@setzkasten-cms/astro-admin 1.4.6 → 1.5.0

package/src/api-routes/catalog-export.ts

@@ -1,7 +1,7 @@
-import type { APIRoute } from 'astro'
 import { exportTemplate } from '@setzkasten-cms/catalog'
-import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
+import type { APIRoute } from 'astro'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { prefixPath, resolveStorageConfigForRequest } from './_storage-config'
 
 /**
  * POST /api/setzkasten/catalog/export
@@ -22,7 +22,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const githubToken = tokenResult.value
 
   try {
-    const body = await request.json() as {
+    const body = (await request.json()) as {
       sectionKey: string
       owner?: string
       repo?: string
@@ -46,14 +46,18 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     // 1. Read section content JSON
     const sectionJsonPath = prefixPath(`${contentPath}/_sections/${sectionKey}.json`, projectPrefix)
     const contentRaw = await fetchFileContent(owner, repo, branch, sectionJsonPath, githubToken)
-    if (!contentRaw) return Response.json({ error: `Section content not found: ${sectionKey}` }, { status: 404 })
+    if (!contentRaw)
+      return Response.json({ error: `Section content not found: ${sectionKey}` }, { status: 404 })
 
     const content = JSON.parse(contentRaw) as Record<string, unknown>
 
     // 2. Find section definition from full config
     const sectionDef = findSectionDef(fullConfig, sectionKey)
     if (!sectionDef) {
-      return Response.json({ error: `Section definition not found for key: ${sectionKey}` }, { status: 404 })
+      return Response.json(
+        { error: `Section definition not found for key: ${sectionKey}` },
+        { status: 404 },
+      )
     }
 
     // 3. Export to template format
@@ -77,14 +81,30 @@ function findSectionDef(fullConfig: any, sectionKey: string): any {
   return null
 }
 
-async function fetchFileContent(owner: string, repo: string, branch: string, path: string, token: string): Promise<string | null> {
+async function fetchFileContent(
+  owner: string,
+  repo: string,
+  branch: string,
+  path: string,
+  token: string,
+): Promise<string | null> {
   try {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${path}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
     )
     if (!res.ok) return null
-    const data = await res.json() as { content: string; encoding: string }
-    return data.encoding === 'base64' ? Buffer.from(data.content, 'base64').toString('utf-8') : data.content
-  } catch { return null }
+    const data = (await res.json()) as { content: string; encoding: string }
+    return data.encoding === 'base64'
+      ? Buffer.from(data.content, 'base64').toString('utf-8')
+      : data.content
+  } catch {
+    return null
+  }
 }

package/src/api-routes/config.ts

@@ -1,22 +1,55 @@
 import type { APIRoute } from 'astro'
+import { parseSession } from './_auth-guard'
 import { readGlobalConfig } from './global-config'
 
 /**
  * GET /api/setzkasten/config
  *
- * Returns the full SetzKastenConfig as JSON. Fields from GlobalConfig
- * (stored in _global_config.json) are merged over the static config so
- * admins can change theme and Firebase settings without a code deployment.
+ * Returns the SetzKastenConfig as JSON. The login screen (pre-session)
+ * needs to know which auth providers are enabled and Firebase project
+ * id, so a *minimal public subset* is exposed unauthenticated. The full
+ * config (storage params, products, page schema, etc.) is only served
+ * to authenticated users — pre-fix anyone could harvest the deployment
+ * blueprint.
+ *
+ * Fields from GlobalConfig (`_global_config.json`) are merged over the
+ * static config so admins can change theme and Firebase settings
+ * without a code deployment.
  */
-export const GET: APIRoute = async () => {
+export const GET: APIRoute = async ({ cookies }) => {
   const config = (globalThis as Record<string, unknown>).__SETZKASTEN_FULL_CONFIG__ ?? {}
-  const ssrConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as Record<string, unknown> | undefined
+  const ssrConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+    | Record<string, unknown>
+    | undefined
 
   const globalCfg = await readGlobalConfig().catch(() => null)
 
