@contentful/app-scripts 2.5.10 → 2.5.11

package/lib/generate-function/clone.d.ts

@@ -9,6 +9,7 @@ export declare function resolvePaths(localPath: string): {
     localFunctionsPath: string;
 };
 export declare function cloneAndResolveManifests(cloneURL: string, localTmpPath: string, localPath: string, localFunctionsPath: string, keepPackageJson?: boolean): Promise<void>;
-export declare function clone(cloneURL: string, localFunctionsPath: string): Promise<any>;
+export declare function removeIgnoredFiles(localTmpPath: string, ignoredFiles: string[]): void;
+export declare function clone(cloneURL: string, localFunctionsPath: string): Promise<void>;
 export declare function mergeAppManifest(localPath: string, localTmpPath: string): Promise<void>;
 export declare function updatePackageJsonWithBuild(localPath: string, localTmpPath: string): Promise<void>;

package/lib/generate-function/clone.js

@@ -3,10 +3,10 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.updatePackageJsonWithBuild = exports.mergeAppManifest = exports.clone = exports.cloneAndResolveManifests = exports.resolvePaths = exports.renameClonedFiles = exports.moveFilesToFinalDirectory = exports.touchupAppManifest = exports.getCloneURL = exports.cloneFunction = void 0;
-// eslint-disable-next-line @typescript-eslint/no-var-requires
-const tiged = require('tiged');
+exports.updatePackageJsonWithBuild = exports.mergeAppManifest = exports.clone = exports.removeIgnoredFiles = exports.cloneAndResolveManifests = exports.resolvePaths = exports.renameClonedFiles = exports.moveFilesToFinalDirectory = exports.touchupAppManifest = exports.getCloneURL = exports.cloneFunction = void 0;
 const node_fs_1 = __importDefault(require("node:fs"));
+const node_child_process_1 = require("node:child_process");
+const node_os_1 = require("node:os");
 const chalk_1 = __importDefault(require("chalk"));
 const node_path_1 = require("node:path");
 const constants_1 = require("./constants");
@@ -88,13 +88,13 @@ function renameClonedFiles(localTmpPath, settings) {
 }
 exports.renameClonedFiles = renameClonedFiles;
 function resolvePaths(localPath) {
-    const localTmpPath = (0, node_path_1.resolve)(localPath, 'tmp'); // we require a tmp directory because tiged overwrites all files in the target directory
+    const localTmpPath = (0, node_path_1.resolve)(localPath, 'tmp');
     const localFunctionsPath = (0, node_path_1.resolve)(localPath, 'functions');
     return { localTmpPath, localFunctionsPath };
 }
 exports.resolvePaths = resolvePaths;
 async function cloneAndResolveManifests(cloneURL, localTmpPath, localPath, localFunctionsPath, keepPackageJson = false) {
-    const tigedInstance = await clone(cloneURL, localTmpPath);
+    await clone(cloneURL, localTmpPath);
     // merge the manifest from the template folder to the root folder
     await mergeAppManifest(localPath, localTmpPath);
     // create a deep copy of the IGNORED_CLONED_FILES array
@@ -110,18 +110,85 @@ async function cloneAndResolveManifests(cloneURL, localTmpPath, localPath, local
         ignoredFiles.push('tsconfig.json');
     }
     // remove the cloned files that we've already merged
-    await tigedInstance.remove("unused_param", localTmpPath, {
-        action: 'remove',
-        files: ignoredFiles.map((fileName) => `${localTmpPath}/${fileName}`),
-    });
+    removeIgnoredFiles(localTmpPath, ignoredFiles);
 }
 exports.cloneAndResolveManifests = cloneAndResolveManifests;
+function removeIgnoredFiles(localTmpPath, ignoredFiles) {
+    for (const fileName of ignoredFiles) {
+        const filePath = (0, node_path_1.resolve)(localTmpPath, fileName);
+        if (node_fs_1.default.existsSync(filePath)) {
+            node_fs_1.default.rmSync(filePath, { recursive: true, force: true });
+        }
+    }
+}
+exports.removeIgnoredFiles = removeIgnoredFiles;
+// Parse the trusted REPO_URL constant to extract canonical owner, repo, and base path
+// REPO_URL format: https://github.com/contentful/apps/function-examples
+const REPO_URL_MATCH = constants_1.REPO_URL.match(/^https:\/\/github\.com\/([^/]+)\/([^/]+)\/(.+)$/);
+if (!REPO_URL_MATCH) {
+    throw new Error('Invalid REPO_URL constant configuration');
+}
+const [, CANONICAL_OWNER, CANONICAL_REPO, CANONICAL_BASE_PATH] = REPO_URL_MATCH;
+const CANONICAL_REPO_URL = `https://github.com/${CANONICAL_OWNER}/${CANONICAL_REPO}.git`;
+// Strict validation regex for subfolder path segments (alphanumeric, dash, underscore only)
+const SAFE_PATH_SEGMENT_REGEX = /^[a-zA-Z0-9_-]+$/;
 async function clone(cloneURL, localFunctionsPath) {
-    const tigedInstance = tiged(cloneURL, { mode: 'tar', disableCache: true, force: true });
-    await tigedInstance.clone(localFunctionsPath);
-    return tigedInstance;
+    // Validate that cloneURL starts with the trusted REPO_URL
+    if (!cloneURL.startsWith(constants_1.REPO_URL)) {
+        throw new Error(`Invalid clone URL: must start with ${constants_1.REPO_URL}`);
+    }
+    // Extract only the user-supplied portion (example/language) after REPO_URL
+    const userSuppliedPath = cloneURL.slice(constants_1.REPO_URL.length);
+    // Remove leading slash if present and validate format
+    const trimmedPath = userSuppliedPath.startsWith('/') ? userSuppliedPath.slice(1) : userSuppliedPath;
+    if (!trimmedPath) {
+        throw new Error('Invalid clone URL: missing example/language path');
+    }
+    // Validate each path segment for safe characters only
+    const pathSegments = trimmedPath.split('/');
+    for (const segment of pathSegments) {
+        if (!segment || !SAFE_PATH_SEGMENT_REGEX.test(segment)) {
+            throw new Error(`Invalid clone URL: path segment "${segment}" contains unsafe characters`);
+        }
+    }
+    // Build the full subfolder path from the trusted base + validated user path
+    const subfolderPath = `${CANONICAL_BASE_PATH}/${trimmedPath}`;
+    const tempDir = (0, node_path_1.resolve)((0, node_os_1.tmpdir)(), `contentful-clone-${Date.now()}-${Math.random().toString(36).substring(2, 11)}`);
+    try {
+        // Clone using ONLY the canonical repo URL derived from trusted REPO_URL constant
+        // execFileSync with array args prevents shell injection
+        (0, node_child_process_1.execFileSync)('git', ['clone', '--depth', '1', CANONICAL_REPO_URL, tempDir], { stdio: 'ignore' });
+        // Create destination directory
+        if (!node_fs_1.default.existsSync(localFunctionsPath)) {
+            node_fs_1.default.mkdirSync(localFunctionsPath, { recursive: true });
+        }
+        // Copy the subfolder contents to destination
+        const sourcePath = (0, node_path_1.resolve)(tempDir, subfolderPath);
+        if (!node_fs_1.default.existsSync(sourcePath)) {
+            throw new Error(`Subfolder not found: ${subfolderPath}`);
+        }
+        // Copy files using native fs.cpSync (Node 16.7+, safe from injection)
+        copyDirectoryContents(sourcePath, localFunctionsPath);
+    }
+    finally {
+        // Clean up temp directory using native fs (Node 14.14+)
+        try {
+            node_fs_1.default.rmSync(tempDir, { recursive: true, force: true });
+        }
+        catch {
+            // Ignore cleanup errors - temp directory will be cleaned by OS eventually
+        }
+    }
 }
 exports.clone = clone;
+function copyDirectoryContents(sourcePath, destPath) {
+    const entries = node_fs_1.default.readdirSync(sourcePath, { withFileTypes: true });
+    for (const entry of entries) {
+        const srcFile = (0, node_path_1.resolve)(sourcePath, entry.name);
+        const destFile = (0, node_path_1.resolve)(destPath, entry.name);
+        node_fs_1.default.cpSync(srcFile, destFile, { recursive: true });
+    }
+}
 async function mergeAppManifest(localPath, localTmpPath) {
     const finalAppManifestType = await (0, file_1.exists)((0, node_path_1.resolve)(localPath, constants_1.CONTENTFUL_APP_MANIFEST));
     const tmpAppManifestType = await (0, file_1.whichExists)(localTmpPath, [constants_1.CONTENTFUL_APP_MANIFEST, constants_1.APP_MANIFEST]); // find the app manifest in the cloned files

