@setzkasten-cms/astro-admin 1.4.6 → 1.5.0

package/dist/api-routes/deploy-hook.js

@@ -30,10 +30,10 @@ var POST = async ({ cookies }) => {
     });
     if (!response.ok) {
       console.warn(`[setzkasten] Deploy hook antwortete mit ${response.status}: ${url}`);
-      return new Response(
-        JSON.stringify({ ok: false, status: response.status }),
-        { status: 200, headers: { "Content-Type": "application/json" } }
-      );
+      return new Response(JSON.stringify({ ok: false, status: response.status }), {
+        status: 200,
+        headers: { "Content-Type": "application/json" }
+      });
     }
     return new Response(JSON.stringify({ ok: true }), {
       status: 200,
@@ -41,10 +41,10 @@ var POST = async ({ cookies }) => {
     });
   } catch (error) {
     console.error("[setzkasten] Deploy hook fehlgeschlagen:", error);
-    return new Response(
-      JSON.stringify({ ok: false, error: String(error) }),
-      { status: 200, headers: { "Content-Type": "application/json" } }
-    );
+    return new Response(JSON.stringify({ ok: false, error: String(error) }), {
+      status: 200,
+      headers: { "Content-Type": "application/json" }
+    });
   }
 };
 export {

package/dist/api-routes/editors.d.ts

@@ -1,5 +1,5 @@
-import { APIRoute } from 'astro';
 import { ContentEditorConfig } from '@setzkasten-cms/core';
+import { APIRoute } from 'astro';
 
 declare const GET: APIRoute;
 declare const PUT: APIRoute;

package/dist/api-routes/editors.js

@@ -3,11 +3,14 @@ import {
   PUT,
   readEditorsFile,
   readEditorsFileStatus
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
-import "../chunk-NKDATSPA.js";
+import "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import "../chunk-KH22FJO5.js";
 export {

package/dist/api-routes/github-proxy.js

@@ -1,12 +1,25 @@
+import {
+  parseSession
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
+import {
+  resolveStorageConfigForRequest
+} from "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
+import "../chunk-TJNJKPUL.js";
+import "../chunk-KH22FJO5.js";
 
 // src/api-routes/github-proxy.ts
 import { writeFile } from "fs/promises";
 import { join } from "path";
 var ALL = async ({ params, request, cookies }) => {
-  const session = cookies.get("setzkasten_session")?.value;
+  const session = parseSession(cookies.get("setzkasten_session")?.value);
   if (!session) {
     return new Response("Unauthorized", { status: 401 });
   }
@@ -14,6 +27,17 @@ var ALL = async ({ params, request, cookies }) => {
   if (!githubPath) {
     return new Response("Missing path", { status: 400 });
   }
+  const storage = await resolveStorageConfigForRequest(request);
+  if (!storage) {
+    return new Response("Could not resolve owner/repo", { status: 400 });
+  }
+  const allowedPrefix = `repos/${storage.owner}/${storage.repo}/`;
+  const allowedExact = `repos/${storage.owner}/${storage.repo}`;
+  if (githubPath !== allowedExact && !githubPath.startsWith(allowedPrefix)) {
+    return new Response(`Forbidden: proxy is scoped to ${storage.owner}/${storage.repo}`, {
+      status: 403
+    });
+  }
   const tokenResult = await resolveGitHubTokenForRequest(request);
   if (!tokenResult.ok) {
     return new Response(tokenResult.error.message, { status: 500 });
@@ -38,11 +62,7 @@ var ALL = async ({ params, request, cookies }) => {
     });
     const responseHeaders = new Headers();
     responseHeaders.set("Content-Type", response.headers.get("content-type") ?? "application/json");
-    const rateLimitHeaders = [
-      "x-ratelimit-limit",
-      "x-ratelimit-remaining",
-      "x-ratelimit-reset"
-    ];
+    const rateLimitHeaders = ["x-ratelimit-limit", "x-ratelimit-remaining", "x-ratelimit-reset"];
     for (const header of rateLimitHeaders) {
       const value = response.headers.get(header);
       if (value) responseHeaders.set(header, value);
@@ -59,7 +79,9 @@ var ALL = async ({ params, request, cookies }) => {
             const filePath = contentsMatch[1];
             const parsed = JSON.parse(body);
             if (parsed.content) {
-              const decoded = Buffer.from(parsed.content.replace(/\s/g, ""), "base64").toString("utf-8");
+              const decoded = Buffer.from(parsed.content.replace(/\s/g, ""), "base64").toString(
+                "utf-8"
+              );
               await writeFile(join(repoRoot, filePath), decoded, "utf-8").catch(() => {
               });
             }