-  const staticTheme = (config as any).theme ?? {}
+  const staticTheme = (config as Record<string, unknown>).theme ?? {}
   const globalTheme = globalCfg?.theme ?? {}
 
+  const session = parseSession(cookies?.get('setzkasten_session')?.value)
+
+  // Public subset for the login screen. Provider list is intentionally
+  // visible — the SPA needs to render the right buttons. Firebase config
+  // is needed for `setzkasten-login` (Google IdP) before the user has a
+  // session cookie. Theme is cosmetic. Everything else is gated.
+  if (!session) {
+    return new Response(
+      JSON.stringify({
+        auth: (config as Record<string, unknown>).auth ?? { providers: ['github'] },
+        theme: { ...staticTheme, ...globalTheme },
+        adminPath: ssrConfig?.adminPath ?? '/admin',
+        _firebaseConfig: globalCfg?.firebaseConfig ?? null,
+        _hasGitHub: ssrConfig?.hasGitHub ?? false,
+        _hasGoogle: ssrConfig?.hasGoogle ?? false,
+      }),
+      {
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+      },
+    )
+  }
+
   const result = {
     // Default fallback when no config is injected at build time. Real
     // values are spread from `config` below.

package/src/api-routes/deploy-hook.ts

@@ -15,9 +15,11 @@ export const POST: APIRoute = async ({ cookies }) => {
     return new Response('Unauthorized', { status: 401 })
   }
 
-  const config = (globalThis as any).__SETZKASTEN_CONFIG__ as {
-    deployHook?: { url: string; secret?: string }
-  } | undefined
+  const config = (globalThis as any).__SETZKASTEN_CONFIG__ as
+    | {
+        deployHook?: { url: string; secret?: string }
+      }
+    | undefined
 
   if (!config?.deployHook?.url) {
     return new Response(JSON.stringify({ skipped: true, reason: 'Kein deployHook konfiguriert' }), {
@@ -49,10 +51,10 @@ export const POST: APIRoute = async ({ cookies }) => {
 
     if (!response.ok) {
       console.warn(`[setzkasten] Deploy hook antwortete mit ${response.status}: ${url}`)
-      return new Response(
-        JSON.stringify({ ok: false, status: response.status }),
-        { status: 200, headers: { 'Content-Type': 'application/json' } },
-      )
+      return new Response(JSON.stringify({ ok: false, status: response.status }), {
+        status: 200,
+        headers: { 'Content-Type': 'application/json' },
+      })
     }
 
     return new Response(JSON.stringify({ ok: true }), {
@@ -61,9 +63,9 @@ export const POST: APIRoute = async ({ cookies }) => {
     })
   } catch (error) {
     console.error('[setzkasten] Deploy hook fehlgeschlagen:', error)
-    return new Response(
-      JSON.stringify({ ok: false, error: String(error) }),
-      { status: 200, headers: { 'Content-Type': 'application/json' } },
-    )
+    return new Response(JSON.stringify({ ok: false, error: String(error) }), {
+      status: 200,
+      headers: { 'Content-Type': 'application/json' },
+    })
   }
 }

package/src/api-routes/editors.ts

@@ -1,12 +1,12 @@
-import type { APIRoute } from 'astro'
-import { resolveStorageConfig } from './_storage-config'
-import { parseSession } from './_auth-guard'
-import { resolveConfigRepoToken } from './_github-token'
 import type { ContentEditorConfig } from '@setzkasten-cms/core'
 import { validateEditorsUpdate } from '@setzkasten-cms/core'
-import { cachedFetch, invalidateCache } from './_github-cache'
+import type { APIRoute } from 'astro'
+import { parseSession } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
 import { gateFeature } from './_feature-gate'
+import { cachedFetch, invalidateCache } from './_github-cache'
+import { resolveConfigRepoToken } from './_github-token'
+import { resolveStorageConfig } from './_storage-config'
 
 const EDITORS_FILE = (contentPath: string) => `${contentPath}/_editors.json`
 
@@ -36,8 +36,9 @@ export const GET: APIRoute = async ({ cookies }) => {
   const storage = configRepoStorage()
   if (!storage) return Response.json({ error: 'Could not resolve storage config' }, { status: 400 })
 
