@tinacms/cli 2.1.6 → 2.1.8

package/dist/index.js

@@ -2,7 +2,7 @@
 import { Cli, Builtins } from "clipanion";
 
 // package.json
-var version = "2.1.6";
+var version = "2.1.8";
 
 // src/next/commands/dev-command/index.ts
 import path8 from "path";
@@ -817,6 +817,14 @@ function stripNativeTrailingSlash(p) {
   }
   return str;
 }
+var PathTraversalError = class extends Error {
+  constructor(attemptedPath) {
+    super(
+      `Path traversal detected: the path "${attemptedPath}" escapes the allowed directory`
+    );
+    this.name = "PathTraversalError";
+  }
+};
 
 // src/next/config-manager.ts
 var TINA_FOLDER = "tina";
@@ -1247,15 +1255,15 @@ var loaders = {
 };
 
 // src/next/database.ts
+import { createServer } from "net";
 import {
-  createDatabaseInternal,
   FilesystemBridge,
-  TinaLevelClient
+  TinaLevelClient,
+  createDatabaseInternal
 } from "@tinacms/graphql";
-import { pipeline } from "readable-stream";
-import { createServer } from "net";
 import { ManyLevelHost } from "many-level";
 import { MemoryLevel } from "memory-level";
+import { pipeline } from "readable-stream";
 var createDBServer = (port) => {
   const levelHost = new ManyLevelHost(
     // @ts-ignore
@@ -1274,7 +1282,7 @@ var createDBServer = (port) => {
       );
     }
   });
-  dbServer.listen(port);
+  dbServer.listen(port, "localhost");
 };
 async function createAndInitializeDatabase(configManager, datalayerPort, bridgeOverride) {
   let database;
@@ -1578,6 +1586,43 @@ import {
   splitVendorChunkPlugin
 } from "vite";
 
+// src/next/vite/cors.ts
+var LOCALHOST_RE = /^https?:\/\/(?:localhost|127\.0\.0\.1|\[::1\])(:\d+)?$/;
+var PRIVATE_NETWORK_RE = /^https?:\/\/(?:10\.\d{1,3}\.\d{1,3}\.\d{1,3}|172\.(?:1[6-9]|2\d|3[01])\.\d{1,3}\.\d{1,3}|192\.168\.\d{1,3}\.\d{1,3})(:\d+)?$/;
+function expandOrigins(raw) {
+  const hasPrivate = raw.some((o) => o === "private");
+  const filtered = raw.filter((o) => o !== "private");
+  return hasPrivate ? [...filtered, PRIVATE_NETWORK_RE] : filtered;
+}
+function buildCorsOriginCheck(allowedOrigins = []) {
+  const extra = expandOrigins(allowedOrigins);
+  return (origin, callback) => {
+    if (!origin) {
+      callback(null, true);
+      return;
+    }
+    if (LOCALHOST_RE.test(origin)) {
+      callback(null, true);
+      return;
+    }
+    for (const allowed of extra) {
+      if (typeof allowed === "string") {
+        if (allowed === origin) {
+          callback(null, true);
+          return;
+        }
+      } else {
+        allowed.lastIndex = 0;
+        if (allowed.test(origin)) {
+          callback(null, true);
+          return;
+        }
+      }
+    }
+    callback(null, false);
+  };
+}
+
 // src/next/vite/filterPublicEnv.ts
 function filterPublicEnv(env = process.env) {
   const publicEnv = {};
@@ -2014,6 +2059,13 @@ var createConfig = async ({
     },
     server: {
       host: configManager.config?.build?.host ?? false,
+      // Restrict Vite's built-in CORS to the same origins our custom
+      // middleware allows (localhost + user-configured allowedOrigins).
+      cors: {
+        origin: buildCorsOriginCheck(
+          configManager.config?.server?.allowedOrigins
+        )
+      },
       watch: noWatch ? {
         ignored: ["**/*"]
       } : {
@@ -2023,7 +2075,15 @@ var createConfig = async ({
         ]
       },
       fs: {
-        strict: false
+        strict: true,
+        // Allow serving files from the project root and the SPA package.
+        // Without this, Vite would block access to tina config/generated
+        // files since the Vite root is the @tinacms/app package directory.
+        allow: [
+          configManager.spaRootPath,
+          configManager.rootPath,
+          ...configManager.contentRootPath && configManager.contentRootPath !== configManager.rootPath ? [configManager.contentRootPath] : []
+        ]
       }
     },
     build: {
@@ -2053,19 +2113,19 @@ var createConfig = async ({
 };
 
