@raystack/chronicle 0.11.1 → 0.11.2

package/dist/cli/index.js

@@ -72,17 +72,18 @@ var init_image_utils = () => {};
 import path4 from "node:path";
 import { visit } from "unist-util-visit";
 function resolveUrl(src, dir) {
-  if (/^[a-z][a-z0-9+\-.]*:/i.test(src))
-    return src;
-  if (src.startsWith("//"))
-    return src;
-  if (src.startsWith("#"))
-    return src;
-  if (src.startsWith("/_content/"))
-    return src;
-  if (src.startsWith("/"))
-    return `/_content${src}`;
-  return `/_content/${path4.posix.normalize(path4.posix.join(dir, src))}`;
+  const normalized = src.replace(/\\/g, "/");
+  if (/^[a-z][a-z0-9+\-.]*:/i.test(normalized))
+    return normalized;
+  if (normalized.startsWith("//"))
+    return normalized;
+  if (normalized.startsWith("#"))
+    return normalized;
+  if (normalized.startsWith("/_content/"))
+    return normalized;
+  if (normalized.startsWith("/"))
+    return `/_content${normalized}`;
+  return `/_content/${path4.posix.normalize(path4.posix.join(dir, normalized))}`;
 }
 function optimizeUrl(url, optimize) {
   if (optimize && isLocalImage(url) && !isSvg(url))

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@raystack/chronicle",
-  "version": "0.11.1",
+  "version": "0.11.2",
   "description": "Config-driven documentation framework",
   "license": "Apache-2.0",
   "type": "module",

package/src/lib/image-utils.test.ts

@@ -53,6 +53,14 @@ describe('buildOptimizedUrl', () => {
   });
 });
 
+describe('buildOptimizedUrl with backslashes', () => {
+  test('backslashes in input are not double-encoded', () => {
+    const url = buildOptimizedUrl('/_content/docs/imgs\\screenshot.png', 640);
+    expect(url).toContain('imgs%5Cscreenshot.png');
+    expect(url).not.toContain('%255C');
+  });
+});
+
 describe('constants', () => {
   test('ALLOWED_WIDTHS is sorted ascending', () => {
     for (let i = 1; i < ALLOWED_WIDTHS.length; i++) {

package/src/lib/remark-resolve-images.ts

@@ -8,13 +8,14 @@ import { MdxNodeType } from './mdx-utils'
 import { isLocalImage, isSvg, buildOptimizedUrl, DEFAULT_WIDTH } from './image-utils'
 
 function resolveUrl(src: string, dir: string): string {
-  if (/^[a-z][a-z0-9+\-.]*:/i.test(src)) return src
-  if (src.startsWith('//')) return src
-  if (src.startsWith('#')) return src
-  if (src.startsWith('/_content/')) return src
+  const normalized = src.replace(/\\/g, '/')
+  if (/^[a-z][a-z0-9+\-.]*:/i.test(normalized)) return normalized
+  if (normalized.startsWith('//')) return normalized
+  if (normalized.startsWith('#')) return normalized
+  if (normalized.startsWith('/_content/')) return normalized
 
-  if (src.startsWith('/')) return `/_content${src}`
-  return `/_content/${path.posix.normalize(path.posix.join(dir, src))}`
+  if (normalized.startsWith('/')) return `/_content${normalized}`
+  return `/_content/${path.posix.normalize(path.posix.join(dir, normalized))}`
 }
 
 interface RemarkResolveImagesOptions {

package/src/server/api/image.ts

@@ -52,14 +52,16 @@ async function evictIfNeeded(storage: ReturnType<typeof useStorage>) {
 export default defineHandler(async event => {
   const storage = useStorage(STORAGE_KEY)
 
-  const url = event.url.searchParams.get('url')
+  const rawUrl = event.url.searchParams.get('url')
   const wParam = event.url.searchParams.get('w')
   const qParam = event.url.searchParams.get('q')
 
-  if (!url || !wParam) {
+  if (!rawUrl || !wParam) {
     throw new HTTPError({ status: StatusCodes.BAD_REQUEST, message: 'Missing url or w parameter' })
   }
 
+  const url = rawUrl.replace(/\\/g, '/')
+
   if (!url.startsWith('/_content/')) {
     throw new HTTPError({ status: StatusCodes.BAD_REQUEST, message: 'Only local content images allowed' })
   }

package/src/server/entry-server.tsx

@@ -14,6 +14,7 @@ import { getFirstApiUrl } from '@/lib/api-routes';
 import { StatusCodes } from 'http-status-codes';
 import { resolveDocsRedirect } from '@/lib/tree-utils';
 import { isLocalImage, isSvg, buildOptimizedUrl, DEFAULT_WIDTH } from '@/lib/image-utils';
+import { QueryClientProvider, QueryClient } from '@tanstack/react-query';
 import { useNitroApp } from 'nitro/app';
 import { App } from './App';
 
