@tinacms/cli 2.1.6 → 2.1.7

package/dist/index.js

@@ -2,7 +2,7 @@
 import { Cli, Builtins } from "clipanion";
 
 // package.json
-var version = "2.1.6";
+var version = "2.1.7";
 
 // src/next/commands/dev-command/index.ts
 import path8 from "path";
@@ -817,6 +817,14 @@ function stripNativeTrailingSlash(p) {
   }
   return str;
 }
+var PathTraversalError = class extends Error {
+  constructor(attemptedPath) {
+    super(
+      `Path traversal detected: the path "${attemptedPath}" escapes the allowed directory`
+    );
+    this.name = "PathTraversalError";
+  }
+};
 
 // src/next/config-manager.ts
 var TINA_FOLDER = "tina";
@@ -2063,9 +2071,9 @@ import cors from "cors";
 import { resolve as gqlResolve } from "@tinacms/graphql";
 
 // src/next/commands/dev-command/server/media.ts
-import fs5 from "fs-extra";
 import path6, { join } from "path";
 import busboy from "busboy";
+import fs5 from "fs-extra";
 var createMediaRouter = (config2) => {
   const mediaFolder = path6.join(
     config2.rootPath,
@@ -2074,31 +2082,68 @@ var createMediaRouter = (config2) => {
   );
   const mediaModel = new MediaModel(config2);
   const handleList = async (req, res) => {
-    const requestURL = new URL(req.url, config2.apiURL);
-    const folder = requestURL.pathname.replace("/media/list/", "");
-    const limit = requestURL.searchParams.get("limit");
-    const cursor = requestURL.searchParams.get("cursor");
-    const media = await mediaModel.listMedia({
-      searchPath: folder,
-      cursor,
-      limit
-    });
-    res.end(JSON.stringify(media));
+    try {
+      const requestURL = new URL(req.url, config2.apiURL);
+      const folder = decodeURIComponent(
+        requestURL.pathname.replace("/media/list/", "")
+      );
+      const limit = requestURL.searchParams.get("limit");
+      const cursor = requestURL.searchParams.get("cursor");
+      const media = await mediaModel.listMedia({
+        searchPath: folder,
+        cursor,
+        limit
+      });
+      res.end(JSON.stringify(media));
+    } catch (error) {
+      if (error instanceof PathTraversalError) {
+        res.statusCode = 403;
+        res.end(JSON.stringify({ error: error.message }));
+        return;
+      }
+      throw error;
+    }
   };
   const handleDelete = async (req, res) => {
-    const file = decodeURIComponent(req.url.slice("/media/".length));
-    const didDelete = await mediaModel.deleteMedia({ searchPath: file });
-    res.end(JSON.stringify(didDelete));
+    try {
+      const file = decodeURIComponent(req.url.slice("/media/".length));
+      const didDelete = await mediaModel.deleteMedia({ searchPath: file });
+      res.end(JSON.stringify(didDelete));
+    } catch (error) {
+      if (error instanceof PathTraversalError) {
+        res.statusCode = 403;
+        res.end(JSON.stringify({ error: error.message }));
+        return;
+      }
+      throw error;
+    }
   };
   const handlePost = async function(req, res) {
     const bb = busboy({ headers: req.headers });
+    let responded = false;
     bb.on("file", async (_name, file, _info) => {
-      const fullPath = decodeURI(req.url?.slice("/media/upload/".length));
-      const saveTo = path6.join(mediaFolder, ...fullPath.split("/"));
+      const fullPath = decodeURIComponent(
+        req.url?.slice("/media/upload/".length)
+      );
+      let saveTo;
+      try {
+        saveTo = resolveStrictlyWithinBase(fullPath, mediaFolder);
+      } catch {
+        responded = true;
+        file.resume();
+        res.statusCode = 403;
+        res.end(
+          JSON.stringify({
+            error: `Path traversal detected: ${fullPath}`
