@mintlify/common 1.0.658 → 1.0.660

package/dist/asyncapi/checkForExternalRefs.d.ts

@@ -0,0 +1,11 @@
+export declare class ExternalRefError extends Error {
+    readonly refs: Array<{
+        path: string;
+        value: string;
+    }>;
+    constructor(message: string, refs: Array<{
+        path: string;
+        value: string;
+    }>);
+}
+export declare function checkForExternalRefs(input: unknown): void;

package/dist/asyncapi/checkForExternalRefs.js

@@ -0,0 +1,67 @@
+import yaml from 'js-yaml';
+export class ExternalRefError extends Error {
+    constructor(message, refs) {
+        super(message);
+        this.refs = refs;
+        this.name = 'ExternalRefError';
+    }
+}
+function tryParse(value) {
+    try {
+        return JSON.parse(value);
+    }
+    catch (_a) {
+        try {
+            const result = yaml.load(value);
+            return typeof result === 'object' ? result : null;
+        }
+        catch (_b) {
+            return null;
+        }
+    }
+}
+function validateParseable(input) {
+    try {
+        JSON.parse(input);
+    }
+    catch (_a) {
+        yaml.load(input);
+    }
+}
+function findExternalRefs(input, path = '', refs = [], visited = new WeakSet()) {
+    if (typeof input === 'string') {
+        const parsed = tryParse(input);
+        if (parsed)
+            findExternalRefs(parsed, path, refs, visited);
+        return refs;
+    }
+    if (!input || typeof input !== 'object' || visited.has(input))
+        return refs;
+    visited.add(input);
+    if (Array.isArray(input)) {
+        input.forEach((item, i) => findExternalRefs(item, `${path}[${i}]`, refs, visited));
+    }
+    else {
+        for (const [key, value] of Object.entries(input)) {
+            const newPath = path ? `${path}.${key}` : key;
+            if (key === '$ref' && typeof value === 'string' && !value.startsWith('#')) {
+                refs.push({ path: newPath, value });
+            }
+            else {
+                findExternalRefs(value, newPath, refs, visited);
+            }
+        }
+    }
+    return refs;
+}
+export function checkForExternalRefs(input) {
+    if (input == null || (typeof input !== 'string' && typeof input !== 'object'))
+        return;
+    if (typeof input === 'string')
+        validateParseable(input);
+    const refs = findExternalRefs(input);
+    if (refs.length > 0) {
+        const details = refs.map((r) => `  - ${r.path}: ${r.value}`).join('\n');
+        throw new ExternalRefError(`External $ref references are not allowed. Found ${refs.length} external reference(s):\n${details}`, refs);
+    }
+}

package/dist/asyncapi/validateAsyncApi.js

@@ -8,9 +8,12 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 import { Parser } from '@asyncapi/parser';
+import { checkForExternalRefs } from './checkForExternalRefs.js';
 export function validateAsyncApi(str) {
     return __awaiter(this, void 0, void 0, function* () {
         try {
+            // Throws error if external $ref is found
+            checkForExternalRefs(str);
             const parser = new Parser();
             const { document, diagnostics } = yield parser.parse(str);
             if (diagnostics.length > 0) {

package/dist/divisions/generatePathToHiddenDict.d.ts

@@ -0,0 +1,10 @@
+import { DecoratedNavigationConfig } from '@mintlify/validation';
+/**
+ * Generates a map from page paths to their hidden status based on navigation hierarchy.
+ * A page is hidden if:
+ * - It has noindex: true in its frontmatter, OR
+ * - Any parent group/division has hidden: true
+ * Assumes page hrefs in navWithPageContext have a leading / but config page paths do not.
+ * Outputted dictionary will NOT have a leading / in the dictionary keys.
+ */
+export declare function generatePathToHiddenDict(decoratedNav: DecoratedNavigationConfig): Map<string, boolean>;

