npm - @mermaid-js/mermaid-cli - Versions diffs - 11.14.0 → 11.16.0 - Mend

@mermaid-js/mermaid-cli 11.14.0 → 11.16.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (77) hide show

package/src/puppeteerIntercept.js CHANGED Viewed

@@ -2,9 +2,33 @@
  * @import puppeteer from 'puppeteer';
  */
-import { readFile, realpath } from 'node:fs/promises'
-import path from 'node:path'
-import url from 'node:url'
+import { readFile, realpath } from "node:fs/promises";
+import path from "node:path";
+import url from "node:url";
+import { DEFAULT_INTERCEPT_RESOLUTION_PRIORITY } from "puppeteer";
+/**
+ * Guesses the MIME-type of a file based on its extension.
+ *
+ * I've hardcoded the bare minimum number of MIME-types to support for security reasons.
+ *
+ * @param {string} filePath - The file path to guess the MIME-type for.
+ */
+function getContentTypeFromFileExtension(filePath) {
+  const ext = path.extname(filePath).toLowerCase();
+  switch (ext) {
+    case ".css":
+      // Make sure to set UTF-8, since sometimes Puppeteer can parse it as Latin-1.
+      return "text/css;charset=UTF-8";
+    case ".js":
+    case ".mjs":
+      return "application/javascript";
+    case ".woff2":
+      return "font/woff2";
+    default:
+      throw new Error(`Unsupported file extension for intercept: ${ext}`);
+  }
+}
 /**
  * Puppeteer doesn't allow importing ESM modules from `file://` URLs.
@@ -13,79 +37,102 @@ import url from 'node:url'
  * instead intercepts dummy `https://mermaid-cli-intercept.invalid` requests.
  */
 export class Interceptor {
-  #INTERCEPT_ORIGIN = 'https://mermaid-cli-intercept.invalid'
+  #INTERCEPT_ORIGIN = "https://mermaid-cli-intercept.invalid";
   /**
-     * Set of allowed file directories that can be intercepted.
-     *
-     * This is used to prevent arbitrary file access through the intercept mechanism.
-     *
-     * Make sure to use `realpath` to resolve any symlinks.
-     *
-     * @type {Set<string>}
-     */
-  #allowedDirs = new Set()
+   * Set of allowed file directories that can be intercepted.
+   *
+   * This is used to prevent arbitrary file access through the intercept mechanism.
+   *
+   * Make sure to use `realpath` to resolve any symlinks.
+   *
+   * @type {Set<string>}
+   */
+  #allowedDirs = new Set();
   /**
-     * @param {URL | `file://${string}`} fileUrl - File URL
-     */
-  async fileUrlToInterceptUrl (fileUrl) {
-    fileUrl = new URL(fileUrl)
-    if (fileUrl.protocol !== 'file:') {
-      throw new Error(`Invalid file URL: ${fileUrl}`)
+   * @param {URL | `file://${string}`} fileUrl - File URL
+   * @param {Object} [options] - Optional options.
+   * @param {number} [options.allowParentDirectoryLevel] - Number of parent directory levels to allow access to.
+   */
+  async fileUrlToInterceptUrl(fileUrl, { allowParentDirectoryLevel = 1 } = {}) {
+    fileUrl = new URL(fileUrl);
+    if (fileUrl.protocol !== "file:") {
+      throw new Error(`Invalid file URL: ${fileUrl}`);
+    }
+    let parentDirectory = await realpath(url.fileURLToPath(fileUrl));
+    while (allowParentDirectoryLevel-- >= 0) {
+      parentDirectory = path.dirname(parentDirectory);
     }
-    this.#allowedDirs.add(path.dirname(await realpath(url.fileURLToPath(fileUrl))))
-    return `${this.#INTERCEPT_ORIGIN}${fileUrl.pathname}`
+    this.#allowedDirs.add(parentDirectory);
+    return `${this.#INTERCEPT_ORIGIN}${fileUrl.pathname}`;
   }
   /**
-     *
-     * @param {URL | string} interceptUrl
-     * @throws {Error} If the URL is not a valid intercept URL
