@strapi/plugin-users-permissions 4.5.4 → 4.5.6

package/admin/src/pages/Providers/index.js

@@ -14,7 +14,6 @@ import {
 } from '@strapi/helper-plugin';
 import has from 'lodash/has';
 import upperFirst from 'lodash/upperFirst';
-import { FontAwesomeIcon } from '@fortawesome/react-fontawesome';
 import { HeaderLayout, Layout, ContentLayout } from '@strapi/design-system/Layout';
 import { Main } from '@strapi/design-system/Main';
 import { useNotifyAT } from '@strapi/design-system/LiveRegions';
@@ -163,16 +162,9 @@ export const ProvidersPage = () => {
           <LoadingIndicatorPage />
         ) : (
           <ContentLayout>
-            <Table colCount={4} rowCount={rowCount + 1}>
+            <Table colCount={3} rowCount={rowCount + 1}>
               <Thead>
                 <Tr>
-                  <Th>
-                    <Typography variant="sigma" textColor="neutral600">
-                      <VisuallyHidden>
-                        {formatMessage({ id: getTrad('Providers.image'), defaultMessage: 'Image' })}
-                      </VisuallyHidden>
-                    </Typography>
-                  </Th>
                   <Th>
                     <Typography variant="sigma" textColor="neutral600">
                       {formatMessage({ id: 'global.name', defaultMessage: 'Name' })}
@@ -204,9 +196,6 @@ export const ProvidersPage = () => {
                       condition: canUpdate,
                     })}
                   >
-                    <Td width="">
-                      <FontAwesomeIcon icon={provider.icon} />
-                    </Td>
                     <Td width="45%">
                       <Typography fontWeight="semiBold" textColor="neutral800">
                         {provider.name}

package/admin/src/translations/dk.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "Redigér e-mail skabeloner",
   "PopUpForm.header.edit.providers": "Redigér udbydere",
   "Providers.data.loaded": "Providers hentet",
-  "Providers.image": "Billede",
   "Providers.status": "Status",
   "Roles.empty": "Du har endnu ingen roller.",
   "Roles.empty.search": "Ingen roller matcher søgningen.",

package/admin/src/translations/en.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "Edit email template",
   "PopUpForm.header.edit.providers": "Edit Provider",
   "Providers.data.loaded": "Providers have been loaded",
-  "Providers.image": "Image",
   "Providers.status": "Status",
   "Roles.empty": "You don't have any roles yet.",
   "Roles.empty.search": "No roles match the search.",

package/admin/src/translations/es.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "Editar Plantillas de Email",
   "PopUpForm.header.edit.providers": "Editar proveedor",
   "Providers.data.loaded": "Los proveedores se han cargado",
-  "Providers.image": "Imagen",
   "Providers.status": "Estado",
   "Roles.empty": "Aún no tienes ningún rol.",
   "Roles.empty.search": "Ningún rol coincide con la búsqueda.",

package/admin/src/translations/ko.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "이메일 템플릿 수정",
   "PopUpForm.header.edit.providers": "프로바이더 수정",
   "Providers.data.loaded": "프로바이더를 불러왔습니다.",
-  "Providers.image": "이미지",
   "Providers.status": "상태",
   "Roles.empty": "아직 역할이 없습니다.",
   "Roles.empty.search": "검색과 일치하는 역할이 없습니다.",

package/admin/src/translations/pl.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "Zmień szablony e-mail",
   "PopUpForm.header.edit.providers": "Edytuj dostawcę",
   "Providers.data.loaded": "Dostawcy zostali załadowani",
-  "Providers.image": "Obrazek",
   "Providers.status": "Status",
   "Roles.empty": "Nie masz jeszcze żadnych ról.",
   "Roles.empty.search": "Żadne role nie pasują do wyszukiwania.",

package/admin/src/translations/sv.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "Redigera e-postmallar",
   "PopUpForm.header.edit.providers": "Redigera tjänst",
   "Providers.data.loaded": "Tjänster har laddats in",
-  "Providers.image": "Bild",
   "Providers.status": "Status",
   "Roles.empty": "Du har inga roller än.",
   "Roles.empty.search": "Inga roller matchar sökningen.",

package/admin/src/translations/zh.json

@@ -54,7 +54,6 @@
   "PopUpForm.header.edit.email-templates": "編輯郵件範本",
   "PopUpForm.header.edit.providers": "編輯供應者",
   "Providers.data.loaded": "已載入供應者",
-  "Providers.image": "圖片",
   "Providers.status": "狀態",
   "Roles.empty": "您目前沒有任何角色。",
   "Roles.empty.search": "沒有符合搜尋的角色。",

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@strapi/plugin-users-permissions",
-  "version": "4.5.4",
+  "version": "4.5.6",
   "description": "Protect your API with a full-authentication process based on JWT",
   "repository": {
     "type": "git",
@@ -27,11 +27,11 @@
     "test:front:watch:ce": "cross-env IS_EE=false jest --config ./jest.config.front.js --watchAll"
   },
   "dependencies": {
-    "@strapi/helper-plugin": "4.5.4",
-    "@strapi/utils": "4.5.4",
+    "@strapi/helper-plugin": "4.5.6",
+    "@strapi/utils": "4.5.6",
     "bcryptjs": "2.4.3",
     "grant-koa": "5.4.8",
-    "jsonwebtoken": "^8.1.0",
+    "jsonwebtoken": "9.0.0",
     "koa": "^2.13.4",
     "koa2-ratelimit": "^1.1.2",
     "lodash": "4.17.21",
@@ -64,5 +64,5 @@
     "required": true,
     "kind": "plugin"
   },
-  "gitHead": "8716ecc920130db5341b0904cf868c6e6b581a5d"
+  "gitHead": "d36609ff26fb4e00a41a7e2b657f16c7466203fe"
 }

package/server/controllers/validation/email-template.js

@@ -1,8 +1,17 @@
 'use strict';
 
