@tinacms/cli 2.1.5 → 2.1.7

package/dist/index.js

@@ -2,7 +2,7 @@
 import { Cli, Builtins } from "clipanion";
 
 // package.json
-var version = "2.1.5";
+var version = "2.1.7";
 
 // src/next/commands/dev-command/index.ts
 import path8 from "path";
@@ -417,6 +417,38 @@ var loadGraphQLDocuments = async (globPath) => {
 import { transform } from "esbuild";
 import { mapUserFields } from "@tinacms/graphql";
 import normalizePath from "normalize-path";
+
+// src/next/codegen/stripSearchTokenFromConfig.ts
+function stripSearchTokenFromConfig(config2) {
+  const cfg = config2;
+  if (!cfg?.search) {
+    return config2;
+  }
+  const search = cfg.search;
+  const tina = search?.tina;
+  if (tina) {
+    const { indexerToken, ...safeSearchConfig } = tina;
+    const newConfig = {};
+    for (const key of Object.keys(cfg)) {
+      if (key === "search") {
+        newConfig.search = { tina: safeSearchConfig };
+      } else {
+        newConfig[key] = cfg[key];
+      }
+    }
+    return newConfig;
+  } else {
+    const newConfig = {};
+    for (const key of Object.keys(cfg)) {
+      if (key !== "search") {
+        newConfig[key] = cfg[key];
+      }
+    }
+    return newConfig;
+  }
+}
+
+// src/next/codegen/index.ts
 var TINA_HOST = "content.tinajs.io";
 var Codegen = class {
   configManager;
@@ -487,27 +519,9 @@ var Codegen = class {
       "_graphql.json",
       JSON.stringify(this.graphqlSchemaDoc)
     );
-    const config2 = this.tinaSchema.schema.config;
-    if (config2?.search?.tina) {
-      const { indexerToken, ...safeSearchConfig } = config2.search.tina;
-      const newConfig = {};
-      for (const key of Object.keys(config2)) {
-        if (key === "search") {
-          newConfig.search = { tina: safeSearchConfig };
-        } else {
-          newConfig[key] = config2[key];
-        }
-      }
-      this.tinaSchema.schema.config = newConfig;
-    } else if (config2?.search) {
-      const newConfig = {};
-      for (const key of Object.keys(config2)) {
-        if (key !== "search") {
-          newConfig[key] = config2[key];
-        }
-      }
-      this.tinaSchema.schema.config = newConfig;
-    }
+    this.tinaSchema.schema.config = stripSearchTokenFromConfig(
+      this.tinaSchema.schema.config
+    );
     await this.writeConfigFile(
       "_schema.json",
       JSON.stringify(this.tinaSchema.schema)
@@ -803,6 +817,14 @@ function stripNativeTrailingSlash(p) {
   }
   return str;
 }
+var PathTraversalError = class extends Error {
+  constructor(attemptedPath) {
+    super(
+      `Path traversal detected: the path "${attemptedPath}" escapes the allowed directory`
+    );
+    this.name = "PathTraversalError";
+  }
+};
 
 // src/next/config-manager.ts
 var TINA_FOLDER = "tina";
@@ -1017,13 +1039,15 @@ var ConfigManager = class {
       this.contentRootPath = this.rootPath;
     }
     this.generatedFolderPathContentRepo = path3.join(
-      await this.getTinaFolderPath(this.contentRootPath),
+      await this.getTinaFolderPath(this.contentRootPath, {
+        isContentRoot: this.hasSeparateContentRoot()
+      }),
       GENERATED_FOLDER
     );
     this.spaMainPath = require2.resolve("@tinacms/app");
     this.spaRootPath = path3.join(this.spaMainPath, "..", "..");
   }
-  async getTinaFolderPath(rootPath) {
+  async getTinaFolderPath(rootPath, { isContentRoot } = {}) {
     const tinaFolderPath = path3.join(rootPath, TINA_FOLDER);
     const tinaFolderExists = await fs2.pathExists(tinaFolderPath);
     if (tinaFolderExists) {
@@ -1036,6 +1060,11 @@ var ConfigManager = class {
       this.isUsingLegacyFolder = true;
       return legacyFolderPath;
     }
+    if (isContentRoot) {
+      throw new Error(
+        `Unable to find a ${chalk3.cyan("tina/")} folder in your content root at ${chalk3.cyan(rootPath)}. When using localContentPath, the content directory must contain a ${chalk3.cyan("tina/")} folder for generated files. Create one with: mkdir ${path3.join(rootPath, TINA_FOLDER)}`
+      );
+    }
     throw new Error(
       `Unable to find Tina folder, if you're working in folder outside of the Tina config be sure to specify --rootPath`
     );
@@ -1557,6 +1586,29 @@ import {
   splitVendorChunkPlugin
 } from "vite";
 