@@ -136,20 +137,22 @@ export default {
         </head>
         <body>
           <div id="root">
-            <StaticRouter location={pathname}>
-              <ReactRouterProvider>
-                <PageProvider
-                  initialConfig={config}
-                  initialTree={tree}
-                  initialPage={pageData}
-                  initialApiSpecs={apiSpecs}
-                  initialVersion={route.version}
-                  loadMdx={async () => ({ content: null, toc: [] })}
-                >
-                  <App />
-                </PageProvider>
-              </ReactRouterProvider>
-            </StaticRouter>
+            <QueryClientProvider client={new QueryClient()}>
+              <StaticRouter location={pathname}>
+                <ReactRouterProvider>
+                  <PageProvider
+                    initialConfig={config}
+                    initialTree={tree}
+                    initialPage={pageData}
+                    initialApiSpecs={apiSpecs}
+                    initialVersion={route.version}
+                    loadMdx={async () => ({ content: null, toc: [] })}
+                  >
+                    <App />
+                  </PageProvider>
+                </ReactRouterProvider>
+              </StaticRouter>
+            </QueryClientProvider>
           </div>
         </body>
       </html>,

package/src/server/utils/safe-path.test.ts

@@ -0,0 +1,34 @@
+import { describe, expect, test } from 'bun:test';
+import path from 'node:path';
+import { safePath } from '@/server/utils/safe-path';
+
+describe('safePath', () => {
+  const base = '/app/content';
+
+  test('resolves valid path within base', () => {
+    expect(safePath(base, '/docs/intro.mdx')).toBe(path.resolve(base, 'docs/intro.mdx'));
+  });
+
+  test('returns null for path traversal', () => {
+    expect(safePath(base, '/../etc/passwd')).toBeNull();
+  });
+
+  test('normalizes backslashes to forward slashes', () => {
+    const result = safePath(base, '/docs\\imgs\\screenshot.png');
+    expect(result).toBe(path.resolve(base, 'docs/imgs/screenshot.png'));
+  });
+
+  test('decodes URI-encoded characters', () => {
+    const result = safePath(base, '/docs/my%20image.png');
+    expect(result).toBe(path.resolve(base, 'docs/my image.png'));
+  });
+
+  test('strips query string before resolving', () => {
+    const result = safePath(base, '/docs/img.png?v=1');
+    expect(result).toBe(path.resolve(base, 'docs/img.png'));
+  });
+
+  test('returns null for malformed percent-encoding', () => {
+    expect(safePath(base, '/docs/%E0%A4%')).toBeNull();
+  });
+});

package/src/server/utils/safe-path.ts

@@ -5,7 +5,12 @@ import path from 'node:path';
  * Returns null if the resolved path escapes the base directory.
  */
 export function safePath(baseDir: string, urlPath: string): string | null {
-  const decoded = decodeURIComponent(urlPath.split('?')[0]);
+  let decoded: string;
+  try {
+    decoded = decodeURIComponent(urlPath.split('?')[0]).replace(/\\/g, '/');
+  } catch {
+    return null;
+  }
   const resolved = path.resolve(baseDir, '.' + decoded);
   if (
     !resolved.startsWith(path.resolve(baseDir) + path.sep) &&

package/src/themes/default/Page.tsx

@@ -12,7 +12,7 @@ export function Page({ page }: ThemePageProps) {
     <Flex className={styles.page}>
       <article className={styles.article} data-article-content>
         {page.frontmatter.title && (
-          <Headline size="t2" render={<h1 />} className={styles.title}>
+          <Headline size="t4" render={<h1 />} className={styles.title}>
             {page.frontmatter.title}
           </Headline>
         )}

package/src/themes/paper/Page.module.css

@@ -94,9 +94,9 @@
 
 .articleTitle {
   font-family: var(--paper-font-body);
-  font-size: var(--rs-space-8);
+  font-size: var(--rs-font-size-t4);
   font-weight: var(--rs-font-weight-medium);
-  line-height: var(--rs-space-10);
+  line-height: var(--rs-line-height-t4);
   letter-spacing: var(--rs-letter-spacing-t1);
   text-align: center;
   color: var(--rs-color-foreground-base-primary);