package/dist/api-routes/global-config.js

@@ -3,12 +3,15 @@ import {
   PUT,
   readGlobalConfig,
   writeGlobalConfig
-} from "../chunk-AM4DZXXM.js";
-import "../chunk-INIWFKQ3.js";
+} from "../chunk-UJAFZEX2.js";
+import "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import "../chunk-45ARVNT3.js";
-import "../chunk-NKDATSPA.js";
+import "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import "../chunk-KH22FJO5.js";
 export {

package/dist/api-routes/history-rollback.js

@@ -1,17 +1,20 @@
 import {
   parseSession,
   requireAdmin
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import {
   resolveStorageConfigForRequest
 } from "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import {
   invalidateCache
 } from "../chunk-45ARVNT3.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import {
   withTrailers
@@ -40,6 +43,14 @@ var POST = async ({ request, cookies }) => {
     return Response.json({ error: "Could not resolve owner/repo" }, { status: 400 });
   }
   const { owner, repo, branch } = storage;
+  const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
+  const contentPath = serverConfig?.storage?.contentPath ?? "content";
+  if (!isPathInsideContent(path, contentPath)) {
+    return Response.json(
+      { error: `Rollback restricted to the content folder (${contentPath}/...)` },
+      { status: 400 }
+    );
+  }
   const headers = {
     Authorization: `Bearer ${tokenResult.value}`,
     Accept: "application/vnd.github+json",
@@ -57,10 +68,7 @@ var POST = async ({ request, cookies }) => {
     );
   }
   if (!versionRes.ok) {
-    return Response.json(
-      { error: `Failed to read version: ${versionRes.status}` },
-      { status: 502 }
-    );
+    return Response.json({ error: `Failed to read version: ${versionRes.status}` }, { status: 502 });
   }
   const versionData = await versionRes.json();
   const targetContent = versionData.encoding === "base64" ? Buffer.from(versionData.content, "base64").toString("utf-8") : versionData.content;
@@ -84,20 +92,18 @@ var POST = async ({ request, cookies }) => {
   }
   const shortSha = sha.slice(0, 7);
   const fileName = path.split("/").pop() ?? path;
-  const message = withTrailers(
-    `revert(${fileName}): rollback to ${shortSha}`,
-    session.user.email
-  );
+  const message = withTrailers(`revert(${fileName}): rollback to ${shortSha}`, session.user.email);
   const putBody = {
     message,
     content: Buffer.from(targetContent).toString("base64"),
     branch
   };
   if (currentSha) putBody.sha = currentSha;
-  const putRes = await fetch(
-    `https://api.github.com/repos/${owner}/${repo}/contents/${path}`,
-    { method: "PUT", headers, body: JSON.stringify(putBody) }
-  );
+  const putRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/contents/${path}`, {
+    method: "PUT",
+    headers,
+    body: JSON.stringify(putBody)
+  });
   if (!putRes.ok) {
     const text = await putRes.text();
     return Response.json({ error: `Rollback write failed: ${text}` }, { status: 502 });
@@ -106,6 +112,17 @@ var POST = async ({ request, cookies }) => {
   const putData = await putRes.json();
   return Response.json({ ok: true, commitSha: putData.commit.sha });
 };
+function isPathInsideContent(target, base) {
+  if (typeof target !== "string" || target.length === 0) return false;
+  if (target.includes("\0") || target.includes("\\")) return false;
+  if (target.startsWith("/")) return false;
+  const segments = target.split("/");
+  for (const seg of segments) {
+    if (seg === "" || seg === "." || seg === "..") return false;
+  }
+  const normalizedBase = base.replace(/^\/+|\/+$/g, "");
+  return target === normalizedBase || target.startsWith(`${normalizedBase}/`);
+}
 export {
   POST
 };

package/dist/api-routes/history-version.js

@@ -1,16 +1,19 @@
 import {
   requireAdmin
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import {
   resolveStorageConfigForRequest
 } from "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import {
   cachedFetch
 } from "../chunk-45ARVNT3.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import "../chunk-KH22FJO5.js";
 