+// src/next/vite/filterPublicEnv.ts
+function filterPublicEnv(env = process.env) {
+  const publicEnv = {};
+  Object.keys(env).forEach((key) => {
+    if (key.startsWith("TINA_PUBLIC_") || key.startsWith("NEXT_PUBLIC_") || key === "NODE_ENV" || key === "HEAD") {
+      try {
+        const value = env[key];
+        if (typeof value === "string") {
+          publicEnv[key] = value;
+        } else {
+          publicEnv[key] = JSON.stringify(value);
+        }
+      } catch (error) {
+        console.warn(
+          `Could not stringify public env process.env.${key} env variable`
+        );
+        console.warn(error);
+      }
+    }
+  });
+  return publicEnv;
+}
+
 // src/next/vite/tailwind.ts
 import path4 from "node:path";
 import aspectRatio from "@tailwindcss/aspect-ratio";
@@ -1889,23 +1941,7 @@ var createConfig = async ({
   noWatch,
   rollupOptions
 }) => {
-  const publicEnv = {};
-  Object.keys(process.env).forEach((key) => {
-    if (key.startsWith("TINA_PUBLIC_") || key.startsWith("NEXT_PUBLIC_") || key === "NODE_ENV" || key === "HEAD") {
-      try {
-        if (typeof process.env[key] === "string") {
-          publicEnv[key] = process.env[key];
-        } else {
-          publicEnv[key] = JSON.stringify(process.env[key]);
-        }
-      } catch (error) {
-        console.warn(
-          `Could not stringify public env process.env.${key} env variable`
-        );
-        console.warn(error);
-      }
-    }
-  });
+  const publicEnv = filterPublicEnv();
   const staticMediaPath = path5.join(
     configManager.generatedFolderPath,
     "static-media.json"
@@ -2035,9 +2071,9 @@ import cors from "cors";
 import { resolve as gqlResolve } from "@tinacms/graphql";
 
