@tinacms/graphql 2.2.1 → 2.2.3

package/dist/index.js

@@ -3026,7 +3026,7 @@ var validateField = async (field) => {
 var package_default = {
   name: "@tinacms/graphql",
   type: "module",
-  version: "2.2.1",
+  version: "2.2.3",
   main: "dist/index.js",
   module: "./dist/index.js",
   files: [
@@ -4917,7 +4917,7 @@ var updateObjectWithJsonPath = (obj, path9, oldValue, newValue) => {
   }
   return { object: obj, updated };
 };
-var Resolver = class {
+var Resolver = class _Resolver {
   constructor(init) {
     this.init = init;
     this.config = init.config;
@@ -5188,8 +5188,17 @@ var Resolver = class {
    * path traversal attacks where a user might attempt to read or write files
    * outside of the intended collection.
    */
+  static sanitizePath(input) {
+    if (input.includes("\0")) {
+      throw new Error("Invalid path: null bytes are not allowed");
+    }
+    return input.replace(/\\/g, "/");
+  }
   validatePath = (fullPath, collection, relativePath) => {
-    const normalizedPath = path3.normalize(fullPath);
+    if (fullPath.includes("\0")) {
+      throw new Error("Invalid path: null bytes are not allowed");
+    }
+    const normalizedPath = path3.normalize(fullPath.replace(/\\/g, "/"));
     const normalizedCollectionPath = path3.normalize(collection.path);
     const relative = path3.relative(normalizedCollectionPath, normalizedPath);
     if (relative.startsWith("..")) {
@@ -5220,16 +5229,17 @@ var Resolver = class {
    */
   getValidatedPath = (collectionName, relativePath, options) => {
     const collection = this.getCollectionWithName(collectionName);
-    const pathSegments = [collection.path, relativePath];
+    const sanitizedRelativePath = _Resolver.sanitizePath(relativePath);
+    const pathSegments = [collection.path, sanitizedRelativePath];
     if (options?.extraSegments) {
-      pathSegments.push(...options.extraSegments);
+      pathSegments.push(...options.extraSegments.map(_Resolver.sanitizePath));
     }
     const realPath = path3.join(...pathSegments);
     const shouldValidateExtension = options?.validateExtension !== false;
     this.validatePath(
       realPath,
       collection,
-      shouldValidateExtension ? relativePath : void 0
+      shouldValidateExtension ? sanitizedRelativePath : void 0
     );
     return { collection, realPath };
   };
@@ -8021,14 +8031,39 @@ import path7 from "path";
 import fg from "fast-glob";
 import fs2 from "fs-extra";
 import normalize from "normalize-path";
+function resolveRealPath(candidate) {
+  try {
+    return fs2.realpathSync(candidate);
+  } catch {
+    const parent = path7.dirname(candidate);
+    if (parent === candidate) return candidate;
+    return path7.join(resolveRealPath(parent), path7.basename(candidate));
+  }
+}
 function assertWithinBase(filepath, baseDir) {
+  if (filepath.includes("\0")) {
+    throw new Error("Invalid path: null bytes are not allowed");
+  }
+  const sanitized = filepath.replace(/\\/g, "/");
   const resolvedBase = path7.resolve(baseDir);
-  const resolved = path7.resolve(path7.join(baseDir, filepath));
+  const resolved = path7.resolve(path7.join(baseDir, sanitized));
   if (resolved !== resolvedBase && !resolved.startsWith(resolvedBase + path7.sep)) {
     throw new Error(
       `Path traversal detected: "${filepath}" escapes the base directory`
     );
   }
+  try {
+    const realBase = fs2.realpathSync(resolvedBase);
+    const realResolved = resolveRealPath(resolved);
+    if (realResolved !== realBase && !realResolved.startsWith(realBase + path7.sep)) {
+      throw new Error(
+        `Path traversal detected: "${filepath}" escapes the base directory`
+      );
+    }
+  } catch (err) {
+    if (err instanceof Error && err.message.startsWith("Path traversal"))
+      throw err;
+  }
   return resolved;
 }
 var FilesystemBridge = class {
@@ -8090,7 +8125,11 @@ import { GraphQLError as GraphQLError6 } from "graphql";
 import git2 from "isomorphic-git";
 import normalize2 from "normalize-path";
 function assertWithinBase2(filepath, relativePath) {
-  const qualified = relativePath ? `${relativePath}/${filepath}` : filepath;
+  if (filepath.includes("\0")) {
+    throw new Error("Invalid path: null bytes are not allowed");
+  }
+  const sanitized = filepath.replace(/\\/g, "/");
+  const qualified = relativePath ? `${relativePath}/${sanitized}` : sanitized;
   const normalized = path8.normalize(qualified);
   if (normalized.startsWith("..") || normalized.startsWith("/") || path8.isAbsolute(normalized) || relativePath && normalized !== relativePath && !normalized.startsWith(relativePath + "/")) {
     throw new Error(

package/dist/resolver/index.d.ts

@@ -235,6 +235,7 @@ export declare class Resolver {
      * path traversal attacks where a user might attempt to read or write files
      * outside of the intended collection.
      */
+    private static sanitizePath;
     private validatePath;
     /**
      * Helper method to get collection and construct validated path.

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tinacms/graphql",
   "type": "module",
-  "version": "2.2.1",
+  "version": "2.2.3",
   "main": "dist/index.js",
   "module": "./dist/index.js",
   "files": [
@@ -43,8 +43,8 @@
     "normalize-path": "^3.0.0",
     "readable-stream": "^4.7.0",
     "yup": "^1.6.1",
-    "@tinacms/mdx": "2.1.0",
-    "@tinacms/schema-tools": "2.7.0"
+    "@tinacms/mdx": "2.1.1",
+    "@tinacms/schema-tools": "2.7.1"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org"
@@ -72,7 +72,7 @@
     "vite": "^4.5.9",
     "vitest": "^0.32.4",
     "zod": "^3.24.2",
-    "@tinacms/schema-tools": "2.7.0",
+    "@tinacms/schema-tools": "2.7.1",
     "@tinacms/scripts": "1.6.0"
   },
   "scripts": {