@saltcorn/server 1.0.0-beta.13 → 1.0.0-beta.14

package/app.js

@@ -447,6 +447,9 @@ Sitemap: ${base}sitemap.xml
   app.get("*", function (req, res) {
     res.status(404).sendWrap(req.__("Not found"), h1(req.__("Page not found")));
   });
+
+  //prevent prototype pollution
+  delete Object.prototype.__proto__;
   return app;
 };
 module.exports = getApp;

package/load_plugins.js

@@ -19,17 +19,46 @@ const {
   resolveLatest,
 } = require("@saltcorn/plugins-loader/stable_versioning");
 
+const isFixedPlugin = (plugin) =>
+  plugin.location === "@saltcorn/sbadmin2" ||
+  plugin.location === "@saltcorn/base-plugin";
+
+/**
+ * return the cached engine infos or fetch them from npm and update the cache
+ * @param plugin plugin to load
+ */
+const getEngineInfos = async (plugin, forceFetch) => {
+  const rootState = getRootState();
+  const cached = rootState.getConfig("engines_cache", {}) || {};
+  if (cached[plugin.location] && !forceFetch) {
+    return cached[plugin.location];
+  } else {
+    getState().log(5, `Fetching versions for '${plugin.location}'`);
+    const pkgInfo = await npmFetch.json(
+      `https://registry.npmjs.org/${plugin.location}`
+    );
+    const versions = pkgInfo.versions;
+    const newCached = {};
+    for (const [k, v] of Object.entries(versions)) {
+      newCached[k] = v.engines?.saltcorn
+        ? { engines: { saltcorn: v.engines.saltcorn } }
+        : {};
+    }
+    cached[plugin.location] = newCached;
+    await rootState.setConfig("engines_cache", { ...cached });
+    return newCached;
+  }
+};
+
 /**
  * checks the saltcorn engine property and changes the plugin version if necessary
  * @param plugin plugin to load
  */
-const ensurePluginSupport = async (plugin) => {
-  const pkgInfo = await npmFetch.json(
-    `https://registry.npmjs.org/${plugin.location}`
-  );
+const ensurePluginSupport = async (plugin, forceFetch) => {
+  const versions = await getEngineInfos(plugin, forceFetch);
   const supported = supportedVersion(
     plugin.version || "latest",
-    pkgInfo.versions,
+    versions,
     packagejson.version
   );
   if (!supported)
@@ -38,8 +67,7 @@ const ensurePluginSupport = async (plugin) => {
     );
   else if (
     supported !== plugin.version ||
-    (plugin.version === "latest" &&
-      supported !== resolveLatest(pkgInfo.versions))
+    (plugin.version === "latest" && supported !== resolveLatest(versions))
   )
     plugin.version = supported;
 };
@@ -50,10 +78,10 @@ const ensurePluginSupport = async (plugin) => {
  * @param plugin - plugin to load
  * @param force - force flag
  */
-const loadPlugin = async (plugin, force) => {
-  if (plugin.source === "npm" && isRoot()) {
+const loadPlugin = async (plugin, force, forceFetch) => {
+  if (plugin.source === "npm" && !isFixedPlugin(plugin)) {
     try {
-      await ensurePluginSupport(plugin);
+      await ensurePluginSupport(plugin, forceFetch);
     } catch (e) {
       console.log(
         `Warning: Unable to find a supported version for '${plugin.location}' Continuing with the installed version`
@@ -279,6 +307,6 @@ module.exports = {
   loadAllPlugins,
   loadPlugin,
   requirePlugin,
-  supportedVersion,
+  getEngineInfos,
   ensurePluginSupport,
 };

package/locales/en.json

@@ -1468,5 +1468,9 @@
 	"Time to run": "Time to run",
 	"Mobile": "Mobile",
 	"Plain password trigger row": "Plain password trigger row",
-	"Send plaintext password changes to Users table triggers (Insert, Update and Validate).": "Send plaintext password changes to Users table triggers (Insert, Update and Validate)."
+	"Send plaintext password changes to Users table triggers (Insert, Update and Validate).": "Send plaintext password changes to Users table triggers (Insert, Update and Validate).",
+	"Minimum user role required to create a new tenant<div class=\"alert alert-danger fst-normal\" role=\"alert\" data-show-if=\"showIfFormulaInputs($('select[name=role_to_create_tenant]'), '+role_to_create_tenant>1')\">Giving non-trusted users access to create tenants is a security risk and not recommended.</div>": "Minimum user role required to create a new tenant<div class=\"alert alert-danger fst-normal\" role=\"alert\" data-show-if=\"showIfFormulaInputs($('select[name=role_to_create_tenant]'), '+role_to_create_tenant>1')\">Giving non-trusted users access to create tenants is a security risk and not recommended.</div>",
+	"Select tag": "Select tag",
+	"Invalid build directory path": "Invalid build directory path",
+	"Invalid build directory name": "Invalid build directory name"
 }