+          })
+        );
+        return;
+      }
       await fs5.ensureDir(path6.dirname(saveTo));
       file.pipe(fs5.createWriteStream(saveTo));
     });
     bb.on("error", (error) => {
+      responded = true;
       res.statusCode = 500;
       if (error instanceof Error) {
         res.end(JSON.stringify({ message: error }));
@@ -2107,6 +2152,7 @@ var createMediaRouter = (config2) => {
       }
     });
     bb.on("close", () => {
+      if (responded) return;
       res.statusCode = 200;
       res.end(JSON.stringify({ success: true }));
     });
@@ -2121,6 +2167,32 @@ var parseMediaFolder = (str) => {
     returnString = returnString.substr(0, returnString.length - 1);
   return returnString;
 };
+var ENCODED_TRAVERSAL_RE = /%2e%2e|%2f|%5c/i;
+function resolveWithinBase(userPath, baseDir) {
+  if (ENCODED_TRAVERSAL_RE.test(userPath)) {
+    throw new PathTraversalError(userPath);
+  }
+  const resolvedBase = path6.resolve(baseDir);
+  const resolved = path6.resolve(path6.join(baseDir, userPath));
+  if (resolved === resolvedBase) {
+    return resolvedBase;
+  }
+  if (resolved.startsWith(resolvedBase + path6.sep)) {
+    return resolved;
+  }
+  throw new PathTraversalError(userPath);
+}
+function resolveStrictlyWithinBase(userPath, baseDir) {
+  if (ENCODED_TRAVERSAL_RE.test(userPath)) {
+    throw new PathTraversalError(userPath);
+  }
+  const resolvedBase = path6.resolve(baseDir) + path6.sep;
+  const resolved = path6.resolve(path6.join(baseDir, userPath));
+  if (!resolved.startsWith(resolvedBase)) {
+    throw new PathTraversalError(userPath);
+  }
+  return resolved;
+}
 var MediaModel = class {
   rootPath;
   publicFolder;
@@ -2132,22 +2204,18 @@ var MediaModel = class {
   }
   async listMedia(args) {
     try {
-      const folderPath = join(
-        this.rootPath,
-        this.publicFolder,
-        this.mediaRoot,
-        decodeURIComponent(args.searchPath)
-      );
+      const mediaBase = join(this.rootPath, this.publicFolder, this.mediaRoot);
+      const validatedPath = resolveWithinBase(args.searchPath, mediaBase);
       const searchPath = parseMediaFolder(args.searchPath);
-      if (!await fs5.pathExists(folderPath)) {
+      if (!await fs5.pathExists(validatedPath)) {
         return {
           files: [],
           directories: []
         };
       }
-      const filesStr = await fs5.readdir(folderPath);
+      const filesStr = await fs5.readdir(validatedPath);
       const filesProm = filesStr.map(async (file) => {
-        const filePath = join(folderPath, file);
+        const filePath = join(validatedPath, file);
         const stat = await fs5.stat(filePath);
         let src = `/${file}`;
         const isFile = stat.isFile();
@@ -2194,6 +2262,7 @@ var MediaModel = class {
         cursor
       };
     } catch (error) {
+      if (error instanceof PathTraversalError) throw error;
       console.error(error);
       return {
         files: [],
@@ -2204,16 +2273,13 @@ var MediaModel = class {
   }
   async deleteMedia(args) {
     try {
-      const file = join(
-        this.rootPath,
-        this.publicFolder,
-        this.mediaRoot,
-        decodeURIComponent(args.searchPath)
-      );
+      const mediaBase = join(this.rootPath, this.publicFolder, this.mediaRoot);
+      const file = resolveStrictlyWithinBase(args.searchPath, mediaBase);
       await fs5.stat(file);
       await fs5.remove(file);
       return { ok: true };
     } catch (error) {
+      if (error instanceof PathTraversalError) throw error;
       console.error(error);
       return { ok: false, message: error?.toString() };
     }