@@ -32,9 +35,7 @@ var GET = async ({ request, url, cookies }) => {
   const { owner, repo } = storage;
   const cacheKey = `history-version:${owner}/${repo}:${path}:${sha}`;
   const result = await cachedFetch(cacheKey, 5 * 6e4, async () => {
-    const u = new URL(
-      `https://api.github.com/repos/${owner}/${repo}/contents/${path}`
-    );
+    const u = new URL(`https://api.github.com/repos/${owner}/${repo}/contents/${path}`);
     u.searchParams.set("ref", sha);
     const res = await fetch(u, {
       headers: {
@@ -43,7 +44,8 @@ var GET = async ({ request, url, cookies }) => {
         "X-GitHub-Api-Version": "2022-11-28"
       }
     });
-    if (res.status === 404) return { ok: false, status: 404, error: "File not found at given sha" };
+    if (res.status === 404)
+      return { ok: false, status: 404, error: "File not found at given sha" };
     if (!res.ok) return { ok: false, status: 502, error: `GitHub returned ${res.status}` };
     const data = await res.json();
     const raw = data.encoding === "base64" ? Buffer.from(data.content, "base64").toString("utf-8") : data.content;

package/dist/api-routes/history.js

@@ -1,16 +1,19 @@
 import {
   requireAdmin
-} from "../chunk-INIWFKQ3.js";
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import {
   resolveStorageConfigForRequest
 } from "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
 import "../chunk-5PIMDP4N.js";
 import {
   cachedFetch
 } from "../chunk-45ARVNT3.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 import "../chunk-TJNJKPUL.js";
 import "../chunk-KH22FJO5.js";
 

package/dist/api-routes/icons-local.js

@@ -4,7 +4,7 @@ import {
 } from "../chunk-6UIKVKED.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
 
 // src/api-routes/icons-local.ts
 import {

package/dist/api-routes/init-add-section.js

@@ -3,25 +3,33 @@ import {
   patchChildComponentForFieldPrefix,
   patchTemplateForFields,
   stripTemplateFallbacks
-} from "../chunk-Q3N336KR.js";
+} from "../chunk-CDXCYYQR.js";
+import {
+  requireAdmin
+} from "../chunk-Q5HV47DW.js";
+import "../chunk-QVCW6EF3.js";
+import "../chunk-KENFINT4.js";
 import {
   prefixPath,
   resolveStorageConfigForRequest
 } from "../chunk-6UIKVKED.js";
+import "../chunk-ONP6BRZO.js";
+import "../chunk-5PIMDP4N.js";
+import "../chunk-45ARVNT3.js";
 import {
   resolveGitHubTokenForRequest
-} from "../chunk-NKDATSPA.js";
+} from "../chunk-DP6RTINQ.js";
+import "../chunk-TJNJKPUL.js";
 import {
   withTrailers
 } from "../chunk-KH22FJO5.js";
 
