@tinacms/graphql 2.1.1 → 2.1.3

package/dist/database/bridge/filesystem.d.ts

@@ -3,6 +3,10 @@ import type { Bridge } from './index';
  * This is the bridge from whatever datasource we need for I/O.
  * The basic example here is for the filesystem, one is needed
  * for GitHub has well.
+ *
+ * @security All public methods validate their `filepath` / `pattern`
+ * argument via `assertWithinBase` before performing any I/O. If you add a
+ * new method that accepts a path, you MUST validate it the same way.
  */
 export declare class FilesystemBridge implements Bridge {
     rootPath: string;

package/dist/database/bridge/index.d.ts

@@ -1,8 +1,36 @@
+/**
+ * I/O abstraction layer for reading/writing content files.
+ *
+ * @security **Path traversal (CWE-22):** All `filepath` and `pattern`
+ * parameters may originate from user input (e.g. GraphQL mutations or media
+ * API requests). Implementations MUST validate that resolved paths stay
+ * within their root/output directory before performing any filesystem
+ * operation. See `FilesystemBridge.assertWithinBase` and
+ * `IsomorphicBridge.assertWithinBase` for reference implementations.
+ *
+ * The recommended validation pattern is:
+ * ```ts
+ * const resolved = path.resolve(path.join(baseDir, filepath));
+ * if (!resolved.startsWith(path.resolve(baseDir) + path.sep)) {
+ *   throw new Error('Path traversal detected');
+ * }
+ * ```
+ *
+ * If you are adding a new Bridge implementation, add path traversal
+ * validation to every method that accepts a filepath from the caller.
+ */
 export interface Bridge {
     rootPath: string;
+    /**
+     * @param pattern   - Glob pattern prefix (untrusted — validate before use).
+     * @param extension - File extension to match.
+     */
     glob(pattern: string, extension: string): Promise<string[]>;
+    /** @param filepath - Relative path to delete (untrusted — validate before use). */
     delete(filepath: string): Promise<void>;
+    /** @param filepath - Relative path to read (untrusted — validate before use). */
     get(filepath: string): Promise<string>;
+    /** @param filepath - Relative path to write (untrusted — validate before use). */
     put(filepath: string, data: string): Promise<void>;
     /**
      * Optionally, the bridge can perform

package/dist/database/bridge/isomorphic.d.ts

@@ -18,6 +18,11 @@ export type IsomorphicGitBridgeOptions = {
 };
 /**
  * Bridge backed by isomorphic-git
+ *
+ * @security All public methods (glob, get, put, delete) validate their
+ * `filepath` / `pattern` argument via `assertWithinBase` before performing
+ * any git operations. If you add a new method that accepts a path, you
+ * MUST validate it the same way.
  */
 export declare class IsomorphicBridge implements Bridge {
     rootPath: string;

