npm - @normed/bundle - Versions diffs - 4.8.3 → 4.8.6 - Mend

@normed/bundle 4.8.3 → 4.8.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +8 -0
package/bundles/bin/cli.js +128 -42
package/bundles/bin/cli.js.map +3 -3
package/bundles/esbuild-plugins/load_pug.d.ts +11 -0
package/bundles/index.js +128 -42
package/bundles/index.js.map +3 -3
package/package.json +1 -1

package/bundles/esbuild-plugins/load_pug.d.ts CHANGED Viewed

@@ -1,4 +1,15 @@
 import type * as esbuild from "esbuild";
+export declare function getLinkingAttrs(elementName: string): string[] | undefined;
+export declare function findPackageRoot(filePath: string): string | null;
+/**
+ * Resolve an asset path from a pug file, treating "/" as srcWebRoot (not filesystem root).
+ */
+export declare function resolveAssetPath(assetPath: string, pugDir: string, srcWebRoot: string): string;
+/**
+ * Assert that an absolute path is within one of the allowed source roots.
+ * Throws if the path escapes all allowed roots.
+ */
+export declare function assertWithinAllowedRoots(absolutePath: string, allowedRoots: string[], originalValue: string, pugFilePath: string): void;
 /**
  * Discovered pug file reference from HTML.
  */