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@contentful/app-scripts",
-  "version": "2.5.10",
+  "version": "2.5.11",
   "description": "A collection of scripts for building Contentful Apps",
   "author": "Contentful GmbH",
   "license": "MIT",
@@ -49,7 +49,7 @@
   "dependencies": {
     "@esbuild-plugins/node-globals-polyfill": "^0.2.3",
     "@esbuild-plugins/node-modules-polyfill": "^0.2.2",
-    "@segment/analytics-node": "^2.0.0",
+    "@segment/analytics-node": "^3.0.0",
     "adm-zip": "0.5.16",
     "axios": "^1.13.5",
     "bottleneck": "2.19.5",
@@ -57,19 +57,18 @@
     "commander": "12.1.0",
     "contentful-management": "^11.48.1",
     "dotenv": "17.3.1",
-    "esbuild": "^0.27.0",
+    "esbuild": "^0.27.4",
     "ignore": "7.0.5",
     "inquirer": "8.2.7",
-    "lodash": "4.17.23",
+    "lodash": "4.18.1",
     "merge-options": "^3.0.4",
     "open": "8.4.2",
     "ora": "5.4.1",
-    "tiged": "^2.12.7",
     "zod": "^3.24.1"
   },
   "gitHead": "4c3506be3f52c7a8aae17deaa75acefc9a805b42",
   "devDependencies": {
-    "@types/adm-zip": "0.5.7",
+    "@types/adm-zip": "0.5.8",
     "@types/analytics-node": "3.1.14",
     "@types/chai": "4.3.16",
     "@types/inquirer": "8.2.1",
@@ -82,7 +81,7 @@
     "mocha": "11.7.5",
     "proxyquire": "2.1.3",
     "rimraf": "6.1.3",
-    "sinon": "21.0.1",
+    "sinon": "21.0.3",
     "ts-mocha": "11.1.0",
     "ts-node": "10.9.2"
   }