package/package.json

@@ -1,20 +1,20 @@
 {
   "name": "@saltcorn/server",
-  "version": "1.0.0-beta.13",
+  "version": "1.0.0-beta.14",
   "description": "Server app for Saltcorn, open-source no-code platform",
   "homepage": "https://saltcorn.com",
   "main": "index.js",
   "license": "MIT",
   "dependencies": {
     "@aws-sdk/client-s3": "^3.451.0",
-    "@saltcorn/base-plugin": "1.0.0-beta.13",
-    "@saltcorn/builder": "1.0.0-beta.13",
-    "@saltcorn/data": "1.0.0-beta.13",
-    "@saltcorn/admin-models": "1.0.0-beta.13",
-    "@saltcorn/filemanager": "1.0.0-beta.13",
-    "@saltcorn/markup": "1.0.0-beta.13",
-    "@saltcorn/plugins-loader": "1.0.0-beta.13",
-    "@saltcorn/sbadmin2": "1.0.0-beta.13",
+    "@saltcorn/base-plugin": "1.0.0-beta.14",
+    "@saltcorn/builder": "1.0.0-beta.14",
+    "@saltcorn/data": "1.0.0-beta.14",
+    "@saltcorn/admin-models": "1.0.0-beta.14",
+    "@saltcorn/filemanager": "1.0.0-beta.14",
+    "@saltcorn/markup": "1.0.0-beta.14",
+    "@saltcorn/plugins-loader": "1.0.0-beta.14",
+    "@saltcorn/sbadmin2": "1.0.0-beta.14",
     "@socket.io/cluster-adapter": "^0.2.1",
     "@socket.io/sticky": "^1.0.1",
     "adm-zip": "0.5.10",

package/public/saltcorn-common.js

@@ -184,8 +184,21 @@ function apply_showif() {
     var current = e.attr("data-selected") || e.val();
     //console.log({ field: e.attr("name"), target: data[0], val, current });
     e.empty();
+    //TODO clean repetition in following cose
     (options || []).forEach((o) => {
-      if (
+      if (o && o.optgroup) {
+        const opts = o.options
+          .map(
+            (innero) =>
+              `<option ${
+                `${current}` === `${innero.value || innero}` ? "selected " : ""
+              }value="${innero.value || innero}">${
+                innero.label || innero
+              }</option>`
+          )
+          .join("");
+        e.append($(`<optgroup label="${o.label}">` + opts + "</optgroup>"));
+      } else if (
         !(o && typeof o.label !== "undefined" && typeof o.value !== "undefined")
       ) {
         if (`${current}` === `${o}`)

package/routes/actions.js

@@ -57,21 +57,6 @@ const {
   blocklyToolbox,
 } = require("../markup/blockly.js");
 
-/**
- * @returns {Promise<object>}
- */
-const getActions = async () => {
-  return Object.entries(getState().actions).map(([k, v]) => {
-    const hasConfig = !!v.configFields;
-    const requireRow = !!v.requireRow;
-    return {
-      name: k,
-      hasConfig,
-      requireRow,
-    };
-  });
-};
-
 /**
  * Show list of Actions (Triggers) (HTTP GET)
  * @name get
@@ -96,7 +81,7 @@ router.get(
       triggers = triggers.filter((t) => tagged_trigger_ids.has(t.id));
       filterOnTag = await Tag.findOne({ id: +req.query._tag });
     }
-    const actions = await getActions();
+    const actions = Trigger.abbreviated_actions;
     send_events_page({
       res,
       req,
@@ -156,7 +141,7 @@ const triggerForm = async (req, trigger) => {
     value: r.id,
     label: r.role,
   }));
-  const actions = await getActions();
+  const actions = Trigger.abbreviated_actions;
   const tables = await Table.find({});
   let id;
   let form_action;
@@ -168,14 +153,11 @@ const triggerForm = async (req, trigger) => {
   const hasChannel = Object.entries(getState().eventTypes)
     .filter(([k, v]) => v.hasChannel)
     .map(([k, v]) => k);
-  const allActions = actions.map((t) => t.name);
-  allActions.push("Multi-step action");
+
+  const allActions = Trigger.action_options(false);
   const table_triggers = ["Insert", "Update", "Delete", "Validate"];
   const action_options = {};
-  const actionsNotRequiringRow = actions
-    .filter((a) => !a.requireRow)
-    .map((t) => t.name);
-  actionsNotRequiringRow.push("Multi-step action");
+  const actionsNotRequiringRow = Trigger.action_options(true);
 