 // src/api-routes/init-add-section.ts
+import { isSafeKey } from "@setzkasten-cms/core";
 import { addSectionToConfig } from "@setzkasten-cms/core/init";
 var POST = async ({ request, cookies }) => {
-  const session = cookies.get("setzkasten_session")?.value;
-  if (!session) {
-    return new Response("Unauthorized", { status: 401 });
-  }
+  const denied = requireAdmin(cookies.get("setzkasten_session")?.value);
+  if (denied) return denied;
   const tokenResult = await resolveGitHubTokenForRequest(request);
   if (!tokenResult.ok) {
     return new Response(tokenResult.error.message, { status: 500 });
@@ -31,7 +39,12 @@ var POST = async ({ request, cookies }) => {
     const body = await request.json();
     const storage = await resolveStorageConfigForRequest(request, body);
     if (!storage) {
-      return Response.json({ error: "Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars." }, { status: 400 });
+      return Response.json(
+        {
+          error: "Could not resolve owner/repo. Set SETZKASTEN_OWNER and SETZKASTEN_REPO env vars."
+        },
+        { status: 400 }
+      );
     }
     const { owner, repo, branch, projectPrefix } = storage;
     const serverConfig = globalThis.__SETZKASTEN_CONFIG__;
@@ -40,6 +53,12 @@ var POST = async ({ request, cookies }) => {
     if (!section || !pageKey) {
       return Response.json({ error: "section and pageKey are required" }, { status: 400 });
     }
+    if (!isSafeKey(pageKey)) {
+      return Response.json({ error: "invalid pageKey" }, { status: 400 });
+    }
+    if (!isSafeKey(section.key)) {
+      return Response.json({ error: "invalid section key" }, { status: 400 });
+    }
     const headers = {
       Authorization: `Bearer ${githubToken}`,
       Accept: "application/vnd.github+json",
@@ -50,13 +69,24 @@ var POST = async ({ request, cookies }) => {
     const configPath = prefixPath("setzkasten.config.ts", projectPrefix);
     const existingConfig = await fetchFileContent(owner, repo, branch, configPath, githubToken);
     if (existingConfig) {
-      const updatedConfig = addSectionToConfig(existingConfig, section.key, section, section.allFields);
+      const updatedConfig = addSectionToConfig(
+        existingConfig,
+        section.key,
+        section,
+        section.allFields
+      );
       if (updatedConfig) {
         filesToCommit.push({ path: configPath, content: updatedConfig });
       }
     }
     const sectionJsonPath = `${contentPath}/_sections/${section.key}.json`;
-    const existingSectionJson = await fetchFileContent(owner, repo, branch, sectionJsonPath, githubToken);
+    const existingSectionJson = await fetchFileContent(
+      owner,
+      repo,
+      branch,
+      sectionJsonPath,
+      githubToken
+    );
     let sectionData = {};
     if (existingSectionJson) {
       try {
@@ -89,7 +119,13 @@ var POST = async ({ request, cookies }) => {
     });
     const configKey = "_" + pageKey.replace(/\//g, "_");
     const pageConfigPath = `${contentPath}/pages/${configKey}.json`;
-    const existingPageConfig = await fetchFileContent(owner, repo, branch, pageConfigPath, githubToken);
+    const existingPageConfig = await fetchFileContent(
+      owner,
+      repo,
+      branch,
+      pageConfigPath,
+      githubToken
+    );
     let pageConfig;
     if (existingPageConfig) {
       pageConfig = JSON.parse(existingPageConfig);
@@ -163,7 +199,9 @@ import Page from '${importDepth}${relativePage}';
         for (const g of repeatedGroups) {
           const topField = fields.find((f) => f.key === g.fieldKey);
           if (!topField || !Array.isArray(topField.defaultValue)) continue;
-          sectionData[g.fieldKey] = topField.defaultValue.filter((item) => item != null);
+          sectionData[g.fieldKey] = topField.defaultValue.filter(
+            (item) => item != null
+          );
           const jsonIdx = filesToCommit.findIndex((f) => f.path === sectionJsonPath);
           if (jsonIdx !== -1) {
             filesToCommit[jsonIdx].content = JSON.stringify(sectionData, null, 2);
@@ -171,10 +209,21 @@ import Page from '${importDepth}${relativePage}';
         }
       }
     } else if (section.componentPath) {
-      const componentSource = await fetchFileContent(owner, repo, branch, section.componentPath, githubToken);
+      const componentSource = await fetchFileContent(
+        owner,
+        repo,
+        branch,
+        section.componentPath,
+        githubToken
+      );
       if (componentSource) {
         const repeatedGroups = section._analyzerResult?.repeatedGroups ?? [];
-        const patchedSource = await patchTemplateForFields(componentSource, section.key, section.allFields ?? section.fields, repeatedGroups);
+        const patchedSource = await patchTemplateForFields(
+          componentSource,
+          section.key,
+          section.allFields ?? section.fields,
+          repeatedGroups
+        );
         if (patchedSource !== componentSource) {
           filesToCommit.push({ path: section.componentPath, content: patchedSource });
         }
@@ -182,7 +231,9 @@ import Page from '${importDepth}${relativePage}';
         for (const g of repeatedGroups) {
           const topField = fields.find((f) => f.key === g.fieldKey);
           if (!topField || !Array.isArray(topField.defaultValue)) continue;