-  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
-    .__SETZKASTEN_CONFIG__
+  const serverConfig = (
+    globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } }
+  ).__SETZKASTEN_CONFIG__
   const contentPath = serverConfig?.storage?.contentPath ?? 'content'
   const { owner, repo, branch } = storage
 
@@ -67,8 +68,9 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
   const storage = configRepoStorage()
   if (!storage) return Response.json({ error: 'Could not resolve storage config' }, { status: 400 })
 
-  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
-    .__SETZKASTEN_CONFIG__
+  const serverConfig = (
+    globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } }
+  ).__SETZKASTEN_CONFIG__
   const contentPath = serverConfig?.storage?.contentPath ?? 'content'
   const { owner, repo, branch } = storage
 
@@ -82,10 +84,7 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
 
   const validation = validateEditorsUpdate(editors, session.user.email)
   if (!validation.ok) {
-    return Response.json(
-      { error: validation.message, code: validation.code },
-      { status: 400 },
-    )
+    return Response.json({ error: validation.message, code: validation.code }, { status: 400 })
   }
 
   const filePath = EDITORS_FILE(contentPath)
@@ -107,10 +106,11 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
   }
   if (existing) body.sha = existing
 
-  const res = await fetch(
-    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
-    { method: 'PUT', headers, body: JSON.stringify(body) },
-  )
+  const res = await fetch(`https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`, {
+    method: 'PUT',
+    headers,
+    body: JSON.stringify(body),
+  })
 
   if (!res.ok) {
     const text = await res.text()
@@ -138,9 +138,11 @@ async function fetchFileSha(
       { headers },
     )
     if (!res.ok) return null
-    const data = await res.json() as { sha: string }
+    const data = (await res.json()) as { sha: string }
     return data.sha ?? null
-  } catch { return null }
+  } catch {
+    return null
+  }
 }
 
 export async function readEditorsFile(
@@ -154,11 +156,20 @@ export async function readEditorsFile(
   return cachedFetch(key, 2 * 60_000, async () => {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${EDITORS_FILE(contentPath)}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
     )
     if (!res.ok) return null
-    const data = await res.json() as { content: string; encoding: string }
-    const raw = data.encoding === 'base64' ? Buffer.from(data.content, 'base64').toString('utf-8') : data.content
+    const data = (await res.json()) as { content: string; encoding: string }
+    const raw =
+      data.encoding === 'base64'
+        ? Buffer.from(data.content, 'base64').toString('utf-8')
+        : data.content
     return JSON.parse(raw) as ContentEditorConfig[]
   })
 }

package/src/api-routes/github-proxy.ts

@@ -1,7 +1,9 @@
-import type { APIRoute } from 'astro'
 import { writeFile } from 'node:fs/promises'
 import { join } from 'node:path'
+import type { APIRoute } from 'astro'
+import { parseSession } from './_auth-guard'
 import { resolveGitHubTokenForRequest } from './_github-token'
+import { resolveStorageConfigForRequest } from './_storage-config'
 
 /**
  * Server-side proxy for GitHub API calls.
@@ -12,7 +14,7 @@ import { resolveGitHubTokenForRequest } from './_github-token'
  */
 export const ALL: APIRoute = async ({ params, request, cookies }) => {
   // Verify session
-  const session = cookies.get('setzkasten_session')?.value
+  const session = parseSession(cookies.get('setzkasten_session')?.value)
   if (!session) {
     return new Response('Unauthorized', { status: 401 })
   }
@@ -22,6 +24,22 @@ export const ALL: APIRoute = async ({ params, request, cookies }) => {
     return new Response('Missing path', { status: 400 })
   }
 