 // src/next/vite/plugins.ts
-import { createFilter } from "@rollup/pluginutils";
 import fs6 from "fs";
-import { transformWithEsbuild } from "vite";
-import { transform as esbuildTransform } from "esbuild";
 import path7 from "path";
+import { createFilter } from "@rollup/pluginutils";
+import { resolve as gqlResolve } from "@tinacms/graphql";
 import bodyParser from "body-parser";
 import cors from "cors";
-import { resolve as gqlResolve } from "@tinacms/graphql";
+import { transform as esbuildTransform } from "esbuild";
+import { transformWithEsbuild } from "vite";
 
 // src/next/commands/dev-command/server/media.ts
-import fs5 from "fs-extra";
 import path6, { join } from "path";
 import busboy from "busboy";
+import fs5 from "fs-extra";
 var createMediaRouter = (config2) => {
   const mediaFolder = path6.join(
     config2.rootPath,
@@ -2074,31 +2134,68 @@ var createMediaRouter = (config2) => {
   );
   const mediaModel = new MediaModel(config2);
   const handleList = async (req, res) => {
-    const requestURL = new URL(req.url, config2.apiURL);
-    const folder = requestURL.pathname.replace("/media/list/", "");
-    const limit = requestURL.searchParams.get("limit");
-    const cursor = requestURL.searchParams.get("cursor");
-    const media = await mediaModel.listMedia({
-      searchPath: folder,
-      cursor,
-      limit
-    });
-    res.end(JSON.stringify(media));
+    try {
+      const requestURL = new URL(req.url, config2.apiURL);
+      const folder = decodeURIComponent(
+        requestURL.pathname.replace("/media/list/", "")
+      );
+      const limit = requestURL.searchParams.get("limit");
+      const cursor = requestURL.searchParams.get("cursor");
+      const media = await mediaModel.listMedia({
+        searchPath: folder,
+        cursor,
+        limit
+      });
+      res.end(JSON.stringify(media));
+    } catch (error) {
+      if (error instanceof PathTraversalError) {
+        res.statusCode = 403;
+        res.end(JSON.stringify({ error: error.message }));
+        return;
+      }
+      throw error;
+    }
   };
   const handleDelete = async (req, res) => {
-    const file = decodeURIComponent(req.url.slice("/media/".length));
-    const didDelete = await mediaModel.deleteMedia({ searchPath: file });
-    res.end(JSON.stringify(didDelete));
+    try {
+      const file = decodeURIComponent(req.url.slice("/media/".length));
+      const didDelete = await mediaModel.deleteMedia({ searchPath: file });
+      res.end(JSON.stringify(didDelete));
+    } catch (error) {
+      if (error instanceof PathTraversalError) {
+        res.statusCode = 403;
+        res.end(JSON.stringify({ error: error.message }));
+        return;
+      }
+      throw error;
+    }
   };
   const handlePost = async function(req, res) {
     const bb = busboy({ headers: req.headers });
+    let responded = false;
     bb.on("file", async (_name, file, _info) => {
-      const fullPath = decodeURI(req.url?.slice("/media/upload/".length));
-      const saveTo = path6.join(mediaFolder, ...fullPath.split("/"));
+      const fullPath = decodeURIComponent(
+        req.url?.slice("/media/upload/".length)
+      );
+      let saveTo;
+      try {
+        saveTo = resolveStrictlyWithinBase(fullPath, mediaFolder);
+      } catch {
+        responded = true;
+        file.resume();
+        res.statusCode = 403;
+        res.end(
+          JSON.stringify({
+            error: `Path traversal detected: ${fullPath}`
+          })
+        );
+        return;
+      }
       await fs5.ensureDir(path6.dirname(saveTo));
       file.pipe(fs5.createWriteStream(saveTo));
     });
     bb.on("error", (error) => {
+      responded = true;
       res.statusCode = 500;
       if (error instanceof Error) {
         res.end(JSON.stringify({ message: error }));
@@ -2107,6 +2204,7 @@ var createMediaRouter = (config2) => {
       }
     });
     bb.on("close", () => {
+      if (responded) return;
       res.statusCode = 200;
       res.end(JSON.stringify({ success: true }));
     });
@@ -2121,6 +2219,32 @@ var parseMediaFolder = (str) => {
     returnString = returnString.substr(0, returnString.length - 1);