package/bundles/index.js CHANGED Viewed

@@ -68797,19 +68797,17 @@ function computeContentHash(content) {
   const num = hash.readUInt32BE(0);
   return num.toString(36).toUpperCase().padStart(8, "0").slice(0, 8);
 }
-var ASSET_ATTRIBUTES = {
-  img: ["src", "srcset"],
-  video: ["src", "poster"],
-  audio: ["src"],
-  source: ["src", "srcset"],
-  link: ["href"],
-  script: ["src"],
+var UNIVERSAL_LINKING_ATTRS = ["src", "srcset", "href"];
+var ELEMENT_SPECIFIC_LINKING_ATTRS = {
+  form: ["action"],
   object: ["data"],
-  embed: ["src"],
-  track: ["src"],
-  input: ["src"]
-  // for type="image"
+  video: ["poster"]
 };
+function getLinkingAttrs(elementName) {
+  if (!elementName) return void 0;
+  const extra = ELEMENT_SPECIFIC_LINKING_ATTRS[elementName];
+  return extra ? [...UNIVERSAL_LINKING_ATTRS, ...extra] : UNIVERSAL_LINKING_ATTRS;
+}
 function isRelativeAssetPath(assetPath) {
   if (!assetPath) return false;
   if (assetPath.startsWith("#")) return false;
@@ -68878,6 +68876,42 @@ function resolvePackagePath(packageSpecifier, fromFile) {
     return null;
   }
 }
+var packageRootCache = /* @__PURE__ */ new Map();
+function findPackageRoot(filePath) {
+  let dir = path5.dirname(path5.resolve(filePath));
+  const cacheKey = dir;
+  if (packageRootCache.has(cacheKey)) return packageRootCache.get(cacheKey);
+  while (true) {
+    if (fs6.existsSync(path5.join(dir, "package.json"))) {
+      packageRootCache.set(cacheKey, dir);
+      return dir;
+    }
+    const parent = path5.dirname(dir);
+    if (parent === dir) {
+      packageRootCache.set(cacheKey, null);
+      return null;
+    }
+    dir = parent;
+  }
+}
+function resolveAssetPath(assetPath, pugDir, srcWebRoot) {
+  if (assetPath.startsWith("/")) {
+    return path5.resolve(srcWebRoot, assetPath.slice(1));
+  }
+  return path5.resolve(pugDir, assetPath);
+}
+function assertWithinAllowedRoots(absolutePath, allowedRoots, originalValue, pugFilePath) {
+  const normalizedPath = path5.resolve(absolutePath);
+  const withinARoot = allowedRoots.some((root) => {
+    const normalizedRoot = path5.resolve(root);
+    return normalizedPath === normalizedRoot || normalizedPath.startsWith(normalizedRoot + path5.sep);
+  });
+  if (!withinARoot) {
+    throw new Error(
+      `Security: asset path "${originalValue}" resolves to "${normalizedPath}" which is outside the allowed source directories [${allowedRoots.join(", ")}]. Referenced in ${pugFilePath}. Use the copy: or build: prefix to resolve via Node module resolution.`
+    );
+  }
+}
 var discoveredPugReferences = /* @__PURE__ */ new Map();
 var discoveredLessReferences = /* @__PURE__ */ new Map();
 var discoveredScriptReferences = /* @__PURE__ */ new Map();
@@ -68912,7 +68946,7 @@ function computeHtmlAssetPath(opts) {
   }
   return path5.relative(opts.htmlOutputDir, opts.absoluteOutput);
 }
-async function processHtmlAssets(html, pugFilePath, options, webRoot) {
+async function processHtmlAssets(html, pugFilePath, options, webRoot, collectedReferences = []) {
   const assets = [];
   const pugReferences = [];
   const lessReferences = [];
@@ -68923,30 +68957,24 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
   const outbase = options.outbase || path5.dirname(pugFilePath);
   const pugDir = path5.dirname(pugFilePath);
   const publicPath = options.publicPath || "";
-  const processedAssets = /* @__PURE__ */ new Map();
-  const allAttrs = [...new Set(Object.values(ASSET_ATTRIBUTES).flat())].join(
-    "|"
+  const srcWebRoot = webRoot ? path5.join(outbase, webRoot) : outbase;
+  const normalizedOutbase = path5.resolve(outbase);
+  const normalizedPug = path5.resolve(pugFilePath);
+  const pugWithinOutbase = normalizedPug === normalizedOutbase || normalizedPug.startsWith(normalizedOutbase + path5.sep);
+  const packageRoot = pugWithinOutbase ? null : findPackageRoot(pugFilePath);
+  const allowedRoots = [outbase, packageRoot].filter(
+    (r) => r != null
   );
-  const attrRegex = new RegExp(`(${allAttrs})\\s*=\\s*["']([^"']+)["']`, "gi");
+  const processedAssets = /* @__PURE__ */ new Map();
   let modifiedHtml = html;
-  const matches = [];
-  let match;
-  while ((match = attrRegex.exec(html)) !== null) {
-    const attr = match[1];
-    const value = match[2];
-    if (attr && value) {
-      matches.push({
-        fullMatch: match[0],
-        attr: attr.toLowerCase(),
-        value
-      });
-    }
-  }
+  const matches = collectedReferences.map(
+    (ref) => ({ attr: ref.attr, value: ref.value })
+  );
   const discoveredPugPaths = /* @__PURE__ */ new Set();
   const discoveredLessPaths = /* @__PURE__ */ new Set();
   const discoveredScriptPaths = /* @__PURE__ */ new Set();
   const discoveredPackageCssPaths = /* @__PURE__ */ new Set();
-  for (const { fullMatch, attr, value } of matches) {
+  for (const { attr, value } of matches) {
     let newValue = value;
     if (attr === "srcset") {
       const srcsetParts = value.split(",");
@@ -68959,7 +68987,13 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
             [getVerbatimPath(assetPath), ...descriptors].filter(Boolean).join(" ")
           );
         } else if (assetPath && isPugReference(assetPath)) {
-          const absolutePath = path5.resolve(pugDir, assetPath);
+          const absolutePath = resolveAssetPath(assetPath, pugDir, srcWebRoot);
+          assertWithinAllowedRoots(
+            absolutePath,
+            allowedRoots,
+            assetPath,
+            pugFilePath
+          );
           if (!discoveredPugPaths.has(absolutePath)) {
             discoveredPugPaths.add(absolutePath);
             pugReferences.push({ originalHref: assetPath, absolutePath });
@@ -68976,6 +69010,8 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
             publicPath,
             assets,
             processedAssets,
+            srcWebRoot,
+            allowedRoots,