   Trigger.when_options.forEach((t) => {
     if (table_triggers.includes(t)) action_options[t] = allActions;

package/routes/admin.js

@@ -673,7 +673,10 @@ router.get(
     const backup_file_prefix = getState().getConfig("backup_file_prefix");
     if (
       !isRoot ||
-      !(filename.startsWith(backup_file_prefix) && filename.endsWith(".zip"))
+      !(
+        path.resolve(filename).startsWith(backup_file_prefix) &&
+        filename.endsWith(".zip")
+      )
     ) {
       res.redirect("/admin/backup");
       return;
@@ -1312,6 +1315,23 @@ router.get(
               )
             )
           ),
+          div(
+            { class: "form-group" },
+            input({
+              id: "deep_clean",
+              class: "form-check-input",
+              type: "checkbox",
+              name: "deep_clean",
+              checked: false,
+            }),
+            label(
+              {
+                for: "deep_clean",
+                class: "form-label ms-2",
+              },
+              req.__("clean node_modules")
+            )
+          ),
           div(
             { class: "d-flex justify-content-end" },
             button(
@@ -1343,7 +1363,17 @@ router.get(
   })
 );
 
-const doInstall = async (req, res, version, runPull) => {
+const cleanNodeModules = async () => {
+  const topSaltcornDir = path.join(__dirname, "..", "..", "..", "..", "..");
+  if (path.basename(topSaltcornDir) === "@saltcorn")
+    await fs.promises.rm(topSaltcornDir, { recursive: true, force: true });
+  else
+    throw new Error(
+      `'${topSaltcornDir}' is not a Saltcorn installation directory`
+    );
+};
+
+const doInstall = async (req, res, version, deepClean, runPull) => {
   if (db.getTenantSchema() !== db.connectObj.default_schema) {
     req.flash("error", req.__("Not possible for tenant"));
     res.redirect("/admin");
@@ -1353,6 +1383,14 @@ const doInstall = async (req, res, version, runPull) => {
         ? req.__("Starting upgrade, please wait...\n")
         : req.__("Installing %s, please wait...\n", version)
     );
+    if (deepClean) {
+      res.write(req.__("Cleaning node_modules...\n"));
+      try {
+        await cleanNodeModules();
+      } catch (e) {
+        res.write(req.__("Error cleaning node_modules: %s\n", e.message));
+      }
+    }
     const child = spawn(
       "npm",
       ["install", "-g", `@saltcorn/cli@${version}`, "--unsafe"],
@@ -1390,8 +1428,8 @@ const doInstall = async (req, res, version, runPull) => {
 };
 
 router.post("/install", isAdmin, async (req, res) => {
-  const { version } = req.body;
-  await doInstall(req, res, version, false);
+  const { version, deep_clean } = req.body;
+  await doInstall(req, res, version, deep_clean === "on", false);
 });
 
 /**
@@ -1404,7 +1442,7 @@ router.post(
   "/upgrade",
   isAdmin,
   error_catcher(async (req, res) => {
-    await doInstall(req, res, "latest", true);
+    await doInstall(req, res, "latest", false, true);
   })
 );
 /**
@@ -2877,17 +2915,66 @@ router.get(
   })
 );
 