+  // Restrict the proxy to the resolved website's repo. Pre-fix any
+  // editor (or anyone post-C1 forgery) could call
+  // `repos/{any-app-installed-repo}/contents/...` and write through the
+  // App's contents:write token. Now the prefix must match exactly.
+  const storage = await resolveStorageConfigForRequest(request)
+  if (!storage) {
+    return new Response('Could not resolve owner/repo', { status: 400 })
+  }
+  const allowedPrefix = `repos/${storage.owner}/${storage.repo}/`
+  const allowedExact = `repos/${storage.owner}/${storage.repo}`
+  if (githubPath !== allowedExact && !githubPath.startsWith(allowedPrefix)) {
+    return new Response(`Forbidden: proxy is scoped to ${storage.owner}/${storage.repo}`, {
+      status: 403,
+    })
+  }
+
   const tokenResult = await resolveGitHubTokenForRequest(request)
   if (!tokenResult.ok) {
     return new Response(tokenResult.error.message, { status: 500 })
@@ -45,9 +63,7 @@ export const ALL: APIRoute = async ({ params, request, cookies }) => {
     }
 
     const body =
-      request.method !== 'GET' && request.method !== 'HEAD'
-        ? await request.text()
-        : undefined
+      request.method !== 'GET' && request.method !== 'HEAD' ? await request.text() : undefined
 
     const response = await fetch(githubUrl, {
       method: request.method,
@@ -59,11 +75,7 @@ export const ALL: APIRoute = async ({ params, request, cookies }) => {
     const responseHeaders = new Headers()
     responseHeaders.set('Content-Type', response.headers.get('content-type') ?? 'application/json')
 
-    const rateLimitHeaders = [
-      'x-ratelimit-limit',
-      'x-ratelimit-remaining',
-      'x-ratelimit-reset',
-    ]
+    const rateLimitHeaders = ['x-ratelimit-limit', 'x-ratelimit-remaining', 'x-ratelimit-reset']
     for (const header of rateLimitHeaders) {
       const value = response.headers.get(header)
       if (value) responseHeaders.set(header, value)
@@ -90,7 +102,9 @@ export const ALL: APIRoute = async ({ params, request, cookies }) => {
             const parsed = JSON.parse(body) as { content?: string }
             if (parsed.content) {
               // GitHub API sends base64 with possible line breaks
-              const decoded = Buffer.from(parsed.content.replace(/\s/g, ''), 'base64').toString('utf-8')
+              const decoded = Buffer.from(parsed.content.replace(/\s/g, ''), 'base64').toString(
+                'utf-8',
+              )
               await writeFile(join(repoRoot, filePath), decoded, 'utf-8').catch(() => {})
             }
           }

package/src/api-routes/global-config.ts

@@ -1,9 +1,9 @@
 import type { APIRoute } from 'astro'
 import { parseSession } from './_auth-guard'
-import { resolveStorageConfig } from './_storage-config'
-import { resolveConfigRepoToken } from './_github-token'
-import { cachedFetch, invalidateCache } from './_github-cache'
 import { withTrailers } from './_commit-trailers'
+import { cachedFetch, invalidateCache } from './_github-cache'
+import { resolveConfigRepoToken } from './_github-token'
+import { resolveStorageConfig } from './_storage-config'
 
 const GLOBAL_CONFIG_FILE = (contentPath: string) => `${contentPath}/_global_config.json`
 
@@ -41,13 +41,19 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
   if (!session) return new Response('Unauthorized', { status: 401 })
   if (session.user.role !== 'admin') return new Response('Forbidden', { status: 403 })
 
-  let patch: Partial<GlobalConfig>
+  let raw: unknown
   try {
-    patch = (await request.json()) as Partial<GlobalConfig>
+    raw = await request.json()
   } catch {
     return Response.json({ error: 'Invalid request body' }, { status: 400 })
   }
 
