@ditojs/server 2.86.0 → 2.88.0

package/package.json

@@ -1,9 +1,9 @@
 {
   "name": "@ditojs/server",
-  "version": "2.86.0",
+  "version": "2.88.0",
   "type": "module",
   "description": "Dito.js Server – Dito.js is a declarative and modern web framework, based on Objection.js, Koa.js and Vue.js",
-  "repository": "https://github.com/ditojs/dito/tree/master/packages/server",
+  "repository": "https://github.com/ditojs/dito/tree/main/packages/server",
   "author": "Jürg Lehni <juerg@scratchdisk.com> (http://scratchdisk.com)",
   "license": "MIT",
   "main": "./src/index.js",
@@ -25,10 +25,10 @@
     "node >= 18"
   ],
   "dependencies": {
-    "@ditojs/admin": "^2.86.0",
-    "@ditojs/build": "^2.86.0",
-    "@ditojs/router": "^2.86.0",
-    "@ditojs/utils": "^2.86.0",
+    "@ditojs/admin": "^2.87.0",
+    "@ditojs/build": "^2.87.0",
+    "@ditojs/router": "^2.87.0",
+    "@ditojs/utils": "^2.87.0",
     "@koa/cors": "^5.0.0",
     "@koa/etag": "^5.0.2",
     "@koa/multer": "^4.0.0",
@@ -84,10 +84,11 @@
     "@types/koa-session": "^6.4.5",
     "@types/koa-static": "^4.0.4",
     "@types/koa__cors": "^5.0.1",
+    "@types/koa__multer": "^2.0.8",
     "@types/node": "^25.4.0",
     "knex": "^3.1.0",
     "objection": "^3.1.5",
     "typescript": "^5.9.3"
   },
-  "gitHead": "92bc92fbb077de992fe1422adee414b8a9967c09"
+  "gitHead": "1d413e8528f8a40e3cc7950db62ebeb4d687ce67"
 }

package/src/app/Application.js

@@ -40,6 +40,7 @@ import { Service } from '../services/index.js'
 import { Storage } from '../storage/index.js'
 import { convertSchema } from '../schema/index.js'
 import { getDuration, subtractDuration } from '../utils/duration.js'
+import { resolveFileUrl } from '../utils/asset.js'
 import {
   ResponseError,
   ValidationError,
@@ -997,8 +998,7 @@ export class Application extends Koa {
                   }...`
                 )
                 if (url.startsWith('file://')) {
-                  const filepath = path.resolve(url.substring(7))
-                  data = await fs.readFile(filepath)
+                  data = await fs.readFile(new URL(resolveFileUrl(url)))
                 } else {
                   const response = await fetch(url)
                   const arrayBuffer = await response.arrayBuffer()
@@ -1007,6 +1007,9 @@ export class Application extends Koa {
                 }
               }
               const importedFile = await storage.addFile(file, data)
+              // Sign the imported foreign file so it passes verification when
+              // createAssets() triggers $parseJson() → convertAssetFile().
+              storage.signAssetFile(importedFile)
               await this.createAssets(storage, [importedFile], 0, transaction)
               importedFiles.push(importedFile)
               // Merge back the changed file properties into the actual file

package/src/controllers/Controller.js

@@ -534,8 +534,12 @@ export class Controller {
     } else if (isFunction(authorize)) {
       return async (ctx, member) => {
         const res = await authorize(ctx, member)
-        // Pass res through `processAuthorize()` to support strings & arrays.
-        return this.processAuthorize(res)(ctx, member)
+        // Deny access if the function forgot to return a value.
+        // Otherwise pass res through `processAuthorize()` to
+        // support strings & arrays.
+        return res === undefined
+          ? false
+          : this.processAuthorize(res)(ctx, member)
       }
     } else if (isString(authorize) || isArray(authorize)) {
       return async (ctx, member) => {

package/src/mixins/AssetMixin.js

@@ -66,11 +66,13 @@ export const AssetMixin = mixin(
       }
 
       // @override
-      $parseJson(json) {
+      $parseJson(json, { trusted = false } = {}) {
         const { file, storage } = json
         // Convert `AssetMixin#file` to an `AssetFile` instance:
         if (file && storage) {
-          this.constructor.app.getStorage(storage)?.convertAssetFile(file)
+          this.constructor.app
+            .getStorage(storage)
+            ?.convertAssetFile(file, { trusted })
         }
         return json
       }

package/src/models/Model.js

@@ -609,11 +609,11 @@ export class Model extends objection.Model {
     }
     // Also run through normal $parseJson(), for handling of `Date` and
     // `AssetFile`.
-    return this.$parseJson(json)
+    return this.$parseJson(json, { trusted: true })
   }
 
