
// prevent access to sensitive system files outside the workspace.
|
|
262
|
+
const applicationPath = path$1.normalize(loadingOptions.applicationPath);
|
|
244
263
|
|
|
245
|
-
|
|
246
|
-
|
|
247
|
-
|
|
248
|
-
|
|
249
|
-
|
|
250
|
-
|
|
251
|
-
|
|
252
|
-
|
|
253
|
-
|
|
254
|
-
|
|
255
|
-
|
|
256
|
-
|
|
257
|
-
|
|
264
|
+
// Find workspace root by traversing up from applicationPath until we find
|
|
265
|
+
// package.json, pnpm-workspace.yaml, or reach root
|
|
266
|
+
let workspaceRoot = applicationPath;
|
|
267
|
+
let currentPath = applicationPath;
|
|
268
|
+
const rootPath = path$1.parse(currentPath).root;
|
|
269
|
+
while (currentPath !== rootPath) {
|
|
270
|
+
const hasPackageJson = fs$1.existsSync(path$1.join(currentPath, 'package.json'));
|
|
271
|
+
const hasWorkspaceConfig = fs$1.existsSync(path$1.join(currentPath, 'pnpm-workspace.yaml')) || fs$1.existsSync(path$1.join(currentPath, 'lerna.json'));
|
|
272
|
+
if (hasPackageJson) {
|
|
273
|
+
workspaceRoot = currentPath;
|
|
274
|
+
if (hasWorkspaceConfig) {
|
|
275
|
+
// Found workspace root
|
|
276
|
+
break;
|
|
277
|
+
}
|
|
258
278
|
}
|
|
279
|
+
currentPath = path$1.dirname(currentPath);
|
|
280
|
+
}
|
|
281
|
+
const relativePath = path$1.relative(workspaceRoot, normalizedPath);
|
|
282
|
+
// Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
|
|
283
|
+
const isSafePath = !_startsWithInstanceProperty(relativePath).call(relativePath, '..') && !path$1.isAbsolute(relativePath);
|
|
284
|
+
if (!isSafePath) {
|
|
285
|
+
throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
|
|
259
286
|
}
|
|
260
|
-
currentPath = path$1.dirname(currentPath);
|
|
261
|
-
}
|
|
262
|
-
const relativePath = path$1.relative(workspaceRoot, normalizedPath);
|
|
263
|
-
|
|
264
|
-
// Path is safe if it's within the workspace root.
|
|
265
|
-
// Use path.relative() to avoid string prefix vulnerabilities (e.g., "/app" vs "/app-evil")
|
|
266
|
-
const isSafePath = !_startsWithInstanceProperty(relativePath).call(relativePath, '..') && !path$1.isAbsolute(relativePath);
|
|
267
|
-
if (!isSafePath) {
|
|
268
|
-
throw new Error(`Access to files outside workspace directory is not allowed: ${filePathOrModule}`);
|
|
269
287
|
}
|
|
270
288
|
const content = fs$1.readFileSync(normalizedPath, {
|
|
271
289
|
encoding: 'utf-8'
|
|
@@ -1027,7 +1045,7 @@ const validateAdditionalOAuthScopes = config => {
|
|
|
1027
1045
|
};
|
|
1028
1046
|
|
|
1029
1047
|
function ownKeys$1(e, r) { var t = _Object$keys(e); if (_Object$getOwnPropertySymbols) { var o = _Object$getOwnPropertySymbols(e); r && (o = _filterInstanceProperty(o).call(o, function (r) { return _Object$getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
|
|
1030
|
-
function _objectSpread$1(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty(_context6 = ownKeys$1(Object(t),
|
|
1048
|
+
function _objectSpread$1(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty(_context6 = ownKeys$1(Object(t), true)).call(_context6, function (r) { _defineProperty(e, r, t[r]); }) : _Object$getOwnPropertyDescriptors ? _Object$defineProperties(e, _Object$getOwnPropertyDescriptors(t)) : _forEachInstanceProperty(_context7 = ownKeys$1(Object(t))).call(_context7, function (r) { _Object$defineProperty(e, r, _Object$getOwnPropertyDescriptor(t, r)); }); } return e; }
|
|
1031
1049
|
|
|
1032
1050
|
// The `uriPath` of each submenu link is supposed to be defined relative
|
|
1033
1051
|
// to the `entryPointUriPath`. Computing the full path is done internally to keep
|
|
@@ -1160,7 +1178,7 @@ const getOrThrow = (fn, errorMessage) => {
|
|
|
1160
1178
|
};
|
|
1161
1179
|
|
|
1162
1180
|
function ownKeys(e, r) { var t = _Object$keys(e); if (_Object$getOwnPropertySymbols) { var o = _Object$getOwnPropertySymbols(e); r && (o = _filterInstanceProperty(o).call(o, function (r) { return _Object$getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
|
|
1163
|
-
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context2, _context3; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty(_context2 = ownKeys(Object(t),
|
|
1181
|
+
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context2, _context3; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty(_context2 = ownKeys(Object(t), true)).call(_context2, function (r) { _defineProperty(e, r, t[r]); }) : _Object$getOwnPropertyDescriptors ? _Object$defineProperties(e, _Object$getOwnPropertyDescriptors(t)) : _forEachInstanceProperty(_context3 = ownKeys(Object(t))).call(_context3, function (r) { _Object$defineProperty(e, r, _Object$getOwnPropertyDescriptor(t, r)); }); } return e; }
|
|
1164
1182
|
// TODO: make it configurable.
|
|
1165
1183
|
const developmentPort = 3001;
|
|
1166
1184
|
const developmentAppUrl = `http://localhost:${developmentPort}`;
|
|
@@ -15,7 +15,7 @@ import upperFirst from 'lodash/upperFirst';
|
|
|
15
15
|
import { CUSTOM_VIEW_HOST_ENTRY_POINT_URI_PATH } from '@commercetools-frontend/constants';
|
|
16
16
|
|
|
17
17
|
function ownKeys(e, r) { var t = _Object$keys(e); if (_Object$getOwnPropertySymbols) { var o = _Object$getOwnPropertySymbols(e); r && (o = _filterInstanceProperty(o).call(o, function (r) { return _Object$getOwnPropertyDescriptor(e, r).enumerable; })), t.push.apply(t, o); } return t; }
|
|
18
|
-
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty(_context6 = ownKeys(Object(t),
|
|
18
|
+
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty(_context6 = ownKeys(Object(t), true)).call(_context6, function (r) { _defineProperty(e, r, t[r]); }) : _Object$getOwnPropertyDescriptors ? _Object$defineProperties(e, _Object$getOwnPropertyDescriptors(t)) : _forEachInstanceProperty(_context7 = ownKeys(Object(t))).call(_context7, function (r) { _Object$defineProperty(e, r, _Object$getOwnPropertyDescriptor(t, r)); }); } return e; }
|
|
19
19
|
/**
|
|
20
20
|
* The function formats the `entryPointUriPath` to a resource access key.
|
|
21
21
|
* It makes the first character of the string and the next character after a special character an uppercase.
|
|
@@ -98,4 +98,4 @@ function entryPointUriPathToPermissionKeys(entryPointUriPath, permissionGroupNam
|
|
|
98
98
|
}, {});
|
|
99
99
|
}
|
|
100
100
|
|
|
101
|
-
export {
|
|
101
|
+
export { computeCustomViewResourceAccesses as a, entryPointUriPathToResourceAccesses as b, computeCustomViewPermissionsKeys as c, formatPermissionGroupNameToResourceAccessKey as d, entryPointUriPathToPermissionKeys as e, formatEntryPointUriPathToResourceAccessKey as f };
|
|
@@ -16,7 +16,7 @@ var _Object$entries = require('@babel/runtime-corejs3/core-js-stable/object/entr
|
|
|
16
16
|
var upperFirst = require('lodash/upperFirst');
|
|
17
17
|
var constants = require('@commercetools-frontend/constants');
|
|
18
18
|
|
|
19
|
-
function _interopDefault (e) { return e && e.__esModule ? e : {
|
|
19
|
+
function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
|
|
20
20
|
|
|
21
21
|
var _Object$keys__default = /*#__PURE__*/_interopDefault(_Object$keys);
|
|
22
22
|
var _Object$getOwnPropertySymbols__default = /*#__PURE__*/_interopDefault(_Object$getOwnPropertySymbols);
|
|
@@ -31,8 +31,8 @@ var _reduceInstanceProperty__default = /*#__PURE__*/_interopDefault(_reduceInsta
|
|
|
31
31
|
var _Object$entries__default = /*#__PURE__*/_interopDefault(_Object$entries);
|
|
32
32
|
var upperFirst__default = /*#__PURE__*/_interopDefault(upperFirst);
|
|
33
33
|
|
|
34
|
-
function ownKeys(e, r) { var t = _Object$keys__default
|
|
35
|
-
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default
|
|
34
|
+
function ownKeys(e, r) { var t = _Object$keys__default.default(e); if (_Object$getOwnPropertySymbols__default.default) { var o = _Object$getOwnPropertySymbols__default.default(e); r && (o = _filterInstanceProperty__default.default(o).call(o, function (r) { return _Object$getOwnPropertyDescriptor__default.default(e, r).enumerable; })), t.push.apply(t, o); } return t; }
|
|
35
|
+
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default.default(_context6 = ownKeys(Object(t), true)).call(_context6, function (r) { _defineProperty(e, r, t[r]); }) : _Object$getOwnPropertyDescriptors__default.default ? _Object$defineProperties__default.default(e, _Object$getOwnPropertyDescriptors__default.default(t)) : _forEachInstanceProperty__default.default(_context7 = ownKeys(Object(t))).call(_context7, function (r) { _Object$defineProperty__default.default(e, r, _Object$getOwnPropertyDescriptor__default.default(t, r)); }); } return e; }
|
|
36
36
|
/**
|
|
37
37
|
* The function formats the `entryPointUriPath` to a resource access key.
|
|
38
38
|
* It makes the first character of the string and the next character after a special character an uppercase.
|
|
@@ -47,11 +47,11 @@ function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _co
|
|
|
47
47
|
*/
|
|
48
48
|
const formatEntryPointUriPathToResourceAccessKey = entryPointUriPath => {
|
|
49
49
|
var _context, _context2;
|
|
50
|
-
return _mapInstanceProperty__default
|
|
50
|
+
return _mapInstanceProperty__default.default(_context = _mapInstanceProperty__default.default(_context2 = entryPointUriPath
|
|
51
51
|
// Splits the string by underscore.
|
|
52
52
|
.split('_')
|
|
53
53
|
// Uppercase the first character of each word split.
|
|
54
|
-
).call(_context2, upperFirst__default
|
|
54
|
+
).call(_context2, upperFirst__default.default)
|
|
55
55
|
// Join the words by an underscore.
|
|
56
56
|
.join('_')
|
|
57
57
|
// Each word is split by a hyphen.
|
|
@@ -62,7 +62,7 @@ const formatEntryPointUriPathToResourceAccessKey = entryPointUriPath => {
|
|
|
62
62
|
if (i > 0 && /^\d+$/.test(word[0])) {
|
|
63
63
|
return `/${word}`;
|
|
64
64
|
}
|
|
65
|
-
return upperFirst__default
|
|
65
|
+
return upperFirst__default.default(word);
|
|
66
66
|
}).join('');
|
|
67
67
|
};
|
|
68
68
|
|
|
@@ -76,9 +76,9 @@ const formatEntryPointUriPathToResourceAccessKey = entryPointUriPath => {
|
|
|
76
76
|
*/
|
|
77
77
|
const formatPermissionGroupNameToResourceAccessKey = permissionGroupName => {
|
|
78
78
|
var _context3;
|
|
79
|
-
return _mapInstanceProperty__default
|
|
79
|
+
return _mapInstanceProperty__default.default(_context3 = permissionGroupName
|
|
80
80
|
// Each word is split by a hyphen.
|
|
81
|
-
.split('-')).call(_context3, upperFirst__default
|
|
81
|
+
.split('-')).call(_context3, upperFirst__default.default).join('');
|
|
82
82
|
};
|
|
83
83
|
function entryPointUriPathToResourceAccesses(entryPointUriPath, permissionGroupNames) {
|
|
84
84
|
var _context4;
|
|
@@ -87,7 +87,7 @@ function entryPointUriPathToResourceAccesses(entryPointUriPath, permissionGroupN
|
|
|
87
87
|
view: `view${resourceAccessKey}`,
|
|
88
88
|
manage: `manage${resourceAccessKey}`
|
|
89
89
|
};
|
|
90
|
-
const additionalResourceAccesses = _reduceInstanceProperty__default
|
|
90
|
+
const additionalResourceAccesses = _reduceInstanceProperty__default.default(_context4 = permissionGroupNames ?? []).call(_context4, (resourceAccesses, permissionGroupName) => {
|
|
91
91
|
const additionalResourceAccessKey = formatPermissionGroupNameToResourceAccessKey(permissionGroupName);
|
|
92
92
|
return _objectSpread(_objectSpread({}, resourceAccesses), {}, {
|
|
93
93
|
[`view${additionalResourceAccessKey}`]: `${defaultResourceAccesses.view}${additionalResourceAccessKey}`,
|
|
@@ -105,12 +105,12 @@ function computeCustomViewPermissionsKeys(permissionGroupNames) {
|
|
|
105
105
|
function entryPointUriPathToPermissionKeys(entryPointUriPath, permissionGroupNames) {
|
|
106
106
|
var _context5;
|
|
107
107
|
const resourceAccesses = entryPointUriPathToResourceAccesses(entryPointUriPath, permissionGroupNames ?? []);
|
|
108
|
-
return _reduceInstanceProperty__default
|
|
108
|
+
return _reduceInstanceProperty__default.default(_context5 = _Object$entries__default.default(resourceAccesses)).call(_context5, (permissionKeys, _ref) => {
|
|
109
109
|
let _ref2 = _slicedToArray(_ref, 2),
|
|
110
110
|
resourceAccessKey = _ref2[0],
|
|
111
111
|
resourceAccessValue = _ref2[1];
|
|
112
112
|
return _objectSpread(_objectSpread({}, permissionKeys), {}, {
|
|
113
|
-
[upperFirst__default
|
|
113
|
+
[upperFirst__default.default(resourceAccessKey)]: upperFirst__default.default(resourceAccessValue)
|
|
114
114
|
});
|
|
115
115
|
}, {});
|
|
116
116
|
}
|
|
@@ -16,7 +16,7 @@ var _Object$entries = require('@babel/runtime-corejs3/core-js-stable/object/entr
|
|
|
16
16
|
var upperFirst = require('lodash/upperFirst');
|
|
17
17
|
var constants = require('@commercetools-frontend/constants');
|
|
18
18
|
|
|
19
|
-
function _interopDefault (e) { return e && e.__esModule ? e : {
|
|
19
|
+
function _interopDefault (e) { return e && e.__esModule ? e : { default: e }; }
|
|
20
20
|
|
|
21
21
|
var _Object$keys__default = /*#__PURE__*/_interopDefault(_Object$keys);
|
|
22
22
|
var _Object$getOwnPropertySymbols__default = /*#__PURE__*/_interopDefault(_Object$getOwnPropertySymbols);
|
|
@@ -31,8 +31,8 @@ var _reduceInstanceProperty__default = /*#__PURE__*/_interopDefault(_reduceInsta
|
|
|
31
31
|
var _Object$entries__default = /*#__PURE__*/_interopDefault(_Object$entries);
|
|
32
32
|
var upperFirst__default = /*#__PURE__*/_interopDefault(upperFirst);
|
|
33
33
|
|
|
34
|
-
function ownKeys(e, r) { var t = _Object$keys__default
|
|
35
|
-
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default
|
|
34
|
+
function ownKeys(e, r) { var t = _Object$keys__default.default(e); if (_Object$getOwnPropertySymbols__default.default) { var o = _Object$getOwnPropertySymbols__default.default(e); r && (o = _filterInstanceProperty__default.default(o).call(o, function (r) { return _Object$getOwnPropertyDescriptor__default.default(e, r).enumerable; })), t.push.apply(t, o); } return t; }
|
|
35
|
+
function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _context6, _context7; var t = null != arguments[r] ? arguments[r] : {}; r % 2 ? _forEachInstanceProperty__default.default(_context6 = ownKeys(Object(t), true)).call(_context6, function (r) { _defineProperty(e, r, t[r]); }) : _Object$getOwnPropertyDescriptors__default.default ? _Object$defineProperties__default.default(e, _Object$getOwnPropertyDescriptors__default.default(t)) : _forEachInstanceProperty__default.default(_context7 = ownKeys(Object(t))).call(_context7, function (r) { _Object$defineProperty__default.default(e, r, _Object$getOwnPropertyDescriptor__default.default(t, r)); }); } return e; }
|
|
36
36
|
/**
|
|
37
37
|
* The function formats the `entryPointUriPath` to a resource access key.
|
|
38
38
|
* It makes the first character of the string and the next character after a special character an uppercase.
|
|
@@ -47,11 +47,11 @@ function _objectSpread(e) { for (var r = 1; r < arguments.length; r++) { var _co
|
|
|
47
47
|
*/
|
|
48
48
|
const formatEntryPointUriPathToResourceAccessKey = entryPointUriPath => {
|
|
49
49
|
var _context, _context2;
|
|
50
|
-
return _mapInstanceProperty__default
|
|
50
|
+
return _mapInstanceProperty__default.default(_context = _mapInstanceProperty__default.default(_context2 = entryPointUriPath
|
|
51
51
|
// Splits the string by underscore.
|
|
52
52
|
.split('_')
|
|
53
53
|
// Uppercase the first character of each word split.
|
|
54
|
-
).call(_context2, upperFirst__default
|
|
54
|
+
).call(_context2, upperFirst__default.default)
|
|
55
55
|
// Join the words by an underscore.
|
|
56
56
|
.join('_')
|
|
57
57
|
// Each word is split by a hyphen.
|
|
@@ -62,7 +62,7 @@ const formatEntryPointUriPathToResourceAccessKey = entryPointUriPath => {
|
|
|
62
62
|
if (i > 0 && /^\d+$/.test(word[0])) {
|
|
63
63
|
return `/${word}`;
|
|
64
64
|
}
|
|
65
|
-
return upperFirst__default
|
|
65
|
+
return upperFirst__default.default(word);
|
|
66
66
|
}).join('');
|
|
67
67
|
};
|
|
68
68
|
|
|
@@ -76,9 +76,9 @@ const formatEntryPointUriPathToResourceAccessKey = entryPointUriPath => {
|
|
|
76
76
|
*/
|
|
77
77
|
const formatPermissionGroupNameToResourceAccessKey = permissionGroupName => {
|
|
78
78
|
var _context3;
|
|
79
|
-
return _mapInstanceProperty__default
|
|
79
|
+
return _mapInstanceProperty__default.default(_context3 = permissionGroupName
|
|
80
80
|
// Each word is split by a hyphen.
|
|
81
|
-
.split('-')).call(_context3, upperFirst__default
|
|
81
|
+
.split('-')).call(_context3, upperFirst__default.default).join('');
|
|
82
82
|
};
|
|
83
83
|
function entryPointUriPathToResourceAccesses(entryPointUriPath, permissionGroupNames) {
|
|
84
84
|
var _context4;
|
|
@@ -87,7 +87,7 @@ function entryPointUriPathToResourceAccesses(entryPointUriPath, permissionGroupN
|
|
|
87
87
|
view: `view${resourceAccessKey}`,
|
|
88
88
|
manage: `manage${resourceAccessKey}`
|
|
89
89
|
};
|
|
90
|
-
const additionalResourceAccesses = _reduceInstanceProperty__default
|
|
90
|
+
const additionalResourceAccesses = _reduceInstanceProperty__default.default(_context4 = permissionGroupNames ?? []).call(_context4, (resourceAccesses, permissionGroupName) => {
|
|
91
91
|
const additionalResourceAccessKey = formatPermissionGroupNameToResourceAccessKey(permissionGroupName);
|
|
92
92
|
return _objectSpread(_objectSpread({}, resourceAccesses), {}, {
|
|
93
93
|
[`view${additionalResourceAccessKey}`]: `${defaultResourceAccesses.view}${additionalResourceAccessKey}`,
|
|
@@ -105,12 +105,12 @@ function computeCustomViewPermissionsKeys(permissionGroupNames) {
|
|
|
105
105
|
function entryPointUriPathToPermissionKeys(entryPointUriPath, permissionGroupNames) {
|
|
106
106
|
var _context5;
|
|
107
107
|
const resourceAccesses = entryPointUriPathToResourceAccesses(entryPointUriPath, permissionGroupNames ?? []);
|
|
108
|
-
return _reduceInstanceProperty__default
|
|
108
|
+
return _reduceInstanceProperty__default.default(_context5 = _Object$entries__default.default(resourceAccesses)).call(_context5, (permissionKeys, _ref) => {
|
|
109
109
|
let _ref2 = _slicedToArray(_ref, 2),
|
|
110
110
|
resourceAccessKey = _ref2[0],
|
|
111
111
|
resourceAccessValue = _ref2[1];
|
|
112
112
|
return _objectSpread(_objectSpread({}, permissionKeys), {}, {
|
|
113
|
-
[upperFirst__default
|
|
113
|
+
[upperFirst__default.default(resourceAccessKey)]: upperFirst__default.default(resourceAccessValue)
|
|
114
114
|
});
|
|
115
115
|
}, {});
|
|
116
116
|
}
|
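--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "@commercetools-frontend/application-config",
-"version": "27.5.
+"version": "27.5.3",
 "description": "Configuration utilities for building Custom Applications",
 "bugs": "https://github.com/commercetools/merchant-center-application-kit/issues",
 "repository": {
@@ -45,7 +45,7 @@
 "@babel/register": "^7.22.15",
 "@babel/runtime": "^7.22.15",
 "@babel/runtime-corejs3": "^7.22.15",
-"@commercetools-frontend/constants": "27.5.
+"@commercetools-frontend/constants": "27.5.3",
 "@types/lodash": "^4.14.198",
 "@types/react": "^19.0.3",
 "ajv": "8.18.0",
@@ -60,7 +60,7 @@
 "devDependencies": {
 "@types/jsdom": "^21.1.2",
 "json-schema-to-typescript": "15.0.4",
-"@commercetools-frontend/assets": "27.5.
+"@commercetools-frontend/assets": "27.5.3"
 },
 "engines": {
 "node": "18.x || 20.x || >=22.0.0"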
@@ -1,8 +1,6 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
var formatters = require('../../dist/formatters-5a68b5ac.cjs.dev.js');
|
|
3
|
+
var formatters = require('../../dist/formatters-CWjiv2VA.cjs.dev.js');
|
|
6
4
|
require('@babel/runtime-corejs3/core-js-stable/object/keys');
|
|
7
5
|
require('@babel/runtime-corejs3/core-js-stable/object/get-own-property-symbols');
|
|
8
6
|
require('@babel/runtime-corejs3/core-js-stable/instance/filter');
|
|
@@ -1,8 +1,6 @@
|
|
|
1
1
|
'use strict';
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-
var formatters = require('../../dist/formatters-4515015b.cjs.prod.js');
|
|
3
|
+
var formatters = require('../../dist/formatters-CWjiv2VA.cjs.prod.js');
|
|
6
4
|
require('@babel/runtime-corejs3/core-js-stable/object/keys');
|
|
7
5
|
require('@babel/runtime-corejs3/core-js-stable/object/get-own-property-symbols');
|
|
8
6
|
require('@babel/runtime-corejs3/core-js-stable/instance/filter');
|
|
@@ -1,4 +1,4 @@
|
|
|
1
|
-
export {
|
|
1
|
+
export { c as computeCustomViewPermissionsKeys, a as computeCustomViewResourceAccesses, e as entryPointUriPathToPermissionKeys, b as entryPointUriPathToResourceAccesses, f as formatEntryPointUriPathToResourceAccessKey, d as formatPermissionGroupNameToResourceAccessKey } from '../../dist/formatters-CR1HIN8T.esm.js';
|
|
2
2
|
import '@babel/runtime-corejs3/core-js-stable/object/keys';
|
|
3
3
|
import '@babel/runtime-corejs3/core-js-stable/object/get-own-property-symbols';
|
|
4
4
|
import '@babel/runtime-corejs3/core-js-stable/instance/filter';
|