 // src/next/commands/dev-command/server/media.ts
-import fs5 from "fs-extra";
 import path6, { join } from "path";
 import busboy from "busboy";
+import fs5 from "fs-extra";
 var createMediaRouter = (config2) => {
   const mediaFolder = path6.join(
     config2.rootPath,
@@ -2046,31 +2082,68 @@ var createMediaRouter = (config2) => {
   );
   const mediaModel = new MediaModel(config2);
   const handleList = async (req, res) => {
-    const requestURL = new URL(req.url, config2.apiURL);
-    const folder = requestURL.pathname.replace("/media/list/", "");
-    const limit = requestURL.searchParams.get("limit");
-    const cursor = requestURL.searchParams.get("cursor");
-    const media = await mediaModel.listMedia({
-      searchPath: folder,
-      cursor,
-      limit
-    });
-    res.end(JSON.stringify(media));
+    try {
+      const requestURL = new URL(req.url, config2.apiURL);
+      const folder = decodeURIComponent(
+        requestURL.pathname.replace("/media/list/", "")
+      );
+      const limit = requestURL.searchParams.get("limit");
+      const cursor = requestURL.searchParams.get("cursor");
+      const media = await mediaModel.listMedia({
+        searchPath: folder,
+        cursor,
+        limit
+      });
+      res.end(JSON.stringify(media));
+    } catch (error) {
+      if (error instanceof PathTraversalError) {
+        res.statusCode = 403;
+        res.end(JSON.stringify({ error: error.message }));
+        return;
+      }
+      throw error;
+    }
   };
   const handleDelete = async (req, res) => {
-    const file = decodeURIComponent(req.url.slice("/media/".length));
-    const didDelete = await mediaModel.deleteMedia({ searchPath: file });
-    res.end(JSON.stringify(didDelete));
+    try {
+      const file = decodeURIComponent(req.url.slice("/media/".length));
+      const didDelete = await mediaModel.deleteMedia({ searchPath: file });
+      res.end(JSON.stringify(didDelete));
+    } catch (error) {
+      if (error instanceof PathTraversalError) {
+        res.statusCode = 403;
+        res.end(JSON.stringify({ error: error.message }));
+        return;
+      }
+      throw error;
+    }
   };
   const handlePost = async function(req, res) {
     const bb = busboy({ headers: req.headers });
+    let responded = false;
     bb.on("file", async (_name, file, _info) => {
-      const fullPath = decodeURI(req.url?.slice("/media/upload/".length));
-      const saveTo = path6.join(mediaFolder, ...fullPath.split("/"));
+      const fullPath = decodeURIComponent(
+        req.url?.slice("/media/upload/".length)
+      );
+      let saveTo;
+      try {
+        saveTo = resolveStrictlyWithinBase(fullPath, mediaFolder);
+      } catch {
+        responded = true;
+        file.resume();
+        res.statusCode = 403;
+        res.end(
+          JSON.stringify({
+            error: `Path traversal detected: ${fullPath}`
+          })
+        );
+        return;
+      }
       await fs5.ensureDir(path6.dirname(saveTo));
       file.pipe(fs5.createWriteStream(saveTo));
     });
     bb.on("error", (error) => {
+      responded = true;
       res.statusCode = 500;
       if (error instanceof Error) {
         res.end(JSON.stringify({ message: error }));
@@ -2079,6 +2152,7 @@ var createMediaRouter = (config2) => {
       }
     });
     bb.on("close", () => {
+      if (responded) return;
       res.statusCode = 200;
       res.end(JSON.stringify({ success: true }));
     });
@@ -2093,6 +2167,32 @@ var parseMediaFolder = (str) => {
     returnString = returnString.substr(0, returnString.length - 1);
   return returnString;
 };
+var ENCODED_TRAVERSAL_RE = /%2e%2e|%2f|%5c/i;
+function resolveWithinBase(userPath, baseDir) {
+  if (ENCODED_TRAVERSAL_RE.test(userPath)) {
+    throw new PathTraversalError(userPath);
+  }
+  const resolvedBase = path6.resolve(baseDir);
+  const resolved = path6.resolve(path6.join(baseDir, userPath));
+  if (resolved === resolvedBase) {
+    return resolvedBase;
+  }
+  if (resolved.startsWith(resolvedBase + path6.sep)) {
+    return resolved;
+  }
+  throw new PathTraversalError(userPath);
+}
+function resolveStrictlyWithinBase(userPath, baseDir) {
+  if (ENCODED_TRAVERSAL_RE.test(userPath)) {
+    throw new PathTraversalError(userPath);
+  }
+  const resolvedBase = path6.resolve(baseDir) + path6.sep;
+  const resolved = path6.resolve(path6.join(baseDir, userPath));
+  if (!resolved.startsWith(resolvedBase)) {
+    throw new PathTraversalError(userPath);
+  }
+  return resolved;
+}
 var MediaModel = class {
   rootPath;
   publicFolder;
@@ -2104,22 +2204,18 @@ var MediaModel = class {
   }
   async listMedia(args) {
     try {
-      const folderPath = join(
-        this.rootPath,
-        this.publicFolder,
-        this.mediaRoot,
-        decodeURIComponent(args.searchPath)
-      );
+      const mediaBase = join(this.rootPath, this.publicFolder, this.mediaRoot);
+      const validatedPath = resolveWithinBase(args.searchPath, mediaBase);
       const searchPath = parseMediaFolder(args.searchPath);
-      if (!await fs5.pathExists(folderPath)) {
+      if (!await fs5.pathExists(validatedPath)) {
         return {
           files: [],
           directories: []
         };
       }
-      const filesStr = await fs5.readdir(folderPath);
+      const filesStr = await fs5.readdir(validatedPath);
       const filesProm = filesStr.map(async (file) => {
-        const filePath = join(folderPath, file);
+        const filePath = join(validatedPath, file);
         const stat = await fs5.stat(filePath);
         let src = `/${file}`;
         const isFile = stat.isFile();
@@ -2166,6 +2262,7 @@ var MediaModel = class {
         cursor
       };
     } catch (error) {
+      if (error instanceof PathTraversalError) throw error;
       console.error(error);
       return {
         files: [],
@@ -2176,16 +2273,13 @@ var MediaModel = class {
   }
   async deleteMedia(args) {
     try {
-      const file = join(
-        this.rootPath,
-        this.publicFolder,
-        this.mediaRoot,
-        decodeURIComponent(args.searchPath)
-      );
+      const mediaBase = join(this.rootPath, this.publicFolder, this.mediaRoot);
+      const file = resolveStrictlyWithinBase(args.searchPath, mediaBase);
       await fs5.stat(file);
       await fs5.remove(file);
       return { ok: true };
     } catch (error) {
+      if (error instanceof PathTraversalError) throw error;
       console.error(error);
       return { ok: false, message: error?.toString() };
     }
@@ -2555,7 +2649,8 @@ var DevCommand = class extends BaseCommand {
           );
           if (configManager.hasSeparateContentRoot()) {
             const rootPath = await configManager.getTinaFolderPath(
-              configManager.contentRootPath
+              configManager.contentRootPath,
+              { isContentRoot: true }
             );
             const filePath = path8.join(rootPath, tinaLockFilename);
             await fs7.ensureFile(filePath);
@@ -2731,6 +2826,13 @@ ${dangerText(e.message)}
         // },
       ]
     });
+    if (configManager?.config?.telemetry === "anonymous") {
+      logger.info(
+        `
+\u{1F4CA} Note: TinaCMS now collects anonymous telemetry regarding usage. More information on TinaCMS Telemetry: https://tina.io/telemetry
+`
+      );
+    }
     await this.startSubCommand();
   }
   watchContentFiles(configManager, database, databaseLock, searchIndexer) {
@@ -2831,23 +2933,6 @@ async function sleepAndCallFunc({
 // src/next/commands/build-command/server.ts
 import { build as build2 } from "vite";
 var buildProductionSpa = async (configManager, database, apiURL) => {
-  const publicEnv = {};
-  Object.keys(process.env).forEach((key) => {
-    if (key.startsWith("TINA_PUBLIC_") || key.startsWith("NEXT_PUBLIC_") || key === "NODE_ENV" || key === "HEAD") {
-      try {
-        if (typeof process.env[key] === "string") {
-          publicEnv[key] = process.env[key];
-        } else {
-          publicEnv[key] = JSON.stringify(process.env[key]);
-        }
-      } catch (error) {
-        console.warn(
-          `Could not stringify public env process.env.${key} env variable`
-        );
-        console.warn(error);
-      }
-    }
-  });
   const config2 = await createConfig({
     plugins: [transformTsxPlugin({ configManager }), viteTransformExtension()],
     configManager,