+  const validated = validateGlobalConfigPatch(raw)
+  if (!validated.ok) {
+    return Response.json({ error: validated.error }, { status: 400 })
+  }
+  const patch = validated.value
+
   const current = (await readGlobalConfig()) ?? {}
   const next: GlobalConfig = { ...current }
   for (const [k, v] of Object.entries(patch)) {
@@ -58,6 +64,74 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
   return Response.json({ ok: true })
 }
 
+/**
+ * Schema-validates the PUT payload before merging into `_global_config.json`.
+ * Pre-fix the route accepted arbitrary JSON via `as Partial<GlobalConfig>`;
+ * a malformed payload (wrong types, non-object firebaseConfig) could
+ * break login on next boot. Every accepted field is now type-checked
+ * inline.
+ */
+function validateGlobalConfigPatch(
+  input: unknown,
+): { ok: true; value: Partial<GlobalConfig> } | { ok: false; error: string } {
+  if (!input || typeof input !== 'object' || Array.isArray(input)) {
+    return { ok: false, error: 'Body must be a JSON object' }
+  }
+  const o = input as Record<string, unknown>
+  const out: Partial<GlobalConfig> = {}
+
+  if ('firebaseConfig' in o) {
+    if (o.firebaseConfig === null) {
+      ;(out as Record<string, unknown>).firebaseConfig = null
+    } else {
+      if (!o.firebaseConfig || typeof o.firebaseConfig !== 'object') {
+        return { ok: false, error: 'firebaseConfig must be an object or null' }
+      }
+      const fc = o.firebaseConfig as Record<string, unknown>
+      for (const k of ['apiKey', 'authDomain', 'projectId'] as const) {
+        if (typeof fc[k] !== 'string' || !fc[k]) {
+          return { ok: false, error: `firebaseConfig.${k} must be a non-empty string` }
+        }
+      }
+      out.firebaseConfig = {
+        apiKey: fc.apiKey as string,
+        authDomain: fc.authDomain as string,
+        projectId: fc.projectId as string,
+      }
+    }
+  }
+
+  if ('theme' in o) {
+    if (o.theme === null) {
+      ;(out as Record<string, unknown>).theme = null
+    } else {
+      if (!o.theme || typeof o.theme !== 'object') {
+        return { ok: false, error: 'theme must be an object or null' }
+      }
+      const t = o.theme as Record<string, unknown>
+      const theme: NonNullable<GlobalConfig['theme']> = {}
+      for (const k of ['primaryColor', 'brandName', 'logo'] as const) {
+        if (k in t) {
+          if (typeof t[k] !== 'string') {
+            return { ok: false, error: `theme.${k} must be a string` }
+          }
+          theme[k] = t[k] as string
+        }
+      }
+      out.theme = theme
+    }
+  }
+
+  // Reject unknown top-level keys so a forged-admin attacker can't
+  // smuggle fields the schema will later trust.
+  for (const k of Object.keys(o)) {
+    if (k !== 'firebaseConfig' && k !== 'theme') {
+      return { ok: false, error: `unknown top-level field: ${k}` }
+    }
+  }
+  return { ok: true, value: out }
+}
+
 // ---------------------------------------------------------------------------
 // Helpers
 //
@@ -71,8 +145,9 @@ export const PUT: APIRoute = async ({ request, cookies }) => {
 // ---------------------------------------------------------------------------
 