-const _ = require('lodash');
+const { trim } = require('lodash/fp');
+const {
+  template: { createLooseInterpolationRegExp, createStrictInterpolationRegExp },
+} = require('@strapi/utils');
+
+const invalidPatternsRegexes = [
+  // Ignore "evaluation" patterns: <% ... %>
+  /<%[^=]([\s\S]*?)%>/m,
+  // Ignore basic string interpolations
+  /\${([^{}]*)}/m,
+];
 
-const invalidPatternsRegexes = [/<%[^=]([^<>%]*)%>/m, /\${([^{}]*)}/m];
 const authorizedKeys = [
   'URL',
   'ADMIN_URL',
@@ -19,27 +28,42 @@ const matchAll = (pattern, src) => {
   let match;
 
   const regexPatternWithGlobal = RegExp(pattern, 'g');
+
   // eslint-disable-next-line no-cond-assign
   while ((match = regexPatternWithGlobal.exec(src))) {
     const [, group] = match;
 
-    matches.push(_.trim(group));
+    matches.push(trim(group));
   }
+
   return matches;
 };
 
 const isValidEmailTemplate = (template) => {
+  // Check for known invalid patterns
   for (const reg of invalidPatternsRegexes) {
     if (reg.test(template)) {
       return false;
     }
   }
 
-  const matches = matchAll(/<%=([^<>%=]*)%>/, template);
-  for (const match of matches) {
-    if (!authorizedKeys.includes(match)) {
-      return false;
-    }
+  const interpolation = {
+    // Strict interpolation pattern to match only valid groups
+    strict: createStrictInterpolationRegExp(authorizedKeys),
+    // Weak interpolation pattern to match as many group as possible.
+    loose: createLooseInterpolationRegExp(),
+  };
+
+  // Compute both strict & loose matches
+  const strictMatches = matchAll(interpolation.strict, template);
+  const looseMatches = matchAll(interpolation.loose, template);
+
+  // If we have more matches with the loose RegExp than with the strict one,
+  // then it means that at least one of the interpolation group is invalid
+  // Note: In the future, if we wanted to give more details for error formatting
+  // purposes, we could return the difference between the two arrays
+  if (looseMatches.length > strictMatches.length) {
+    return false;
   }
 
   return true;

package/server/services/user.js

@@ -109,17 +109,25 @@ module.exports = ({ strapi }) => ({
     await this.edit(user.id, { confirmationToken });
 
     const apiPrefix = strapi.config.get('api.rest.prefix');
-    settings.message = await userPermissionService.template(settings.message, {
-      URL: urlJoin(getAbsoluteServerUrl(strapi.config), apiPrefix, '/auth/email-confirmation'),
-      SERVER_URL: getAbsoluteServerUrl(strapi.config),
-      ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
-      USER: sanitizedUserInfo,
-      CODE: confirmationToken,
-    });
 
-    settings.object = await userPermissionService.template(settings.object, {
-      USER: sanitizedUserInfo,
-    });
+    try {
+      settings.message = await userPermissionService.template(settings.message, {
+        URL: urlJoin(getAbsoluteServerUrl(strapi.config), apiPrefix, '/auth/email-confirmation'),
+        SERVER_URL: getAbsoluteServerUrl(strapi.config),
+        ADMIN_URL: getAbsoluteAdminUrl(strapi.config),
+        USER: sanitizedUserInfo,
+        CODE: confirmationToken,
+      });
+
+      settings.object = await userPermissionService.template(settings.object, {
+        USER: sanitizedUserInfo,
+      });
+    } catch {
+      strapi.log.error(
+        '[plugin::users-permissions.sendConfirmationEmail]: Failed to generate a template for "user confirmation email". Please make sure your email template is valid and does not contain invalid characters or patterns'
+      );
+      return;
+    }
 
     // Send an email to the user.
     await strapi

package/server/services/users-permissions.js

@@ -3,6 +3,11 @@
 const _ = require('lodash');
 const { filter, map, pipe, prop } = require('lodash/fp');
 const urlJoin = require('url-join');
+const {
+  template: { createStrictInterpolationRegExp },
+  errors,
+  keysDeep,
+} = require('@strapi/utils');
 
 const { getService } = require('../utils');
 
@@ -230,7 +235,15 @@ module.exports = ({ strapi }) => ({
   },
 
   template(layout, data) {
-    const compiledObject = _.template(layout);
-    return compiledObject(data);
+    const allowedTemplateVariables = keysDeep(data);
+
+    // Create a strict interpolation RegExp based on possible variable names
+    const interpolate = createStrictInterpolationRegExp(allowedTemplateVariables, 'g');
+
+    try {
+      return _.template(layout, { interpolate, evaluate: false, escape: false })(data);
+    } catch (e) {
+      throw new errors.ApplicationError('Invalid email template');
+    }
   },
 });