package/dist/index.js

@@ -45,8 +45,8 @@ var btoa = (string2) => {
 var lastItem = (arr) => {
   return arr[arr.length - 1];
 };
-var get = (obj, path8, defaultValue = void 0) => {
-  const travel = (regexp) => String.prototype.split.call(path8, regexp).filter(Boolean).reduce(
+var get = (obj, path9, defaultValue = void 0) => {
+  const travel = (regexp) => String.prototype.split.call(path9, regexp).filter(Boolean).reduce(
     (res, key) => res !== null && res !== void 0 ? res[key] : res,
     obj
   );
@@ -3026,7 +3026,7 @@ var validateField = async (field) => {
 var package_default = {
   name: "@tinacms/graphql",
   type: "module",
-  version: "2.1.1",
+  version: "2.1.3",
   main: "dist/index.js",
   module: "./dist/index.js",
   files: [
@@ -3662,17 +3662,17 @@ var scanAllContent = async (tinaSchema, bridge, callback) => {
     const documentPaths = await bridge.glob(normalPath, format);
     const matches = tinaSchema.getMatches({ collection });
     const filteredPaths = matches.length > 0 ? micromatch(documentPaths, matches) : documentPaths;
-    filteredPaths.forEach((path8) => {
-      if (filesSeen.has(path8)) {
-        filesSeen.get(path8).push(collection.name);
-        duplicateFiles.add(path8);
+    filteredPaths.forEach((path9) => {
+      if (filesSeen.has(path9)) {
+        filesSeen.get(path9).push(collection.name);
+        duplicateFiles.add(path9);
       } else {
-        filesSeen.set(path8, [collection.name]);
+        filesSeen.set(path9, [collection.name]);
       }
     });
-    duplicateFiles.forEach((path8) => {
+    duplicateFiles.forEach((path9) => {
       warnings.push(
-        `"${path8}" Found in multiple collections: ${filesSeen.get(path8).map((collection2) => `"${collection2}"`).join(
+        `"${path9}" Found in multiple collections: ${filesSeen.get(path9).map((collection2) => `"${collection2}"`).join(
           ", "
         )}. This can cause unexpected behavior. We recommend updating the \`match\` property of those collections so that each file is in only one collection.
 This will be an error in the future. See https://tina.io/docs/errors/file-in-mutpliple-collections/
@@ -4235,9 +4235,9 @@ var makeFilterSuffixes = (filterChain, index) => {
   }
 };
 var FOLDER_ROOT = "~";
-var stripCollectionFromPath = (collectionPath, path8) => {
+var stripCollectionFromPath = (collectionPath, path9) => {
   const collectionPathParts = collectionPath.split("/");
-  const pathParts = path8.split("/");
+  const pathParts = path9.split("/");
   const strippedPathParts = pathParts.slice(collectionPathParts.length);
   return strippedPathParts.join("/");
 };
@@ -4293,13 +4293,13 @@ var makeFolderOpsForCollection = (folderTree, collection, indexDefinitions, opTy
       SUBLEVEL_OPTIONS
     );
     let folderSortingIdx = 0;
-    for (const path8 of Array.from(folder).sort()) {
+    for (const path9 of Array.from(folder).sort()) {
       for (const [sort] of Object.entries(indexDefinitions)) {
         const indexSublevel = folderCollectionSublevel.sublevel(
           sort,
           SUBLEVEL_OPTIONS
         );
-        const subFolderKey = sha.hex(path8);
+        const subFolderKey = sha.hex(path9);
         if (sort === DEFAULT_COLLECTION_SORT_KEY) {
           result.push({
             type: opType,
@@ -4381,8 +4381,8 @@ var makeRefOpsForDocument = (filepath, collection, references, data, opType, lev
         SUBLEVEL_OPTIONS
       );
       const references2 = {};
-      for (const path8 of referencePaths) {
-        const ref = JSONPath({ path: path8, json: data });
+      for (const path9 of referencePaths) {
+        const ref = JSONPath({ path: path9, json: data });
         if (!ref) {
           continue;
         }
@@ -4392,24 +4392,24 @@ var makeRefOpsForDocument = (filepath, collection, references, data, opType, lev
               continue;
             }
             if (references2[r]) {
-              references2[r].push(path8);
+              references2[r].push(path9);
             } else {
-              references2[r] = [path8];
+              references2[r] = [path9];
             }
           }
         } else {
           if (references2[ref]) {
-            references2[ref].push(path8);
+            references2[ref].push(path9);
           } else {
-            references2[ref] = [path8];
+            references2[ref] = [path9];
           }
         }
       }
       for (const ref of Object.keys(references2)) {
-        for (const path8 of references2[ref]) {
+        for (const path9 of references2[ref]) {
           result.push({
             type: opType,
-            key: `${ref}${INDEX_KEY_FIELD_SEPARATOR}${path8}${INDEX_KEY_FIELD_SEPARATOR}${filepath}`,
+            key: `${ref}${INDEX_KEY_FIELD_SEPARATOR}${path9}${INDEX_KEY_FIELD_SEPARATOR}${filepath}`,
             sublevel: refSublevel,
             value: opType === "put" ? {} : void 0
           });
@@ -4676,9 +4676,9 @@ var resolveMediaRelativeToCloud = (value, config = { useRelativeMedia: true }, s
     return value;
   }
 };
-var cleanUpSlashes = (path8) => {
-  if (path8) {
-    return `/${path8.replace(/^\/+|\/+$/gm, "")}`;
+var cleanUpSlashes = (path9) => {
+  if (path9) {
+    return `/${path9.replace(/^\/+|\/+$/gm, "")}`;
   }
   return "";
 };
@@ -4888,17 +4888,17 @@ var transformDocumentIntoPayload = async (fullPath, rawData, tinaSchema, config,
     throw e;
   }
 };
-var updateObjectWithJsonPath = (obj, path8, oldValue, newValue) => {
