npm - @tinacms/graphql - Versions diffs - 2.1.0 → 2.1.2 - Mend

@tinacms/graphql 2.1.0 → 2.1.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -3026,7 +3026,7 @@ var validateField = async (field) => {
 var package_default = {
   name: "@tinacms/graphql",
   type: "module",
-  version: "2.1.0",
+  version: "2.1.2",
   main: "dist/index.js",
   module: "./dist/index.js",
   files: [
@@ -5100,8 +5100,10 @@ var Resolver = class {
     relativePath,
     templateName
   }) => {
-    const collection = this.getCollectionWithName(collectionName);
-    const realPath = path3.join(collection.path, relativePath);
+    const { collection, realPath } = this.getValidatedPath(
+      collectionName,
+      relativePath
+    );
     const alreadyExists = await this.database.documentExists(realPath);
     if (alreadyExists) {
       throw new Error(`Unable to add document, ${realPath} already exists`);
@@ -5178,6 +5180,58 @@ var Resolver = class {
     }
     return this.tinaSchema.getCollection(collectionName);
   };
+  /**
+   * validatePath ensures that the provided path remains within the boundaries
+   * of the collection's directory and that the file extension matches the
+   * collection's configured format. This is a critical security check to prevent
+   * path traversal attacks where a user might attempt to read or write files
+   * outside of the intended collection.
+   */
+  validatePath = (fullPath, collection, relativePath) => {
+    const normalizedPath = path3.normalize(fullPath);
+    const normalizedCollectionPath = path3.normalize(collection.path);
+    const relative = path3.relative(normalizedCollectionPath, normalizedPath);
+    if (relative.startsWith("..")) {
+      throw new Error(`Invalid path: path escapes the collection directory`);
+    }
+    if (path3.isAbsolute(relative)) {
+      throw new Error(`Invalid path: absolute paths are not allowed`);
+    }
+    if (relativePath) {
+      const collectionFormat = collection.format || "md";
+      const fileExtension = path3.extname(relativePath).toLowerCase().slice(1);
+      if (fileExtension !== collectionFormat) {
+        throw new Error(
+          `Invalid file extension: expected '.${collectionFormat}' but got '.${fileExtension}'`
+        );
+      }
+    }
+  };
+  /**
+   * Helper method to get collection and construct validated path.
+   * This encapsulates the common pattern of getting a collection, joining paths,
+   * and validating the result, ensuring security checks are always performed.
+   *
+   * @param collectionName - Name of the collection
+   * @param relativePath - Relative path within the collection
+   * @param options - Optional configuration
+   * @returns Object containing the collection and validated real path
+   */
+  getValidatedPath = (collectionName, relativePath, options) => {
+    const collection = this.getCollectionWithName(collectionName);
+    const pathSegments = [collection.path, relativePath];
+    if (options?.extraSegments) {
+      pathSegments.push(...options.extraSegments);
+    }
+    const realPath = path3.join(...pathSegments);
+    const shouldValidateExtension = options?.validateExtension !== false;
+    this.validatePath(
+      realPath,
+      collection,
+      shouldValidateExtension ? relativePath : void 0
+    );
+    return { collection, realPath };
+  };
   /*
    * Used for getDocument, get<Collection>Document.
    */
@@ -5185,8 +5239,10 @@ var Resolver = class {
     collectionName,
     relativePath
   }) => {
-    const collection = this.getCollectionWithName(collectionName);
-    const realPath = path3.join(collection.path, relativePath);
+    const { collection, realPath } = this.getValidatedPath(
+      collectionName,
+      relativePath
+    );
     return this.getDocument(realPath, {
       collection,
       checkReferences: true
@@ -5205,6 +5261,7 @@ var Resolver = class {
       relativePath,
       `.gitkeep.${collection.format || "md"}`
     );
+    this.validatePath(realPath, collection);
     const alreadyExists = await this.database.documentExists(realPath);
     if (alreadyExists) {
       throw new Error(`Unable to add folder, ${realPath} already exists`);
@@ -5221,8 +5278,10 @@ var Resolver = class {
     relativePath,
     body
   }) => {
-    const collection = this.getCollectionWithName(collectionName);
-    const realPath = path3.join(collection.path, relativePath);
+    const { collection, realPath } = this.getValidatedPath(
+      collectionName,
+      relativePath
+    );
     const alreadyExists = await this.database.documentExists(realPath);
     if (alreadyExists) {
       throw new Error(`Unable to add document, ${realPath} already exists`);
@@ -5237,15 +5296,20 @@ var Resolver = class {
     newRelativePath,
     newBody
   }) => {
-    const collection = this.getCollectionWithName(collectionName);
-    const realPath = path3.join(collection.path, relativePath);
+    const { collection, realPath } = this.getValidatedPath(
+      collectionName,
+      relativePath
+    );
     const alreadyExists = await this.database.documentExists(realPath);
     if (!alreadyExists) {
       throw new Error(`Unable to update document, ${realPath} does not exist`);
     }
     const doc = await this.getDocument(realPath);
     if (newRelativePath) {
-      const newRealPath = path3.join(collection?.path, newRelativePath);
+      const { realPath: newRealPath } = this.getValidatedPath(
+        collectionName,
+        newRelativePath
+      );
       if (newRealPath === realPath) {
         return doc;
       }
@@ -5308,8 +5372,10 @@ var Resolver = class {
     collectionName,
     relativePath
   }) => {
-    const collection = this.getCollectionWithName(collectionName);
-    const realPath = path3.join(collection.path, relativePath);
+    const { collection, realPath } = this.getValidatedPath(
+      collectionName,
+      relativePath
+    );
     const alreadyExists = await this.database.documentExists(realPath);
     if (!alreadyExists) {
       throw new Error(`Unable to delete document, ${realPath} does not exist`);
@@ -5528,7 +5594,10 @@ var Resolver = class {
             params: yup3.object({ relativePath: yup3.string().required() }).required()
           })
         );
-        const realPath = path3.join(collection.path, args.relativePath);
+        const realPath = this.getValidatedPath(
+          collection.name,
+          args.relativePath
+        ).realPath;
         return this.updateResolveDocument({
           collection,
           realPath,
@@ -5548,7 +5617,10 @@ var Resolver = class {
         });
       }
     } else {
-      const realPath = path3.join(collection.path, args.relativePath);
+      const realPath = this.getValidatedPath(
+        collection.name,
+        args.relativePath
+      ).realPath;
       return this.getDocument(realPath, {
         collection,
         checkReferences: true