             webRoot
           );
           if (hashedPath) {
@@ -68993,19 +69029,22 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
     } else if (isVerbatimReference(value)) {
       newValue = getVerbatimPath(value);
     } else if (isPugReference(value)) {
-      const absolutePath = path5.resolve(pugDir, value);
+      const absolutePath = resolveAssetPath(value, pugDir, srcWebRoot);
+      assertWithinAllowedRoots(absolutePath, allowedRoots, value, pugFilePath);
       if (!discoveredPugPaths.has(absolutePath)) {
         discoveredPugPaths.add(absolutePath);
         pugReferences.push({ originalHref: value, absolutePath });
       }
     } else if (isLessReference(value)) {
-      const absolutePath = path5.resolve(pugDir, value);
+      const absolutePath = resolveAssetPath(value, pugDir, srcWebRoot);
+      assertWithinAllowedRoots(absolutePath, allowedRoots, value, pugFilePath);
       if (!discoveredLessPaths.has(absolutePath)) {
         discoveredLessPaths.add(absolutePath);
         lessReferences.push({ originalHref: value, absolutePath });
       }
     } else if (isScriptReference(value)) {
-      const absolutePath = path5.resolve(pugDir, value);
+      const absolutePath = resolveAssetPath(value, pugDir, srcWebRoot);
+      assertWithinAllowedRoots(absolutePath, allowedRoots, value, pugFilePath);
       if (!discoveredScriptPaths.has(absolutePath)) {
         discoveredScriptPaths.add(absolutePath);
         scriptReferences.push({ originalHref: value, absolutePath });
@@ -69137,6 +69176,8 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
         publicPath,
         assets,
         processedAssets,
+        srcWebRoot,
+        allowedRoots,
         webRoot
       );
       if (hashedPath) {
@@ -69144,8 +69185,9 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
       }
     }
     if (newValue !== value) {
-      const newFullMatch = fullMatch.replace(value, newValue);
-      modifiedHtml = modifiedHtml.replace(fullMatch, newFullMatch);
+      const escapedValue = value.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+      const valueRegex = new RegExp(`(["'])${escapedValue}\\1`);
+      modifiedHtml = modifiedHtml.replace(valueRegex, `$1${newValue}$1`);
     }
   }
   return {
@@ -69157,8 +69199,14 @@ async function processHtmlAssets(html, pugFilePath, options, webRoot) {
     packageCssReferences
   };
 }
-async function processAsset(assetPath, pugDir, pugFilePath, outdir, outbase, assetNames, publicPath, assets, processedAssets, webRoot) {
-  const absoluteSource = path5.resolve(pugDir, assetPath);
+async function processAsset(assetPath, pugDir, pugFilePath, outdir, outbase, assetNames, publicPath, assets, processedAssets, srcWebRoot, allowedRoots, webRoot) {
+  const absoluteSource = resolveAssetPath(assetPath, pugDir, srcWebRoot);
+  assertWithinAllowedRoots(
+    absoluteSource,
+    allowedRoots,
+    assetPath,
+    pugFilePath
+  );
   if (processedAssets.has(absoluteSource)) {
     return processedAssets.get(absoluteSource);
   }
@@ -69312,11 +69360,11 @@ function createRebaseAssetsPlugin(entryFilePath) {
         if (node.nodes) {
           pending.push(...node.nodes);
         }
-        const assetAttrs = ASSET_ATTRIBUTES[node.name];
-        if (!assetAttrs) continue;
+        const linkingAttrs = getLinkingAttrs(node.name);
+        if (!linkingAttrs) continue;
         if (!node.attrs) continue;
         for (const attr of node.attrs) {
-          if (!assetAttrs.includes(attr.name)) continue;
+          if (!linkingAttrs.includes(attr.name)) continue;
           const sourceFile = attr.filename || node.filename;
           if (!sourceFile) continue;
           const sourceDir = path5.dirname(sourceFile);
@@ -69353,6 +69401,36 @@ function createRebaseAssetsPlugin(entryFilePath) {
     }
   };
 }
+function createAssetCollectorPlugin(collectedReferences) {
+  return {
+    preCodeGen(ast) {
+      const pending = [...ast?.nodes || []];
+      while (pending.length > 0) {
+        const node = pending.shift();
+        if (!node) continue;
+        if (node.block?.nodes) {
+          pending.push(...node.block.nodes);
+        }
+        if (node.nodes) {
+          pending.push(...node.nodes);
+        }
+        const linkingAttrs = getLinkingAttrs(node.name);
+        if (!linkingAttrs) continue;
+        if (!node.attrs) continue;
+        for (const attr of node.attrs) {
+          if (!linkingAttrs.includes(attr.name)) continue;
+          const extracted = extractStaticString(attr.val);
+          if (!extracted) continue;
+          collectedReferences.push({
+            attr: attr.name,
+            value: extracted.value
+          });
+        }
+      }
+      return ast;
+    }
+  };
+}
 async function loadAsText2(_filepath) {
   return {
     loader: "text"
@@ -69394,12 +69472,14 @@ async function loadAsHtml(filepath, options) {
 }
 async function loadAsEntrypoint(filepath, options, webRoot) {
   const fileData = await fs6.promises.readFile(filepath, "utf8");
+  const collectedReferences = [];
   let contents = import_pug.default.render(fileData, {
     filename: filepath,
     basedir: options.outbase,
     name: "render",
     plugins: [
       createRebaseAssetsPlugin(filepath),
+      createAssetCollectorPlugin(collectedReferences),
       pugTransformer(isScriptNodeWithSrcAttr, (nodes) => {
         nodes;
       })
@@ -69413,7 +69493,13 @@ async function loadAsEntrypoint(filepath, options, webRoot) {
     lessReferences,
     scriptReferences,
     packageCssReferences
-  } = await processHtmlAssets(contents, filepath, options, webRoot);
+  } = await processHtmlAssets(
+    contents,
+    filepath,
+    options,
+    webRoot,
+    collectedReferences
+  );
   contents = processedHtml;
   if (pugReferences.length > 0) {
     discoveredPugReferences.set(filepath, pugReferences);