   return returnString;
 };
+var ENCODED_TRAVERSAL_RE = /%2e%2e|%2f|%5c/i;
+function resolveWithinBase(userPath, baseDir) {
+  if (ENCODED_TRAVERSAL_RE.test(userPath)) {
+    throw new PathTraversalError(userPath);
+  }
+  const resolvedBase = path6.resolve(baseDir);
+  const resolved = path6.resolve(path6.join(baseDir, userPath));
+  if (resolved === resolvedBase) {
+    return resolvedBase;
+  }
+  if (resolved.startsWith(resolvedBase + path6.sep)) {
+    return resolved;
+  }
+  throw new PathTraversalError(userPath);
+}
+function resolveStrictlyWithinBase(userPath, baseDir) {
+  if (ENCODED_TRAVERSAL_RE.test(userPath)) {
+    throw new PathTraversalError(userPath);
+  }
+  const resolvedBase = path6.resolve(baseDir) + path6.sep;
+  const resolved = path6.resolve(path6.join(baseDir, userPath));
+  if (!resolved.startsWith(resolvedBase)) {
+    throw new PathTraversalError(userPath);
+  }
+  return resolved;
+}
 var MediaModel = class {
   rootPath;
   publicFolder;
@@ -2132,22 +2256,18 @@ var MediaModel = class {
   }
   async listMedia(args) {
     try {
-      const folderPath = join(
-        this.rootPath,
-        this.publicFolder,
-        this.mediaRoot,
-        decodeURIComponent(args.searchPath)
-      );
+      const mediaBase = join(this.rootPath, this.publicFolder, this.mediaRoot);
+      const validatedPath = resolveWithinBase(args.searchPath, mediaBase);
       const searchPath = parseMediaFolder(args.searchPath);
-      if (!await fs5.pathExists(folderPath)) {
+      if (!await fs5.pathExists(validatedPath)) {
         return {
           files: [],
           directories: []
         };
       }
-      const filesStr = await fs5.readdir(folderPath);
+      const filesStr = await fs5.readdir(validatedPath);
       const filesProm = filesStr.map(async (file) => {
-        const filePath = join(folderPath, file);
+        const filePath = join(validatedPath, file);
         const stat = await fs5.stat(filePath);
         let src = `/${file}`;
         const isFile = stat.isFile();
@@ -2194,6 +2314,7 @@ var MediaModel = class {
         cursor
       };
     } catch (error) {
+      if (error instanceof PathTraversalError) throw error;
       console.error(error);
       return {
         files: [],
@@ -2204,16 +2325,13 @@ var MediaModel = class {
   }
   async deleteMedia(args) {
     try {
-      const file = join(
-        this.rootPath,
-        this.publicFolder,
-        this.mediaRoot,
-        decodeURIComponent(args.searchPath)
-      );
+      const mediaBase = join(this.rootPath, this.publicFolder, this.mediaRoot);
+      const file = resolveStrictlyWithinBase(args.searchPath, mediaBase);
       await fs5.stat(file);
       await fs5.remove(file);
       return { ok: true };
     } catch (error) {
+      if (error instanceof PathTraversalError) throw error;
       console.error(error);
       return { ok: false, message: error?.toString() };
     }
@@ -2336,10 +2454,18 @@ var devServerEndPointsPlugin = ({
   searchIndex,
   databaseLock
 }) => {
+  const corsOriginCheck = buildCorsOriginCheck(
+    configManager.config?.server?.allowedOrigins
+  );
   const plug = {
     name: "graphql-endpoints",
     configureServer(server) {
-      server.middlewares.use(cors());
+      server.middlewares.use(
+        cors({
+          origin: corsOriginCheck,
+          methods: ["GET", "HEAD", "PUT", "PATCH", "POST", "DELETE"]
+        })
+      );
       server.middlewares.use(bodyParser.json({ limit: "5mb" }));
       server.middlewares.use(async (req, res, next) => {
         const mediaPaths = configManager.config.media?.tina;
@@ -5806,6 +5932,12 @@ import { LocalAuthProvider } from "tinacms";`;
       outputFolder: "admin",
       publicFolder: "${args.publicFolder}",
     },
+    // Uncomment to allow cross-origin requests from non-localhost origins
+    // during local development (e.g. GitHub Codespaces, Gitpod, Docker).
+    // Use 'private' to allow all private-network IPs (WSL2, Docker, etc.)
+    // server: {
+    //   allowedOrigins: ['https://your-codespace.github.dev'],
+    // },
     media: {
       tina: {
         mediaRoot: "",