package/dist/resolver/index.d.ts CHANGED Viewed

@@ -228,6 +228,25 @@ export declare class Resolver {
      */
     resolveLegacyValues: (oldDoc: any, collection: Collection<true>) => {};
     private getCollectionWithName;
+    /**
+     * validatePath ensures that the provided path remains within the boundaries
+     * of the collection's directory and that the file extension matches the
+     * collection's configured format. This is a critical security check to prevent
+     * path traversal attacks where a user might attempt to read or write files
+     * outside of the intended collection.
+     */
+    private validatePath;
+    /**
+     * Helper method to get collection and construct validated path.
+     * This encapsulates the common pattern of getting a collection, joining paths,
+     * and validating the result, ensuring security checks are always performed.
+     *
+     * @param collectionName - Name of the collection
+     * @param relativePath - Relative path within the collection
+     * @param options - Optional configuration
+     * @returns Object containing the collection and validated real path
+     */
+    private getValidatedPath;
     resolveRetrievedDocument: ({ collectionName, relativePath, }: {
         collectionName: string;
         relativePath: string;

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@tinacms/graphql",
   "type": "module",
-  "version": "2.1.0",
+  "version": "2.1.2",
   "main": "dist/index.js",
   "module": "./dist/index.js",
   "files": [
@@ -37,14 +37,14 @@
     "isomorphic-git": "^1.29.0",
     "js-sha1": "^0.6.0",
     "js-yaml": "^3.14.1",
-    "jsonpath-plus": "10.1.0",
+    "jsonpath-plus": "^10.3.0",
     "many-level": "^2.0.0",
     "micromatch": "4.0.8",
     "normalize-path": "^3.0.0",
     "readable-stream": "^4.7.0",
     "yup": "^1.6.1",
-    "@tinacms/mdx": "2.0.4",
-    "@tinacms/schema-tools": "2.4.0"
+    "@tinacms/schema-tools": "2.6.0",
+    "@tinacms/mdx": "2.0.6"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org"
@@ -71,8 +71,8 @@
     "vite": "^4.5.9",
     "vitest": "^0.32.4",
     "zod": "^3.24.2",
-    "@tinacms/schema-tools": "2.4.0",
-    "@tinacms/scripts": "1.4.2"
+    "@tinacms/schema-tools": "2.6.0",
+    "@tinacms/scripts": "1.5.0"
   },
   "scripts": {
     "types": "pnpm tsc",