npm - @tinacms/graphql - Versions diffs - 2.2.1 → 2.2.2 - Mend

@tinacms/graphql 2.2.1 → 2.2.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (3) hide show

package/dist/index.js CHANGED Viewed

@@ -3026,7 +3026,7 @@ var validateField = async (field) => {
 var package_default = {
   name: "@tinacms/graphql",
   type: "module",
-  version: "2.2.1",
+  version: "2.2.2",
   main: "dist/index.js",
   module: "./dist/index.js",
   files: [
@@ -4917,7 +4917,7 @@ var updateObjectWithJsonPath = (obj, path9, oldValue, newValue) => {
   }
   return { object: obj, updated };
 };
-var Resolver = class {
+var Resolver = class _Resolver {
   constructor(init) {
     this.init = init;
     this.config = init.config;
@@ -5188,8 +5188,17 @@ var Resolver = class {
    * path traversal attacks where a user might attempt to read or write files
    * outside of the intended collection.
    */
+  static sanitizePath(input) {
+    if (input.includes("\0")) {
+      throw new Error("Invalid path: null bytes are not allowed");
+    }
+    return input.replace(/\\/g, "/");
+  }
   validatePath = (fullPath, collection, relativePath) => {
-    const normalizedPath = path3.normalize(fullPath);
+    if (fullPath.includes("\0")) {
+      throw new Error("Invalid path: null bytes are not allowed");
+    }
+    const normalizedPath = path3.normalize(fullPath.replace(/\\/g, "/"));
     const normalizedCollectionPath = path3.normalize(collection.path);
     const relative = path3.relative(normalizedCollectionPath, normalizedPath);
     if (relative.startsWith("..")) {
@@ -5220,16 +5229,17 @@ var Resolver = class {
    */
   getValidatedPath = (collectionName, relativePath, options) => {
     const collection = this.getCollectionWithName(collectionName);
-    const pathSegments = [collection.path, relativePath];
+    const sanitizedRelativePath = _Resolver.sanitizePath(relativePath);
+    const pathSegments = [collection.path, sanitizedRelativePath];
     if (options?.extraSegments) {
-      pathSegments.push(...options.extraSegments);
+      pathSegments.push(...options.extraSegments.map(_Resolver.sanitizePath));
     }
     const realPath = path3.join(...pathSegments);
     const shouldValidateExtension = options?.validateExtension !== false;
     this.validatePath(
       realPath,
       collection,
-      shouldValidateExtension ? relativePath : void 0
+      shouldValidateExtension ? sanitizedRelativePath : void 0
     );
     return { collection, realPath };
   };
@@ -8021,14 +8031,39 @@ import path7 from "path";
 import fg from "fast-glob";
 import fs2 from "fs-extra";
 import normalize from "normalize-path";
+function resolveRealPath(candidate) {
+  try {
+    return fs2.realpathSync(candidate);
+  } catch {
+    const parent = path7.dirname(candidate);
+    if (parent === candidate) return candidate;
+    return path7.join(resolveRealPath(parent), path7.basename(candidate));
+  }
+}
 function assertWithinBase(filepath, baseDir) {
+  if (filepath.includes("\0")) {
+    throw new Error("Invalid path: null bytes are not allowed");
+  }
+  const sanitized = filepath.replace(/\\/g, "/");
   const resolvedBase = path7.resolve(baseDir);
-  const resolved = path7.resolve(path7.join(baseDir, filepath));
+  const resolved = path7.resolve(path7.join(baseDir, sanitized));
   if (resolved !== resolvedBase && !resolved.startsWith(resolvedBase + path7.sep)) {
     throw new Error(
       `Path traversal detected: "${filepath}" escapes the base directory`
     );
   }
+  try {
+    const realBase = fs2.realpathSync(resolvedBase);
+    const realResolved = resolveRealPath(resolved);
+    if (realResolved !== realBase && !realResolved.startsWith(realBase + path7.sep)) {
+      throw new Error(
+        `Path traversal detected: "${filepath}" escapes the base directory`
+      );
+    }
+  } catch (err) {
+    if (err instanceof Error && err.message.startsWith("Path traversal"))
+      throw err;
+  }
   return resolved;
 }
 var FilesystemBridge = class {
@@ -8090,7 +8125,11 @@ import { GraphQLError as GraphQLError6 } from "graphql";
 import git2 from "isomorphic-git";
 import normalize2 from "normalize-path";
 function assertWithinBase2(filepath, relativePath) {
-  const qualified = relativePath ? `${relativePath}/${filepath}` : filepath;
+  if (filepath.includes("\0")) {
+    throw new Error("Invalid path: null bytes are not allowed");
+  }
+  const sanitized = filepath.replace(/\\/g, "/");
+  const qualified = relativePath ? `${relativePath}/${sanitized}` : sanitized;
   const normalized = path8.normalize(qualified);
   if (normalized.startsWith("..") || normalized.startsWith("/") || path8.isAbsolute(normalized) || relativePath && normalized !== relativePath && !normalized.startsWith(relativePath + "/")) {
     throw new Error(

package/dist/resolver/index.d.ts CHANGED Viewed

@@ -235,6 +235,7 @@ export declare class Resolver {
      * path traversal attacks where a user might attempt to read or write files
      * outside of the intended collection.
      */
+    private static sanitizePath;
     private validatePath;
     /**
      * Helper method to get collection and construct validated path.

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@tinacms/graphql",
   "type": "module",
-  "version": "2.2.1",
+  "version": "2.2.2",
   "main": "dist/index.js",
   "module": "./dist/index.js",
   "files": [