+var updateObjectWithJsonPath = (obj, path9, oldValue, newValue) => {
   let updated = false;
-  if (!path8.includes(".") && !path8.includes("[")) {
-    if (path8 in obj && obj[path8] === oldValue) {
-      obj[path8] = newValue;
+  if (!path9.includes(".") && !path9.includes("[")) {
+    if (path9 in obj && obj[path9] === oldValue) {
+      obj[path9] = newValue;
       updated = true;
     }
     return { object: obj, updated };
   }
-  const parentPath = path8.replace(/\.[^.\[\]]+$/, "");
-  const keyToUpdate = path8.match(/[^.\[\]]+$/)[0];
+  const parentPath = path9.replace(/\.[^.\[\]]+$/, "");
+  const keyToUpdate = path9.match(/[^.\[\]]+$/)[0];
   const parents = JSONPath2({
     path: parentPath,
     json: obj,
@@ -5100,8 +5100,10 @@ var Resolver = class {
     relativePath,
     templateName
   }) => {
-    const collection = this.getCollectionWithName(collectionName);
-    const realPath = path3.join(collection.path, relativePath);
+    const { collection, realPath } = this.getValidatedPath(
+      collectionName,
+      relativePath
+    );
     const alreadyExists = await this.database.documentExists(realPath);
     if (alreadyExists) {
       throw new Error(`Unable to add document, ${realPath} already exists`);
@@ -5178,6 +5180,58 @@ var Resolver = class {
     }
     return this.tinaSchema.getCollection(collectionName);
   };
+  /**
+   * validatePath ensures that the provided path remains within the boundaries
+   * of the collection's directory and that the file extension matches the
+   * collection's configured format. This is a critical security check to prevent
+   * path traversal attacks where a user might attempt to read or write files
+   * outside of the intended collection.
+   */
+  validatePath = (fullPath, collection, relativePath) => {
+    const normalizedPath = path3.normalize(fullPath);
+    const normalizedCollectionPath = path3.normalize(collection.path);
+    const relative = path3.relative(normalizedCollectionPath, normalizedPath);
+    if (relative.startsWith("..")) {
+      throw new Error(`Invalid path: path escapes the collection directory`);
+    }
+    if (path3.isAbsolute(relative)) {
+      throw new Error(`Invalid path: absolute paths are not allowed`);
+    }
+    if (relativePath) {
+      const collectionFormat = collection.format || "md";
+      const fileExtension = path3.extname(relativePath).toLowerCase().slice(1);
+      if (fileExtension !== collectionFormat) {
+        throw new Error(
+          `Invalid file extension: expected '.${collectionFormat}' but got '.${fileExtension}'`
+        );
+      }
+    }
+  };
+  /**
+   * Helper method to get collection and construct validated path.
+   * This encapsulates the common pattern of getting a collection, joining paths,
+   * and validating the result, ensuring security checks are always performed.
+   *
+   * @param collectionName - Name of the collection
+   * @param relativePath - Relative path within the collection
+   * @param options - Optional configuration
+   * @returns Object containing the collection and validated real path
+   */
+  getValidatedPath = (collectionName, relativePath, options) => {
+    const collection = this.getCollectionWithName(collectionName);
+    const pathSegments = [collection.path, relativePath];
+    if (options?.extraSegments) {
+      pathSegments.push(...options.extraSegments);
+    }
+    const realPath = path3.join(...pathSegments);
+    const shouldValidateExtension = options?.validateExtension !== false;
+    this.validatePath(
+      realPath,
+      collection,
+      shouldValidateExtension ? relativePath : void 0
+    );
+    return { collection, realPath };
+  };
   /*
    * Used for getDocument, get<Collection>Document.
    */
@@ -5185,8 +5239,10 @@ var Resolver = class {
     collectionName,
     relativePath
   }) => {
-    const collection = this.getCollectionWithName(collectionName);
-    const realPath = path3.join(collection.path, relativePath);
+    const { collection, realPath } = this.getValidatedPath(
+      collectionName,
+      relativePath
+    );
     return this.getDocument(realPath, {
       collection,
       checkReferences: true
@@ -5205,6 +5261,7 @@ var Resolver = class {
       relativePath,
       `.gitkeep.${collection.format || "md"}`
     );
+    this.validatePath(realPath, collection);
     const alreadyExists = await this.database.documentExists(realPath);
     if (alreadyExists) {
       throw new Error(`Unable to add folder, ${realPath} already exists`);
@@ -5221,8 +5278,10 @@ var Resolver = class {
     relativePath,
     body
   }) => {
-    const collection = this.getCollectionWithName(collectionName);
-    const realPath = path3.join(collection.path, relativePath);
+    const { collection, realPath } = this.getValidatedPath(
+      collectionName,
+      relativePath
+    );
     const alreadyExists = await this.database.documentExists(realPath);
     if (alreadyExists) {
       throw new Error(`Unable to add document, ${realPath} already exists`);
@@ -5237,15 +5296,20 @@ var Resolver = class {
     newRelativePath,
     newBody
   }) => {
-    const collection = this.getCollectionWithName(collectionName);
-    const realPath = path3.join(collection.path, relativePath);
+    const { collection, realPath } = this.getValidatedPath(
+      collectionName,
+      relativePath
+    );
     const alreadyExists = await this.database.documentExists(realPath);
     if (!alreadyExists) {
       throw new Error(`Unable to update document, ${realPath} does not exist`);