package/dist/next/codegen/stripSearchTokenFromConfig.d.ts

@@ -0,0 +1,7 @@
+/**
+ * Strips `indexerToken` from `search.tina` before serialization to
+ * _schema.json / tina-lock.json.
+ *
+ * @see https://github.com/tinacms/tinacms/security/advisories/GHSA-4qrm-9h4r-v2fx
+ */
+export declare function stripSearchTokenFromConfig<T extends object>(config: T): T;

package/dist/next/commands/dev-command/server/media.d.ts

@@ -1,5 +1,5 @@
-import type { Connect } from 'vite';
 import type { ServerResponse } from 'http';
+import type { Connect } from 'vite';
 export declare const createMediaRouter: (config: PathConfig) => {
     handleList: (req: any, res: any) => Promise<void>;
     handleDelete: (req: Connect.IncomingMessage, res: any) => Promise<void>;
@@ -34,6 +34,23 @@ type SuccessRecord = {
     ok: false;
     message: string;
 };
+/**
+ * Handles media file operations (list, delete) for the Vite-based dev server.
+ *
+ * @security Every method that accepts a user-supplied `searchPath` validates
+ * it against the media root using `resolveWithinBase` (list) or
+ * `resolveStrictlyWithinBase` (delete) before any filesystem access.
+ *
+ * - **list** uses `resolveWithinBase` because listing the media root itself
+ *   (empty path / exact base match) is a valid operation.
+ * - **delete** uses `resolveStrictlyWithinBase` because deleting the media
+ *   root directory itself must never be allowed.
+ *
+ * Both methods catch `PathTraversalError` and re-throw it so that the
+ * route handler can return a 403 response. Other errors are caught and
+ * returned as structured error responses (this avoids leaking stack traces
+ * to the client).
+ */
 export declare class MediaModel {
     readonly rootPath: string;
     readonly publicFolder: string;

package/dist/next/config-manager.d.ts

@@ -54,7 +54,9 @@ export declare class ConfigManager {
     hasSeparateContentRoot(): boolean;
     shouldSkipSDK(): boolean;
     processConfig(): Promise<void>;
-    getTinaFolderPath(rootPath: any): Promise<string>;
+    getTinaFolderPath(rootPath: string, { isContentRoot }?: {
+        isContentRoot?: boolean;
+    }): Promise<string>;
     getTinaGraphQLVersion(): {
         fullVersion: string;
         major: string;