package/dist/next/commands/dev-command/server/media.d.ts

@@ -1,5 +1,5 @@
-import type { Connect } from 'vite';
 import type { ServerResponse } from 'http';
+import type { Connect } from 'vite';
 export declare const createMediaRouter: (config: PathConfig) => {
     handleList: (req: any, res: any) => Promise<void>;
     handleDelete: (req: Connect.IncomingMessage, res: any) => Promise<void>;
@@ -34,6 +34,23 @@ type SuccessRecord = {
     ok: false;
     message: string;
 };
+/**
+ * Handles media file operations (list, delete) for the Vite-based dev server.
+ *
+ * @security Every method that accepts a user-supplied `searchPath` validates
+ * it against the media root using `resolveWithinBase` (list) or
+ * `resolveStrictlyWithinBase` (delete) before any filesystem access.
+ *
+ * - **list** uses `resolveWithinBase` because listing the media root itself
+ *   (empty path / exact base match) is a valid operation.
+ * - **delete** uses `resolveStrictlyWithinBase` because deleting the media
+ *   root directory itself must never be allowed.
+ *
+ * Both methods catch `PathTraversalError` and re-throw it so that the
+ * route handler can return a 403 response. Other errors are caught and
+ * returned as structured error responses (this avoids leaking stack traces
+ * to the client).
+ */
 export declare class MediaModel {
     readonly rootPath: string;
     readonly publicFolder: string;

package/dist/server/models/media.d.ts

@@ -28,6 +28,23 @@ type SuccessRecord = {
     ok: false;
     message: string;
 };
+/**
+ * Handles media file operations (list, delete) for the Express-based server.
+ *
+ * @security Every method that accepts a user-supplied `searchPath` validates
+ * it against the media root using `resolveWithinBase` (list) or
+ * `resolveStrictlyWithinBase` (delete) before any filesystem access.
+ *
+ * - **list** uses `resolveWithinBase` because listing the media root itself
+ *   (empty path / exact base match) is a valid operation.
+ * - **delete** uses `resolveStrictlyWithinBase` because deleting the media
+ *   root directory itself must never be allowed.
+ *
+ * Both methods catch `PathTraversalError` and re-throw it so that the
+ * route handler can return a 403 response. Other errors are caught and
+ * returned as structured error responses (this avoids leaking stack traces
+ * to the client).
+ */
 export declare class MediaModel {
     readonly rootPath: string;
     readonly publicFolder: string;

package/dist/utils/path.d.ts

@@ -1,3 +1,29 @@
 /** Removes trailing slash from path. Separator to remove is chosen based on
  *  operating system. */
 export declare function stripNativeTrailingSlash(p: string): string;
+/**
+ * Validates that a user-supplied path does not escape the base directory
+ * via path traversal (CWE-22). Returns the resolved absolute path.
+ *
+ * Allows an exact base match (empty or `.` input) — use this for list/read
+ * operations where referencing the root directory itself is valid. For
+ * delete/write operations where you need to target an actual file, use the
+ * `resolveStrictlyWithinBase` variant (currently inlined in media models).
+ *
+ * As a safety net, also rejects paths that still contain URL-encoded
+ * traversal sequences (`%2e%2e`, `%2f`, `%5c`), catching cases where the
+ * caller forgot to decode.
+ *
+ * @security This is the canonical implementation. Inlined copies exist in
+ * the media model files for CodeQL compatibility — keep them in sync.
+ *
+ * @param userPath - The untrusted path from the request (must already be
+ *   URI-decoded by the caller).
+ * @param baseDir  - The trusted base directory the path must stay within.
+ * @returns The resolved absolute path.
+ * @throws {PathTraversalError} If the path escapes the base directory.
+ */
+export declare function assertPathWithinBase(userPath: string, baseDir: string): string;
+export declare class PathTraversalError extends Error {
+    constructor(attemptedPath: string);
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tinacms/cli",
   "type": "module",
-  "version": "2.1.6",
+  "version": "2.1.7",
   "main": "dist/index.js",
   "typings": "dist/index.d.ts",
   "files": [
@@ -88,12 +88,12 @@
     "vite": "^4.5.9",
     "yup": "^1.6.1",
     "zod": "^3.24.2",
-    "@tinacms/app": "2.3.25",
-    "@tinacms/schema-tools": "2.6.0",
-    "@tinacms/graphql": "2.1.2",
+    "@tinacms/app": "2.3.26",
+    "@tinacms/graphql": "2.1.3",
     "@tinacms/metrics": "2.0.1",
-    "@tinacms/search": "1.2.3",
-    "tinacms": "3.5.0"
+    "@tinacms/schema-tools": "2.6.0",
+    "@tinacms/search": "1.2.4",
+    "tinacms": "3.5.1"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org"