   // @override
-  $parseJson(json) {
+  $parseJson(json, { trusted = false } = {}) {
     const { constructor } = this
     for (const key of constructor.dateAttributes) {
       const date = json[key]
@@ -634,7 +634,7 @@ export class Model extends objection.Model {
               if (isArray(data)) {
                 data.forEach(convertToAssetFiles)
               } else {
-                storage.convertAssetFile(data)
+                storage.convertAssetFile(data, { trusted })
               }
             }
           }

package/src/storage/AssetFile.js

@@ -58,6 +58,8 @@ export class AssetFile {
   }
 
   static convert(object, storage) {
+    // Signature must never be persisted.
+    delete object.signature
     Object.setPrototypeOf(object, AssetFile.prototype)
     setHiddenProperty(object, SYMBOL_STORAGE, storage)
   }

package/src/storage/Storage.js

@@ -1,11 +1,14 @@
 import path from 'path'
 import { URL } from 'url'
+import crypto from 'crypto'
 import multer from '@koa/multer'
 import picomatch from 'picomatch'
 import { PassThrough } from 'stream'
 import { readMediaAttributes } from 'leather'
 import { hyphenate, toPromiseCallback } from '@ditojs/utils'
 import { AssetFile } from './AssetFile.js'
+import { AssetError } from '../errors/AssetError.js'
+import { resolveFileUrl } from '../utils/asset.js'
 
 const storageClasses = {}
 
@@ -73,10 +76,24 @@ export class Storage {
   }
 
   isImportSourceAllowed(url) {
-    return picomatch.isMatch(url, this.config.allowedImports || [])
+    return picomatch.isMatch(
+      resolveFileUrl(url),
+      (this.config.allowedImports || []).map(resolveFileUrl)
+    )
   }
 
-  convertAssetFile(file) {
+  convertAssetFile(file, { trusted = false } = {}) {
+    if (!trusted) {
+      if (this.isImportSourceAllowed(file.url)) {
+        this.signAssetFile(file)
+      } else if (!this.verifyAssetFile(file)) {
+        throw new AssetError(
+          `Invalid asset signature for file '${
+            file.name ?? file.key
+          }'`
+        )
+      }
+    }
     AssetFile.convert(file, this)
   }
 
@@ -90,7 +107,8 @@ export class Storage {
       url: this._getFileUrl(storageFile),
       // In case `config.readDimensions` is set:
       width: storageFile.width,
-      height: storageFile.height
+      height: storageFile.height,
+      signature: this._signAssetKey(storageFile.key)
     }
   }
 
@@ -104,7 +122,7 @@ export class Storage {
     file.url = this._getFileUrl(file)
     // TODO: Support `config.readDimensions`, but this can only be done once
     // there are separate storage instances per model assets config!
-    this.convertAssetFile(file)
+    this.convertAssetFile(file, { trusted: true })
     return file
   }
 
@@ -128,6 +146,34 @@ export class Storage {
     return this._getFileUrl(file)
   }
 
+  signAssetFile(file) {
+    file.signature = this._signAssetKey(file.key)
+  }
+
+  verifyAssetFile(file) {
+    if (file) {
+      const expected = this._signAssetKey(file.key)
+      try {
+        return crypto.timingSafeEqual(
+          Buffer.from(expected, 'hex'),
+          Buffer.from(file.signature, 'hex')
+        )
+      } catch {}
+    }
+    return false
+  }
+
+  _signAssetKey(key) {
+    const secret = (
+      this.app.keys?.[0] ??
+      (Storage._fallbackSecret ??= crypto.randomBytes(32))
+    )
+    return crypto
+      .createHmac('sha256', secret)
+      .update(key)
+      .digest('hex')
+  }
+
   _getUrl(...parts) {
     return this.url
       ? new URL(path.posix.join(...parts), this.url).toString()

package/src/storage/Storage.test.js

@@ -0,0 +1,58 @@
+import { Storage } from './Storage.js'
+
+function createStorage(keys = ['test-secret']) {
+  const app = { keys }
+  return new Storage(app, { name: 'test' })
+}
+
+function simulateUpload(storage, key, originalname) {
+  return storage.convertStorageFile({
+    key,
+    originalname,
+    mimetype: 'image/png',
+    size: 2048
+  })
+}
+
+describe('Storage: asset key signature verification', () => {
+  it('preserves the key through a full upload-then-save cycle', () => {
+    const storage = createStorage()
+    const uploaded = simulateUpload(storage, 'real-key.png', 'photo.png')
+    const fromClient = { ...uploaded }
+    storage.convertAssetFile(fromClient, { trusted: false })
+    expect(fromClient.key).toBe('real-key.png')
+  })
+
+  it('throws when a forged key is submitted', () => {
+    const storage = createStorage()
+    const file = { key: 'victim-key.png', name: 'photo.png' }
+    expect(() => {
+      storage.convertAssetFile(file, { trusted: false })
+    }).toThrow('Invalid asset signature')
+  })
+
+  it('throws when a valid signature is paired with a swapped key', () => {
+    const storage = createStorage()
+    const uploaded = simulateUpload(storage, 'legit.png', 'legit.png')
+    const forged = { ...uploaded, key: 'victim-file.png' }
+    expect(() => {
+      storage.convertAssetFile(forged, { trusted: false })
+    }).toThrow('Invalid asset signature')
+  })
+
+  it('does not throw when addFile() converts a server-created file', async () => {
+    const storage = createStorage()
+    const file = { key: 'imported.png', name: 'import.png' }
+    const data = Buffer.from('fake-image-data')
+    await storage.addFile(file, data)
+    expect(file.key).toBe('imported.png')
+  })
+
+  it('strips signature after conversion', () => {
+    const storage = createStorage()
+    const uploaded = simulateUpload(storage, 'upload.png', 'photo.png')
+    const fromClient = { ...uploaded }
+    storage.convertAssetFile(fromClient, { trusted: false })
+    expect('signature' in fromClient).toBe(false)
+  })
+})

package/src/utils/asset.js

@@ -0,0 +1,7 @@
+import path from 'path'
+
+export function resolveFileUrl(url) {
+  return url.startsWith('file://')
+    ? `file://${path.resolve(url.slice(7))}`
+    : url
+}