package/dist/next/vite/filterPublicEnv.d.ts

@@ -0,0 +1,9 @@
+/**
+ * Filters env vars to only those safe for client-side bundles.
+ *
+ * Allows: TINA_PUBLIC_*, NEXT_PUBLIC_*, NODE_ENV, HEAD.
+ * Everything else is excluded to prevent leaking secrets.
+ *
+ * @see https://github.com/tinacms/tinacms/security/advisories/GHSA-pc2q-jcxq-rjrr
+ */
+export declare function filterPublicEnv(env?: Record<string, string | undefined>): Record<string, string>;

package/dist/server/models/media.d.ts

@@ -28,6 +28,23 @@ type SuccessRecord = {
     ok: false;
     message: string;
 };
+/**
+ * Handles media file operations (list, delete) for the Express-based server.
+ *
+ * @security Every method that accepts a user-supplied `searchPath` validates
+ * it against the media root using `resolveWithinBase` (list) or
+ * `resolveStrictlyWithinBase` (delete) before any filesystem access.
+ *
+ * - **list** uses `resolveWithinBase` because listing the media root itself
+ *   (empty path / exact base match) is a valid operation.
+ * - **delete** uses `resolveStrictlyWithinBase` because deleting the media
+ *   root directory itself must never be allowed.
+ *
+ * Both methods catch `PathTraversalError` and re-throw it so that the
+ * route handler can return a 403 response. Other errors are caught and
+ * returned as structured error responses (this avoids leaking stack traces
+ * to the client).
+ */
 export declare class MediaModel {
     readonly rootPath: string;
     readonly publicFolder: string;

package/dist/utils/path.d.ts

@@ -1,3 +1,29 @@
 /** Removes trailing slash from path. Separator to remove is chosen based on
  *  operating system. */
 export declare function stripNativeTrailingSlash(p: string): string;
+/**
+ * Validates that a user-supplied path does not escape the base directory
+ * via path traversal (CWE-22). Returns the resolved absolute path.
+ *
+ * Allows an exact base match (empty or `.` input) — use this for list/read
+ * operations where referencing the root directory itself is valid. For
+ * delete/write operations where you need to target an actual file, use the
+ * `resolveStrictlyWithinBase` variant (currently inlined in media models).
+ *
+ * As a safety net, also rejects paths that still contain URL-encoded
+ * traversal sequences (`%2e%2e`, `%2f`, `%5c`), catching cases where the
+ * caller forgot to decode.
+ *
+ * @security This is the canonical implementation. Inlined copies exist in
+ * the media model files for CodeQL compatibility — keep them in sync.
+ *
+ * @param userPath - The untrusted path from the request (must already be
+ *   URI-decoded by the caller).
+ * @param baseDir  - The trusted base directory the path must stay within.
+ * @returns The resolved absolute path.
+ * @throws {PathTraversalError} If the path escapes the base directory.
+ */
+export declare function assertPathWithinBase(userPath: string, baseDir: string): string;
+export declare class PathTraversalError extends Error {
+    constructor(attemptedPath: string);
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tinacms/cli",
   "type": "module",
-  "version": "2.1.5",
+  "version": "2.1.7",
   "main": "dist/index.js",
   "typings": "dist/index.d.ts",
   "files": [
@@ -41,7 +41,7 @@
     "@types/progress": "^2.0.7",
     "@types/prompts": "^2.4.9",
     "jest": "^29.7.0",
-    "@tinacms/scripts": "1.4.2"
+    "@tinacms/scripts": "1.5.0"
   },
   "dependencies": {
     "@graphql-codegen/core": "^2.6.8",
@@ -88,12 +88,12 @@
     "vite": "^4.5.9",
     "yup": "^1.6.1",
     "zod": "^3.24.2",
-    "@tinacms/app": "2.3.24",
-    "@tinacms/graphql": "2.1.1",
+    "@tinacms/app": "2.3.26",
+    "@tinacms/graphql": "2.1.3",
     "@tinacms/metrics": "2.0.1",
-    "@tinacms/schema-tools": "2.5.0",
-    "@tinacms/search": "1.2.2",
-    "tinacms": "3.4.1"
+    "@tinacms/schema-tools": "2.6.0",
+    "@tinacms/search": "1.2.4",
+    "tinacms": "3.5.1"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org"