-     */
-  async interceptUrlToFileUrl (interceptUrl) {
-    interceptUrl = new URL(interceptUrl)
+   *
+   * @param {URL | string} interceptUrl
+   * @throws {Error} If the URL is not a valid intercept URL
+   */
+  async interceptUrlToFileUrl(interceptUrl) {
+    interceptUrl = new URL(interceptUrl);
     if (interceptUrl.origin !== this.#INTERCEPT_ORIGIN) {
-      throw new Error(`Invalid intercept URL: ${interceptUrl}`)
+      throw new Error(`Invalid intercept URL: ${interceptUrl}`);
     }
-    const fileUrl = new URL(interceptUrl.href.slice(this.#INTERCEPT_ORIGIN.length), 'file://')
-    const filePath = await realpath(url.fileURLToPath(fileUrl))
-    if (![...this.#allowedDirs].some(dir => path.relative(filePath, dir).startsWith('..'))) {
-      throw new Error(`Intercept URL is not in an allowed directory: ${interceptUrl}`)
+    const fileUrl = new URL(
+      interceptUrl.href.slice(this.#INTERCEPT_ORIGIN.length),
+      "file://",
+    );
+    const filePath = await realpath(url.fileURLToPath(fileUrl));
+    if (
+      ![...this.#allowedDirs].some((dir) =>
+        path.relative(filePath, dir).startsWith(".."),
+      )
+    ) {
+      throw new Error(
+        `Intercept URL is not in an allowed directory: ${interceptUrl}`,
+      );
     }
-    return fileUrl
+    return fileUrl;
   }
   /**
-     * @param {puppeteer.HTTPRequest} request - The intercepted request
-     */
-  async #interceptRequestHandler (request) {
+   * @param {import('puppeteer').HTTPRequest} request - The intercepted request
+   */
+  async #interceptRequestHandler(request) {
     try {
       if (request.url().startsWith(this.#INTERCEPT_ORIGIN)) {
-        const fileUrl = await this.interceptUrlToFileUrl(request.url())
-        return request.respond({
-          status: 200,
-          headers: {
-            'Access-Control-Allow-Origin': '*'
+        const fileUrl = await this.interceptUrlToFileUrl(request.url());
+        return request.respond(
+          {
+            status: 200,
+            headers: {
+              "Access-Control-Allow-Origin": "*",
+            },
+            contentType: getContentTypeFromFileExtension(
+              url.fileURLToPath(fileUrl),
+            ),
+            body: await readFile(fileUrl),
           },
-          contentType: 'application/javascript',
-          body: await readFile(fileUrl)
-        })
+          DEFAULT_INTERCEPT_RESOLUTION_PRIORITY,
+        );
       }
     } catch (error) {
-      console.error(`Error handling intercept request for ${request.url()}:`, error)
-      request.abort()
+      console.error(
+        `Error handling intercept request for ${request.url()}:`,
+        error,
+      );
+      return request.abort(undefined, DEFAULT_INTERCEPT_RESOLUTION_PRIORITY);
     }
-    request.continue()
+    request.continue(undefined, DEFAULT_INTERCEPT_RESOLUTION_PRIORITY);
   }
   /**
-     * Intercepts requests to `https://mermaid-cli-intercept.invalid`
-     * and serves the corresponding file content.
-     *
-     * @return {puppeteer.Handler<puppeteer.HTTPRequest>}
-     */
-  get interceptRequestHandler () {
-    return this.#interceptRequestHandler.bind(this)
+   * Intercepts requests to `https://mermaid-cli-intercept.invalid`
+   * and serves the corresponding file content.
+   *
+   * @return {import('puppeteer').Handler<import('puppeteer').HTTPRequest>}
+   */
+  get interceptRequestHandler() {
+    return this.#interceptRequestHandler.bind(this);
   }
 }