package/dist/next/commands/dev-command/server/media.d.ts

@@ -1,5 +1,5 @@
-import type { Connect } from 'vite';
 import type { ServerResponse } from 'http';
+import type { Connect } from 'vite';
 export declare const createMediaRouter: (config: PathConfig) => {
     handleList: (req: any, res: any) => Promise<void>;
     handleDelete: (req: Connect.IncomingMessage, res: any) => Promise<void>;
@@ -34,6 +34,23 @@ type SuccessRecord = {
     ok: false;
     message: string;
 };
+/**
+ * Handles media file operations (list, delete) for the Vite-based dev server.
+ *
+ * @security Every method that accepts a user-supplied `searchPath` validates
+ * it against the media root using `resolveWithinBase` (list) or
+ * `resolveStrictlyWithinBase` (delete) before any filesystem access.
+ *
+ * - **list** uses `resolveWithinBase` because listing the media root itself
+ *   (empty path / exact base match) is a valid operation.
+ * - **delete** uses `resolveStrictlyWithinBase` because deleting the media
+ *   root directory itself must never be allowed.
+ *
+ * Both methods catch `PathTraversalError` and re-throw it so that the
+ * route handler can return a 403 response. Other errors are caught and
+ * returned as structured error responses (this avoids leaking stack traces
+ * to the client).
+ */
 export declare class MediaModel {
     readonly rootPath: string;
     readonly publicFolder: string;

package/dist/next/database.d.ts

@@ -1,4 +1,4 @@
-import { Database, Bridge } from '@tinacms/graphql';
+import { Bridge, Database } from '@tinacms/graphql';
 import { ConfigManager } from './config-manager';
 export declare const createDBServer: (port: number) => void;
 export declare function createAndInitializeDatabase(configManager: ConfigManager, datalayerPort: number, bridgeOverride?: Bridge): Promise<Database>;

package/dist/next/vite/cors.d.ts

@@ -0,0 +1,13 @@
+/**
+ * Shared CORS origin-checking logic for the TinaCMS dev server.
+ *
+ * By default only localhost / 127.0.0.1 / [::1] (any port) are allowed.
+ * Users can extend this via `server.allowedOrigins` in their tina config.
+ * The special keyword `'private'` expands to all RFC 1918 private-network
+ * IP ranges (10.x, 172.16-31.x, 192.168.x) — useful for WSL2, Docker
+ * bridge networks, etc.
+ */
+/**
+ * Build a CORS `origin` callback compatible with the `cors` npm package.
+ */
+export declare function buildCorsOriginCheck(allowedOrigins?: (string | RegExp)[]): (origin: string | undefined, callback: (err: Error | null, allow?: boolean) => void) => void;