package/dist/divisions/generatePathToHiddenDict.js

@@ -0,0 +1,53 @@
+import { divisions } from '@mintlify/validation';
+import { isPage } from '../navigation/isPage.js';
+import { optionallyRemoveLeadingSlash } from '../optionallyRemoveLeadingSlash.js';
+/**
+ * Generates a map from page paths to their hidden status based on navigation hierarchy.
+ * A page is hidden if:
+ * - It has noindex: true in its frontmatter, OR
+ * - Any parent group/division has hidden: true
+ * Assumes page hrefs in navWithPageContext have a leading / but config page paths do not.
+ * Outputted dictionary will NOT have a leading / in the dictionary keys.
+ */
+export function generatePathToHiddenDict(decoratedNav) {
+    const pathToHiddenDict = new Map();
+    generatePathToHiddenDictRecursive(pathToHiddenDict, decoratedNav, false);
+    return pathToHiddenDict;
+}
+function generatePathToHiddenDictRecursive(pathToHiddenDict, nav, parentHidden) {
+    if (typeof nav !== 'object')
+        return;
+    // Determine the effective hidden status for this level (from group/tab hidden property)
+    const effectiveHidden = 'hidden' in nav && typeof nav.hidden === 'boolean' ? nav.hidden : parentHidden;
+    if (isPage(nav)) {
+        const key = optionallyRemoveLeadingSlash(nav.href);
+        // A page is hidden if parent has hidden: true OR page has noindex: true in frontmatter
+        const pageNoindex = 'noindex' in nav && nav.noindex === true;
+        const isHidden = effectiveHidden || pageNoindex;
+        // Only add hidden pages to the dictionary (more efficient)
+        // We keep the first value encountered to handle duplicate paths
+        if (isHidden && !pathToHiddenDict.has(key)) {
+            pathToHiddenDict.set(key, true);
+        }
+    }
+    if ('pages' in nav) {
+        if ('root' in nav && typeof nav.root === 'object') {
+            generatePathToHiddenDictRecursive(pathToHiddenDict, nav.root, effectiveHidden);
+        }
+        for (const page of nav.pages) {
+            if (typeof page === 'object') {
+                generatePathToHiddenDictRecursive(pathToHiddenDict, page, effectiveHidden);
+            }
+        }
+    }
+    for (const key of ['groups', ...divisions]) {
+        if (key in nav) {
+            const items = nav[key];
+            if (Array.isArray(items)) {
+                for (const item of items) {
+                    generatePathToHiddenDictRecursive(pathToHiddenDict, item, effectiveHidden);
+                }
+            }
+        }
+    }
+}

package/dist/divisions/index.d.ts

@@ -1,3 +1,4 @@
+export * from './generatePathToHiddenDict.js';
 export * from './generatePathToVersionDict.js';
 export * from './generatePathToVersionDictForDocsConfig.js';
 export * from './generatePathToLanguageDict.js';

package/dist/divisions/index.js

@@ -1,3 +1,4 @@
+export * from './generatePathToHiddenDict.js';
 export * from './generatePathToVersionDict.js';
 export * from './generatePathToVersionDictForDocsConfig.js';
 export * from './generatePathToLanguageDict.js';

package/dist/openapi/validate.js

@@ -8,6 +8,7 @@ var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, ge
     });
 };
 import { validate as scalarValidate } from '@mintlify/openapi-parser';
+import { checkForExternalRefs } from '../asyncapi/checkForExternalRefs.js';
 export const validate = (document) => __awaiter(void 0, void 0, void 0, function* () {
     const result = yield safeValidate(document);
     if ('errorMessage' in result) {
@@ -16,6 +17,14 @@ export const validate = (document) => __awaiter(void 0, void 0, void 0, function
     return result;
 });
 export const safeValidate = (document) => __awaiter(void 0, void 0, void 0, function* () {
+    // Check for external $ref references before parsing to prevent SSRF
+    try {
+        checkForExternalRefs(document);
+    }
+    catch (error) {
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        return { errors: [{ message: errorMessage }], valid: false, errorMessage };
+    }
     const result = yield scalarValidate(document);
     const { errors, schema, valid, version } = result;
     if (version === '2.0')