+const validateBuildDirName = (buildDirName) => {
+  // ensure characters
+  if (!/^[a-zA-Z0-9_-]+$/.test(buildDirName)) {
+    getState().log(
+      4,
+      `Invalid characters in build directory name '${buildDirName}'`
+    );
+    return false;
+  }
+  // ensure format is 'build_1234567890'
+  if (!/^build_\d+$/.test(buildDirName)) {
+    getState().log(4, `Invalid build directory name format '${buildDirName}'`);
+    return false;
+  }
+  return true;
+};
+
+const validateBuildDir = (buildDir, rootPath) => {
+  const resolvedBuildDir = path.resolve(buildDir);
+  if (!resolvedBuildDir.startsWith(path.join(rootPath, "mobile_app"))) {
+    getState().log(4, `Invalid build directory path '${buildDir}'`);
+    return false;
+  }
+  return true;
+};
+
 router.get(
   "/build-mobile-app/result",
   isAdmin,
   error_catcher(async (req, res) => {
     const { build_dir_name } = req.query;
+    if (!validateBuildDirName(build_dir_name)) {
+      return res.sendWrap(req.__(`Admin`), {
+        above: [
+          {
+            type: "card",
+            title: req.__("Build Result"),
+            contents: div(req.__("Invalid build directory name")),
+          },
+        ],
+      });
+    }
     const rootFolder = await File.rootFolder();
     const buildDir = path.join(
       rootFolder.location,
       "mobile_app",
       build_dir_name
     );
+    if (!validateBuildDir(buildDir, rootFolder.location)) {
+      return res.sendWrap(req.__(`Admin`), {
+        above: [
+          {
+            type: "card",
+            title: req.__("Build Result"),
+            contents: div(req.__("Invalid build directory path")),
+          },
+        ],
+      });
+    }
+
     const files = await Promise.all(
       fs
         .readdirSync(buildDir)

package/routes/infoarch.js

@@ -234,7 +234,14 @@ router.post(
   isAdmin,
   error_catcher(async (req, res) => {
     const { lang, defstring } = req.params;
-
+    if (
+      lang === "__proto__" ||
+      defstring === "__proto__" ||
+      lang === "constructor"
+    ) {
+      res.redirect(`/`);
+      return;
+    }
     const cfgStrings = getState().getConfigCopy("localizer_strings");
     if (cfgStrings[lang]) cfgStrings[lang][defstring] = text(req.body.value);
     else cfgStrings[lang] = { [defstring]: text(req.body.value) };

package/routes/plugins.js

@@ -49,6 +49,8 @@ const {
   input,
   label,
   text,
+  script,
+  domReady,
 } = require("@saltcorn/markup/tags");
 const { search_bar } = require("@saltcorn/markup/helpers");
 const fs = require("fs");
@@ -614,13 +616,14 @@ router.get(
         res.set("Page-Title", req.__("%s versions", text(withoutOrg)));
         const versions = Object.keys(pkgInfo.versions);
         if (versions.length === 0) throw new Error(req.__("No versions found"));
+        const tags = pkgInfo["dist-tags"] || {};
         let selected = null;
         if (getState().plugins[plugin.name]) {
           const mod = await load_plugins.requirePlugin(plugin);
           if (mod) selected = mod.version;
         }
         if (!selected) selected = versions[versions.length - 1];
-        const packageJson = require("../package.json");
+        const scVersion = getState().scVersion;
         return res.send(
           form(
             {
@@ -630,6 +633,7 @@ router.get(
             input({ type: "hidden", name: "_csrf", value: req.csrfToken() }),
             div(
               { class: "form-group" },
+              // version
               label(
                 {
                   for: "version_select",
@@ -645,7 +649,7 @@ router.get(
                 },
                 versions
                   .filter((v) =>
-                    isVersionSupported(v, pkgInfo.versions, packageJson.version)
+                    isVersionSupported(v, pkgInfo.versions, scVersion)
                   )
                   .map((version) =>
                     option({
@@ -655,6 +659,37 @@ router.get(
                       selected: version === selected,
                     })
                   )
+              ),
+              // tag
+              label(
+                {
+                  for: "tag_select",
+                  class: "form-label fw-bold mt-2",
+                },
+                req.__("Tags")
+              ),
+              select(
+                {
+                  id: "tag_select",
+                  class: "form-control form-select",
+                },
+                option({
+                  id: "empty_opt",
+                  value: "",
+                  label: req.__("Select tag"),
+                  selected: true,
+                }),
+                Object.keys(tags)
+                  .filter((tag) =>
+                    isVersionSupported(tags[tag], pkgInfo.versions, scVersion)
+                  )
+                  .map((tag) =>
+                    option({
+                      id: `${tag}_opt`,
+                      value: tags[tag],
+                      label: `${tag} (${tags[tag]})`,
+                    })
+                  )
               )
             ),
             div(
@@ -676,7 +711,19 @@ router.get(
                 req.__("Install")
               )
             )
-          )
+          ) +
+            script(
+              domReady(`
+document.getElementById('tag_select').onchange = () => {
+  const version = document.getElementById('tag_select').value;
+  if (version) document.getElementById('version_select').value = version;
+};
+document.getElementById('version_select').onchange = () => {
+  const tagSelect = document.getElementById('tag_select');
+  tagSelect.value = '';
+}; 
+`)
+            )
         );
       } catch (error) {
         getState().log(
@@ -1184,9 +1231,20 @@ router.get(
     const update_permitted =
       db.getTenantSchema() === db.connectObj.default_schema &&
       plugin_db.source === "npm";
-    const latest =
+
+    let latest =
       update_permitted &&
       (await get_latest_npm_version(plugin_db.location, 1000));
+    if (
+      latest &&
+      !isVersionSupported(latest, await load_plugins.getEngineInfos(plugin_db)) // with cache
+    ) {
+      // with force fetch
+      latest = supportedVersion(
+        latest,
+        await load_plugins.getEngineInfos(plugin_db, true)
+      );
+    }
     const can_update = update_permitted && latest && mod.version !== latest;
     const can_select_version = update_permitted && plugin_db.source === "npm";
     let pkgjson;
@@ -1332,8 +1390,8 @@ router.get(
   error_catcher(async (req, res) => {
     const schema = db.getTenantSchema();
     if (schema === db.connectObj.default_schema) {
-      await upgrade_all_tenants_plugins((p, f) =>
-        load_plugins.loadPlugin(p, f)
+      await upgrade_all_tenants_plugins((p, f, forceFetch) =>
+        load_plugins.loadPlugin(p, f, forceFetch)
       );
       req.flash(
         "success",
@@ -1344,7 +1402,9 @@ router.get(
     } else {
       const installed_plugins = await Plugin.find({});
       for (const plugin of installed_plugins) {
-        await plugin.upgrade_version((p, f) => load_plugins.loadPlugin(p, f));
+        await plugin.upgrade_version((p, f, forceFetch) =>
+          load_plugins.loadPlugin(p, f, forceFetch)
+        );
       }
       req.flash("success", req.__(`Modules up-to-date`));
       await restart_tenant(loadAllPlugins);
@@ -1370,16 +1430,11 @@ router.get(
     const { name } = req.params;
 