     }
     const doc = await this.getDocument(realPath);
     if (newRelativePath) {
-      const newRealPath = path3.join(collection?.path, newRelativePath);
+      const { realPath: newRealPath } = this.getValidatedPath(
+        collectionName,
+        newRelativePath
+      );
       if (newRealPath === realPath) {
         return doc;
       }
@@ -5258,10 +5322,10 @@ var Resolver = class {
         )) {
           let docWithRef = await this.getRaw(pathToDocWithRef);
           let hasUpdate = false;
-          for (const path8 of referencePaths) {
+          for (const path9 of referencePaths) {
             const { object: object2, updated } = updateObjectWithJsonPath(
               docWithRef,
-              path8,
+              path9,
               realPath,
               newRealPath
             );
@@ -5308,8 +5372,10 @@ var Resolver = class {
     collectionName,
     relativePath
   }) => {
-    const collection = this.getCollectionWithName(collectionName);
-    const realPath = path3.join(collection.path, relativePath);
+    const { collection, realPath } = this.getValidatedPath(
+      collectionName,
+      relativePath
+    );
     const alreadyExists = await this.database.documentExists(realPath);
     if (!alreadyExists) {
       throw new Error(`Unable to delete document, ${realPath} does not exist`);
@@ -5324,10 +5390,10 @@ var Resolver = class {
         )) {
           let refDoc = await this.getRaw(pathToDocWithRef);
           let hasUpdate = false;
-          for (const path8 of referencePaths) {
+          for (const path9 of referencePaths) {
             const { object: object2, updated } = updateObjectWithJsonPath(
               refDoc,
-              path8,
+              path9,
               realPath,
               null
             );
@@ -5528,7 +5594,10 @@ var Resolver = class {
             params: yup3.object({ relativePath: yup3.string().required() }).required()
           })
         );
-        const realPath = path3.join(collection.path, args.relativePath);
+        const realPath = this.getValidatedPath(
+          collection.name,
+          args.relativePath
+        ).realPath;
         return this.updateResolveDocument({
           collection,
           realPath,
@@ -5548,7 +5617,10 @@ var Resolver = class {
         });
       }
     } else {
-      const realPath = path3.join(collection.path, args.relativePath);
+      const realPath = this.getValidatedPath(
+        collection.name,
+        args.relativePath
+      ).realPath;
       return this.getDocument(realPath, {
         collection,
         checkReferences: true
@@ -5588,7 +5660,7 @@ var Resolver = class {
           first: -1
         },
         collection: referencedCollection,
-        hydrator: (path8) => path8
+        hydrator: (path9) => path9
         // just return the path
       }
     );
@@ -6029,8 +6101,8 @@ async function handleUpdatePassword({
 // src/error.ts
 import { GraphQLError as GraphQLError3 } from "graphql";
 var NotFoundError = class extends GraphQLError3 {
-  constructor(message, nodes, source, positions, path8, originalError, extensions) {
-    super(message, nodes, source, positions, path8, originalError, extensions);
+  constructor(message, nodes, source, positions, path9, originalError, extensions) {
+    super(message, nodes, source, positions, path9, originalError, extensions);
     this.name = "NotFoundError";
   }
 };
@@ -7292,21 +7364,21 @@ var Database = class {
         edges,
         async ({
           cursor,
-          path: path8,
+          path: path9,
           value
         }) => {
           try {
-            const node = await hydrator(path8, value);
+            const node = await hydrator(path9, value);
             return {
               node,
               cursor: btoa(cursor)
             };
           } catch (error) {
             console.log(error);
-            if (error instanceof Error && (!path8.includes(".tina/__generated__/_graphql.json") || !path8.includes("tina/__generated__/_graphql.json"))) {
+            if (error instanceof Error && (!path9.includes(".tina/__generated__/_graphql.json") || !path9.includes("tina/__generated__/_graphql.json"))) {
               throw new TinaQueryError({
                 originalError: error,
-                file: path8,
+                file: path9,
                 collection: collection.name
               });
             }
@@ -7594,8 +7666,8 @@ var Database = class {
     return { warnings };
   };
 };
-var hashPasswordVisitor = async (node, path8) => {
-  const passwordValuePath = [...path8, "value"];
+var hashPasswordVisitor = async (node, path9) => {
+  const passwordValuePath = [...path9, "value"];
   const plaintextPassword = get(node, passwordValuePath);
   if (plaintextPassword) {
     set2(
@@ -7605,10 +7677,10 @@ var hashPasswordVisitor = async (node, path8) => {
     );
   }
 };
-var visitNodes = async (node, path8, callback) => {
-  const [currentLevel, ...remainingLevels] = path8;
+var visitNodes = async (node, path9, callback) => {
+  const [currentLevel, ...remainingLevels] = path9;
   if (!remainingLevels?.length) {
-    return callback(node, path8);
+    return callback(node, path9);
   }
   if (Array.isArray(node[currentLevel])) {
     for (const item of node[currentLevel]) {
@@ -7937,10 +8009,20 @@ var shaExists = async ({
 }) => git.readCommit({ fs: fs4, dir, oid: sha3 }).then(() => true).catch(() => false);
 