package/dist/next/vite/plugins.d.ts

@@ -1,8 +1,8 @@
-import type { Plugin } from 'vite';
 import { FilterPattern } from '@rollup/pluginutils';
 import type { Config } from '@svgr/core';
-import { transformWithEsbuild } from 'vite';
 import type { Database } from '@tinacms/graphql';
+import type { Plugin } from 'vite';
+import { transformWithEsbuild } from 'vite';
 import type { ConfigManager } from '../config-manager';
 export declare const transformTsxPlugin: ({ configManager: _configManager, }: {
     configManager: ConfigManager;

package/dist/server/models/media.d.ts

@@ -28,6 +28,23 @@ type SuccessRecord = {
     ok: false;
     message: string;
 };
+/**
+ * Handles media file operations (list, delete) for the Express-based server.
+ *
+ * @security Every method that accepts a user-supplied `searchPath` validates
+ * it against the media root using `resolveWithinBase` (list) or
+ * `resolveStrictlyWithinBase` (delete) before any filesystem access.
+ *
+ * - **list** uses `resolveWithinBase` because listing the media root itself
+ *   (empty path / exact base match) is a valid operation.
+ * - **delete** uses `resolveStrictlyWithinBase` because deleting the media
+ *   root directory itself must never be allowed.
+ *
+ * Both methods catch `PathTraversalError` and re-throw it so that the
+ * route handler can return a 403 response. Other errors are caught and
+ * returned as structured error responses (this avoids leaking stack traces
+ * to the client).
+ */
 export declare class MediaModel {
     readonly rootPath: string;
     readonly publicFolder: string;

package/dist/utils/path.d.ts

@@ -1,3 +1,29 @@
 /** Removes trailing slash from path. Separator to remove is chosen based on
  *  operating system. */
 export declare function stripNativeTrailingSlash(p: string): string;
+/**
+ * Validates that a user-supplied path does not escape the base directory
+ * via path traversal (CWE-22). Returns the resolved absolute path.
+ *
+ * Allows an exact base match (empty or `.` input) — use this for list/read
+ * operations where referencing the root directory itself is valid. For
+ * delete/write operations where you need to target an actual file, use the
+ * `resolveStrictlyWithinBase` variant (currently inlined in media models).
+ *
+ * As a safety net, also rejects paths that still contain URL-encoded
+ * traversal sequences (`%2e%2e`, `%2f`, `%5c`), catching cases where the
+ * caller forgot to decode.
+ *
+ * @security This is the canonical implementation. Inlined copies exist in
+ * the media model files for CodeQL compatibility — keep them in sync.
+ *
+ * @param userPath - The untrusted path from the request (must already be
+ *   URI-decoded by the caller).
+ * @param baseDir  - The trusted base directory the path must stay within.
+ * @returns The resolved absolute path.
+ * @throws {PathTraversalError} If the path escapes the base directory.
+ */
+export declare function assertPathWithinBase(userPath: string, baseDir: string): string;
+export declare class PathTraversalError extends Error {
+    constructor(attemptedPath: string);
+}

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tinacms/cli",
   "type": "module",
-  "version": "2.1.6",
+  "version": "2.1.8",
   "main": "dist/index.js",
   "typings": "dist/index.d.ts",
   "files": [
@@ -88,12 +88,12 @@
     "vite": "^4.5.9",
     "yup": "^1.6.1",
     "zod": "^3.24.2",
-    "@tinacms/app": "2.3.25",
-    "@tinacms/schema-tools": "2.6.0",
-    "@tinacms/graphql": "2.1.2",
+    "@tinacms/app": "2.3.27",
+    "@tinacms/graphql": "2.1.4",
     "@tinacms/metrics": "2.0.1",
-    "@tinacms/search": "1.2.3",
-    "tinacms": "3.5.0"
+    "@tinacms/schema-tools": "2.7.0",
+    "@tinacms/search": "1.2.5",
+    "tinacms": "3.6.0"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org"