     const plugin = await Plugin.findOne({ name });
-    const pkgInfo = await npmFetch.json(
-      `https://registry.npmjs.org/${plugin.location}`
-    );
+    const versions = await load_plugins.getEngineInfos(plugin, true);
+
     await plugin.upgrade_version(
       (p, f) => load_plugins.loadPlugin(p, f),
-      supportedVersion(
-        "latest",
-        pkgInfo.versions,
-        require("../package.json").version
-      )
+      supportedVersion("latest", versions, require("../package.json").version)
     );
     req.flash("success", req.__(`Module up-to-date`));
 

package/serve.js

@@ -27,7 +27,7 @@ const {
   loadAndSaveNewPlugin,
   loadPlugin,
 } = require("./load_plugins");
-const { getConfig } = require("@saltcorn/data/models/config");
+const { getConfig, setConfig } = require("@saltcorn/data/models/config");
 const { migrate } = require("@saltcorn/data/migrate");
 const socketio = require("socket.io");
 const { createAdapter, setupPrimary } = require("@socket.io/cluster-adapter");
@@ -77,6 +77,17 @@ const ensureJwtSecret = () => {
   }
 };
 
+/**
+ * Ensure the engines cache is up to date with the current sc version
+ */
+const ensureEnginesCache = async () => {
+  const cacheScVersion = await getConfig("engines_cache_sc_version", "");
+  if (!cacheScVersion || cacheScVersion !== getState().scVersion) {
+    await setConfig("engines_cache", {});
+    await setConfig("engines_cache_sc_version", getState().scVersion);
+  }
+};
+
 // helpful https://gist.github.com/jpoehls/2232358
 /**
  * @param {object} opts
@@ -222,7 +233,10 @@ module.exports =
     dev,
     ...appargs
   } = {}) => {
-    ensureJwtSecret();
+    if (cluster.isMaster) {
+      ensureJwtSecret();
+      await ensureEnginesCache();
+    }
     process.on("unhandledRejection", (reason, p) => {
       console.error(reason, "Unhandled Rejection at Promise");
     });