 // src/database/bridge/filesystem.ts
-import fs2 from "fs-extra";
-import fg from "fast-glob";
 import path7 from "path";
+import fg from "fast-glob";
+import fs2 from "fs-extra";
 import normalize from "normalize-path";
+function assertWithinBase(filepath, baseDir) {
+  const resolvedBase = path7.resolve(baseDir);
+  const resolved = path7.resolve(path7.join(baseDir, filepath));
+  if (resolved !== resolvedBase && !resolved.startsWith(resolvedBase + path7.sep)) {
+    throw new Error(
+      `Path traversal detected: "${filepath}" escapes the base directory`
+    );
+  }
+  return resolved;
+}
 var FilesystemBridge = class {
   rootPath;
   outputPath;
@@ -7949,7 +8031,7 @@ var FilesystemBridge = class {
     this.outputPath = outputPath ? path7.resolve(outputPath) : this.rootPath;
   }
   async glob(pattern, extension) {
-    const basePath = path7.join(this.outputPath, ...pattern.split("/"));
+    const basePath = assertWithinBase(pattern, this.outputPath);
     const items = await fg(
       path7.join(basePath, "**", `/*.${extension}`).replace(/\\/g, "/"),
       {
@@ -7963,14 +8045,17 @@ var FilesystemBridge = class {
     );
   }
   async delete(filepath) {
-    await fs2.remove(path7.join(this.outputPath, filepath));
+    const resolved = assertWithinBase(filepath, this.outputPath);
+    await fs2.remove(resolved);
   }
   async get(filepath) {
-    return (await fs2.readFile(path7.join(this.outputPath, filepath))).toString();
+    const resolved = assertWithinBase(filepath, this.outputPath);
+    return (await fs2.readFile(resolved)).toString();
   }
   async put(filepath, data, basePathOverride) {
     const basePath = basePathOverride || this.outputPath;
-    await fs2.outputFile(path7.join(basePath, filepath), data);
+    const resolved = assertWithinBase(filepath, basePath);
+    await fs2.outputFile(resolved, data);
   }
 };
 var AuditFileSystemBridge = class extends FilesystemBridge {
@@ -7990,12 +8075,21 @@ var AuditFileSystemBridge = class extends FilesystemBridge {
 };
 