 async function getStorageParams() {
-  const serverConfig = (globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } })
-    .__SETZKASTEN_CONFIG__
+  const serverConfig = (
+    globalThis as { __SETZKASTEN_CONFIG__?: { storage?: { contentPath?: string } } }
+  ).__SETZKASTEN_CONFIG__
   const storage = resolveStorageConfig()
   if (!storage) return null
   const tokenResult = await resolveConfigRepoToken()
@@ -94,13 +169,20 @@ export async function readGlobalConfig(): Promise<GlobalConfig | null> {
   return cachedFetch(key, 5 * 60_000, async () => {
     const res = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/contents/${GLOBAL_CONFIG_FILE(contentPath)}?ref=${branch}`,
-      { headers: { Authorization: `Bearer ${token}`, Accept: 'application/vnd.github+json', 'X-GitHub-Api-Version': '2022-11-28' } },
+      {
+        headers: {
+          Authorization: `Bearer ${token}`,
+          Accept: 'application/vnd.github+json',
+          'X-GitHub-Api-Version': '2022-11-28',
+        },
+      },
     )
     if (!res.ok) return null
-    const data = await res.json() as { content: string; encoding: string }
-    const raw = data.encoding === 'base64'
-      ? Buffer.from(data.content, 'base64').toString('utf-8')
-      : data.content
+    const data = (await res.json()) as { content: string; encoding: string }
+    const raw =
+      data.encoding === 'base64'
+        ? Buffer.from(data.content, 'base64').toString('utf-8')
+        : data.content
     return JSON.parse(raw) as GlobalConfig
   })
 }
@@ -126,10 +208,12 @@ export async function writeGlobalConfig(config: GlobalConfig): Promise<void> {
       { headers },
     )
     if (existing.ok) {
-      const data = await existing.json() as { sha: string }
+      const data = (await existing.json()) as { sha: string }
       sha = data.sha
     }
-  } catch { /* file doesn't exist yet */ }
+  } catch {
+    /* file doesn't exist yet */
+  }
 
   const body: Record<string, unknown> = {
     message: withTrailers('chore(config): update global config'),
@@ -138,10 +222,11 @@ export async function writeGlobalConfig(config: GlobalConfig): Promise<void> {
   }
   if (sha) body.sha = sha
 
-  const res = await fetch(
-    `https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`,
-    { method: 'PUT', headers, body: JSON.stringify(body) },
-  )
+  const res = await fetch(`https://api.github.com/repos/${owner}/${repo}/contents/${filePath}`, {
+    method: 'PUT',
+    headers,
+    body: JSON.stringify(body),
+  })
   if (!res.ok) {
     const text = await res.text()
     throw new Error(`GitHub write failed: ${text}`)

package/src/api-routes/history-rollback.ts

@@ -1,9 +1,9 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfigForRequest } from './_storage-config'
-import { resolveGitHubTokenForRequest } from './_github-token'
 import { parseSession, requireAdmin } from './_auth-guard'
 import { withTrailers } from './_commit-trailers'
 import { invalidateCache } from './_github-cache'
+import { resolveGitHubTokenForRequest } from './_github-token'
+import { resolveStorageConfigForRequest } from './_storage-config'
 
 interface RollbackBody {
   path?: string
@@ -57,6 +57,21 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   }
   const { owner, repo, branch } = storage
 
+  // Restrict rollback to the content tree. Pre-fix, an admin (or anyone
+  // who could forge an admin cookie pre-C1) could roll back any path —
+  // including `.github/workflows/deploy.yml`, `setzkasten.config.ts`,
+  // or arbitrary source — to any historical SHA.
+  const serverConfig = (globalThis as Record<string, unknown>).__SETZKASTEN_CONFIG__ as
+    | { storage?: { contentPath?: string } }
+    | undefined
+  const contentPath = serverConfig?.storage?.contentPath ?? 'content'
+  if (!isPathInsideContent(path, contentPath)) {
+    return Response.json(
+      { error: `Rollback restricted to the content folder (${contentPath}/...)` },
+      { status: 400 },
+    )
+  }
+
   const headers = {
     Authorization: `Bearer ${tokenResult.value}`,
     Accept: 'application/vnd.github+json',
@@ -76,10 +91,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
     )
   }
   if (!versionRes.ok) {
-    return Response.json(
-      { error: `Failed to read version: ${versionRes.status}` },
-      { status: 502 },
-    )
+    return Response.json({ error: `Failed to read version: ${versionRes.status}` }, { status: 502 })
   }
   const versionData = (await versionRes.json()) as {
     content: string
@@ -114,10 +126,7 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   // 3. Write new commit with the historical content
   const shortSha = sha.slice(0, 7)
   const fileName = path.split('/').pop() ?? path
-  const message = withTrailers(
-    `revert(${fileName}): rollback to ${shortSha}`,
-    session.user.email,
-  )
+  const message = withTrailers(`revert(${fileName}): rollback to ${shortSha}`, session.user.email)
 