-          const items = topField.defaultValue.filter((item) => item != null);
+          const items = topField.defaultValue.filter(
+            (item) => item != null
+          );
           sectionData[g.fieldKey] = items;
           const jsonIdx = filesToCommit.findIndex((f) => f.path === sectionJsonPath);
           if (jsonIdx !== -1) {
@@ -195,7 +246,13 @@ import Page from '${importDepth}${relativePage}';
           const sectionDir = section.componentPath.replace(/\/[^/]+$/, "");
           const resolvedChildPath = resolveRelativePath(sectionDir, child.importPath);
           if (!resolvedChildPath) continue;
-          const childSource = await fetchFileContent(owner, repo, branch, resolvedChildPath, githubToken);
+          const childSource = await fetchFileContent(
+            owner,
+            repo,
+            branch,
+            resolvedChildPath,
+            githubToken
+          );
           if (!childSource) continue;
           const patchedChild = patchChildComponentForFieldPrefix(childSource, child.innerFields);
           if (patchedChild !== childSource) {
@@ -207,7 +264,13 @@ import Page from '${importDepth}${relativePage}';
         const fullPagePath = prefixPath(body.pagePath, projectPrefix);
         const pageSource = await fetchFileContent(owner, repo, branch, fullPagePath, githubToken);
         if (pageSource) {
-          const patched = patchPageFile(pageSource, section.key, section.componentName, section.componentPath, body.pagePath);
+          const patched = patchPageFile(
+            pageSource,
+            section.key,
+            section.componentName,
+            section.componentPath,
+            body.pagePath
+          );
           if (patched && patched !== pageSource) {
             filesToCommit.push({ path: fullPagePath, content: patched });
           }
@@ -216,7 +279,13 @@ import Page from '${importDepth}${relativePage}';
         const previewPath = prefixPath(`${pageDir}/sk-preview/[...page].astro`, projectPrefix);
         const previewSource = await fetchFileContent(owner, repo, branch, previewPath, githubToken);
         if (previewSource) {
-          const patchedPreview = patchPageFile(previewSource, section.key, section.componentName, section.componentPath, `${pageDir}/sk-preview/[...page].astro`);
+          const patchedPreview = patchPageFile(
+            previewSource,
+            section.key,
+            section.componentName,
+            section.componentPath,
+            `${pageDir}/sk-preview/[...page].astro`
+          );
           if (patchedPreview && patchedPreview !== previewSource) {
             filesToCommit.push({ path: previewPath, content: patchedPreview });
           }
@@ -231,7 +300,9 @@ import Page from '${importDepth}${relativePage}';
       repo,
       branch,
       filesToCommit,
-      withTrailers(existingSectionJson ? `content: update ${section.key} section \u2014 add new fields` : `content: add ${section.key} section to Setzkasten`),
+      withTrailers(
+        existingSectionJson ? `content: update ${section.key} section \u2014 add new fields` : `content: add ${section.key} section to Setzkasten`
+      ),
       headers
     );
     if (!commitResult.ok) {
@@ -379,37 +450,32 @@ async function batchCommit(owner, repo, branch, files, message, headers) {
     );
     if (!commitRes.ok) return { ok: false, error: `Failed to get commit: ${commitRes.status}` };
     const commitData = await commitRes.json();
-    const treeRes = await fetch(
-      `https://api.github.com/repos/${owner}/${repo}/git/trees`,
-      {
-        method: "POST",
-        headers,
-        body: JSON.stringify({
-          base_tree: commitData.tree.sha,
-          tree: files.map((f) => ({
-            path: f.path,
-            mode: "100644",
-            type: "blob",
-            content: f.content
-          }))
-        })
-      }
-    );
+    const treeRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/trees`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        base_tree: commitData.tree.sha,
+        tree: files.map((f) => ({
+          path: f.path,
+          mode: "100644",
+          type: "blob",
+          content: f.content
+        }))
+      })
+    });
     if (!treeRes.ok) return { ok: false, error: `Failed to create tree: ${treeRes.status}` };
     const treeData = await treeRes.json();
-    const newCommitRes = await fetch(
-      `https://api.github.com/repos/${owner}/${repo}/git/commits`,
-      {
-        method: "POST",
-        headers,
-        body: JSON.stringify({
-          tree: treeData.sha,
-          parents: [headSha],
-          message
-        })
-      }
-    );
-    if (!newCommitRes.ok) return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
+    const newCommitRes = await fetch(`https://api.github.com/repos/${owner}/${repo}/git/commits`, {
+      method: "POST",
+      headers,
+      body: JSON.stringify({
+        tree: treeData.sha,
+        parents: [headSha],
+        message
+      })
+    });
+    if (!newCommitRes.ok)
+      return { ok: false, error: `Failed to create commit: ${newCommitRes.status}` };
     const newCommitData = await newCommitRes.json();
     const updateRes = await fetch(
       `https://api.github.com/repos/${owner}/${repo}/git/refs/heads/${branch}`,