 // src/database/bridge/isomorphic.ts
-import git2 from "isomorphic-git";
+import path8, { dirname } from "path";
 import fs3 from "fs-extra";
 import globParent from "glob-parent";
-import normalize2 from "normalize-path";
 import { GraphQLError as GraphQLError6 } from "graphql";
-import { dirname } from "path";
+import git2 from "isomorphic-git";
+import normalize2 from "normalize-path";
+function assertWithinBase2(filepath, relativePath) {
+  const qualified = relativePath ? `${relativePath}/${filepath}` : filepath;
+  const normalized = path8.normalize(qualified);
+  if (normalized.startsWith("..") || normalized.startsWith("/") || path8.isAbsolute(normalized) || relativePath && normalized !== relativePath && !normalized.startsWith(relativePath + "/")) {
+    throw new Error(
+      `Path traversal detected: "${filepath}" escapes the content root`
+    );
+  }
+}
 var flat = typeof Array.prototype.flat === "undefined" ? (entries) => entries.reduce((acc, x) => acc.concat(x), []) : (entries) => entries.flat();
 var toUint8Array = (buf) => {
   const ab = new ArrayBuffer(buf.length);
@@ -8074,7 +8168,7 @@ var IsomorphicBridge = class {
   async listEntries({
     pattern,
     entry,
-    path: path8,
+    path: path9,
     results
   }) {
     const treeResult = await git2.readTree({
@@ -8084,7 +8178,7 @@ var IsomorphicBridge = class {
     });
     const children = [];
     for (const childEntry of treeResult.tree) {
-      const childPath = path8 ? `${path8}/${childEntry.path}` : childEntry.path;
+      const childPath = path9 ? `${path9}/${childEntry.path}` : childEntry.path;
       if (childEntry.type === "tree") {
         children.push(childEntry);
       } else {
@@ -8094,7 +8188,7 @@ var IsomorphicBridge = class {
       }
     }
     for (const childEntry of children) {
-      const childPath = path8 ? `${path8}/${childEntry.path}` : childEntry.path;
+      const childPath = path9 ? `${path9}/${childEntry.path}` : childEntry.path;
       await this.listEntries({
         pattern,
         entry: childEntry,
@@ -8112,17 +8206,17 @@ var IsomorphicBridge = class {
    * @param ref - ref to resolve path entries for
    * @private
    */
-  async resolvePathEntries(path8, ref) {
-    let pathParts = path8.split("/");
+  async resolvePathEntries(path9, ref) {
+    let pathParts = path9.split("/");
     const result = await git2.walk({
       ...this.isomorphicConfig,
       map: async (filepath, [head]) => {
         if (head._fullpath === ".") {
           return head;
         }
-        if (path8.startsWith(filepath)) {
-          if (dirname(path8) === dirname(filepath)) {
-            if (path8 === filepath) {
+        if (path9.startsWith(filepath)) {
+          if (dirname(path9) === dirname(filepath)) {
+            if (path9 === filepath) {
               return head;
             }
           } else {
@@ -8153,7 +8247,7 @@ var IsomorphicBridge = class {
    * @param pathParts - parent path parts
    * @private
    */
-  async updateTreeHierarchy(existingOid, updatedOid, path8, type, pathEntries, pathParts) {
+  async updateTreeHierarchy(existingOid, updatedOid, path9, type, pathEntries, pathParts) {
     const lastIdx = pathEntries.length - 1;
     const parentEntry = pathEntries[lastIdx];
     const parentPath = pathParts[lastIdx];
@@ -8168,7 +8262,7 @@ var IsomorphicBridge = class {
         cache: this.cache
       });
       tree = existingOid ? treeResult.tree.map((entry) => {
-        if (entry.path === path8) {
+        if (entry.path === path9) {
           entry.oid = updatedOid;
         }
         return entry;
@@ -8177,7 +8271,7 @@ var IsomorphicBridge = class {
         {
           oid: updatedOid,
           type,
-          path: path8,
+          path: path9,
           mode
         }
       ];
@@ -8186,7 +8280,7 @@ var IsomorphicBridge = class {
         {
           oid: updatedOid,
           type,
-          path: path8,
+          path: path9,
           mode
         }
       ];
@@ -8262,6 +8356,7 @@ var IsomorphicBridge = class {
     return ref;
   }
   async glob(pattern, extension) {
+    assertWithinBase2(pattern, this.relativePath);
     const ref = await this.getRef();
     const parent = globParent(this.qualifyPath(pattern));
     const { pathParts, pathEntries } = await this.resolvePathEntries(
@@ -8295,9 +8390,10 @@ var IsomorphicBridge = class {
       path: parentPath,
       results
     });
-    return results.map((path8) => this.unqualifyPath(path8)).filter((path8) => path8.endsWith(extension));
+    return results.map((path9) => this.unqualifyPath(path9)).filter((path9) => path9.endsWith(extension));
   }
   async delete(filepath) {
+    assertWithinBase2(filepath, this.relativePath);
     const ref = await this.getRef();
     const { pathParts, pathEntries } = await this.resolvePathEntries(
       this.qualifyPath(filepath),
@@ -8369,6 +8465,7 @@ var IsomorphicBridge = class {
     return this.relativePath ? filepath.slice(this.relativePath.length + 1) : filepath;
   }
   async get(filepath) {
+    assertWithinBase2(filepath, this.relativePath);
     const ref = await this.getRef();
     const oid = await git2.resolveRef({
       ...this.isomorphicConfig,
@@ -8383,6 +8480,7 @@ var IsomorphicBridge = class {
     return Buffer.from(blob).toString("utf8");
   }
   async put(filepath, data) {
+    assertWithinBase2(filepath, this.relativePath);
     const ref = await this.getRef();
     const { pathParts, pathEntries } = await this.resolvePathEntries(
       this.qualifyPath(filepath),