   const putBody: Record<string, unknown> = {
     message,
@@ -126,10 +135,11 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   }
   if (currentSha) putBody.sha = currentSha
 
-  const putRes = await fetch(
-    `https://api.github.com/repos/${owner}/${repo}/contents/${path}`,
-    { method: 'PUT', headers, body: JSON.stringify(putBody) },
-  )
+  const putRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/contents/${path}`, {
+    method: 'PUT',
+    headers,
+    body: JSON.stringify(putBody),
+  })
 
   if (!putRes.ok) {
     const text = await putRes.text()
@@ -142,3 +152,20 @@ export const POST: APIRoute = async ({ request, cookies }) => {
   const putData = (await putRes.json()) as { commit: { sha: string } }
   return Response.json({ ok: true, commitSha: putData.commit.sha })
 }
+
+/** True when `target` is a sub-path of `base` after path normalisation.
+ *  Forbids `..` segments, leading/embedded NUL, absolute paths, and
+ *  Windows-style backslashes (the API accepts forward slashes only). */
+function isPathInsideContent(target: string, base: string): boolean {
+  if (typeof target !== 'string' || target.length === 0) return false
+  if (target.includes('\0') || target.includes('\\')) return false
+  if (target.startsWith('/')) return false
+
+  const segments = target.split('/')
+  for (const seg of segments) {
+    if (seg === '' || seg === '.' || seg === '..') return false
+  }
+
+  const normalizedBase = base.replace(/^\/+|\/+$/g, '')
+  return target === normalizedBase || target.startsWith(`${normalizedBase}/`)
+}

package/src/api-routes/history-version.ts

@@ -1,8 +1,8 @@
 import type { APIRoute } from 'astro'
-import { resolveStorageConfigForRequest } from './_storage-config'
-import { resolveGitHubTokenForRequest } from './_github-token'
 import { requireAdmin } from './_auth-guard'
 import { cachedFetch } from './_github-cache'
+import { resolveGitHubTokenForRequest } from './_github-token'
+import { resolveStorageConfigForRequest } from './_storage-config'
 
 /**
  * GET /api/setzkasten/history/version?path=<file>&sha=<commit-sha>
@@ -31,9 +31,7 @@ export const GET: APIRoute = async ({ request, url, cookies }) => {
 
   const cacheKey = `history-version:${owner}/${repo}:${path}:${sha}`
   const result = await cachedFetch(cacheKey, 5 * 60_000, async () => {
-    const u = new URL(
-      `https://api.github.com/repos/${owner}/${repo}/contents/${path}`,
-    )
+    const u = new URL(`https://api.github.com/repos/${owner}/${repo}/contents/${path}`)
     u.searchParams.set('ref', sha)
     const res = await fetch(u, {
       headers: {
@@ -42,7 +40,8 @@ export const GET: APIRoute = async ({ request, url, cookies }) => {
         'X-GitHub-Api-Version': '2022-11-28',
       },
     })
-    if (res.status === 404) return { ok: false as const, status: 404, error: 'File not found at given sha' }
+    if (res.status === 404)
+      return { ok: false as const, status: 404, error: 'File not found at given sha' }
     if (!res.ok) return { ok: false as const, status: 502, error: `GitHub returned ${res.status}` }
     const data = (await res.json()) as { content: string; encoding: string; sha: string }
     const raw =