package/dist/resolver/index.d.ts

@@ -228,6 +228,25 @@ export declare class Resolver {
      */
     resolveLegacyValues: (oldDoc: any, collection: Collection<true>) => {};
     private getCollectionWithName;
+    /**
+     * validatePath ensures that the provided path remains within the boundaries
+     * of the collection's directory and that the file extension matches the
+     * collection's configured format. This is a critical security check to prevent
+     * path traversal attacks where a user might attempt to read or write files
+     * outside of the intended collection.
+     */
+    private validatePath;
+    /**
+     * Helper method to get collection and construct validated path.
+     * This encapsulates the common pattern of getting a collection, joining paths,
+     * and validating the result, ensuring security checks are always performed.
+     *
+     * @param collectionName - Name of the collection
+     * @param relativePath - Relative path within the collection
+     * @param options - Optional configuration
+     * @returns Object containing the collection and validated real path
+     */
+    private getValidatedPath;
     resolveRetrievedDocument: ({ collectionName, relativePath, }: {
         collectionName: string;
         relativePath: string;

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tinacms/graphql",
   "type": "module",
-  "version": "2.1.1",
+  "version": "2.1.3",
   "main": "dist/index.js",
   "module": "./dist/index.js",
   "files": [
@@ -37,14 +37,14 @@
     "isomorphic-git": "^1.29.0",
     "js-sha1": "^0.6.0",
     "js-yaml": "^3.14.1",
-    "jsonpath-plus": "10.1.0",
+    "jsonpath-plus": "^10.3.0",
     "many-level": "^2.0.0",
     "micromatch": "4.0.8",
     "normalize-path": "^3.0.0",
     "readable-stream": "^4.7.0",
     "yup": "^1.6.1",
-    "@tinacms/mdx": "2.0.5",
-    "@tinacms/schema-tools": "2.5.0"
+    "@tinacms/mdx": "2.0.6",
+    "@tinacms/schema-tools": "2.6.0"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org"
@@ -71,8 +71,8 @@
     "vite": "^4.5.9",
     "vitest": "^0.32.4",
     "zod": "^3.24.2",
-    "@tinacms/scripts": "1.4.2",
-    "@tinacms/schema-tools": "2.5.0"
+    "@tinacms/scripts": "1.5.0",
+    "@tinacms/schema-tools": "2.6.0"
   },
   "scripts": {
     "types": "pnpm tsc",