npm - @tinacms/graphql - Versions diffs - 2.3.0 → 2.4.0 - Mend

@tinacms/graphql 2.3.0 → 2.4.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/database/bridge/filesystem.d.ts +7 -0
package/dist/index.js +76 -23
package/dist/resolver/index.d.ts +5 -0
package/package.json +5 -5

package/dist/database/bridge/filesystem.d.ts CHANGED Viewed

@@ -4,6 +4,11 @@ import type { Bridge } from './index';
  * The basic example here is for the filesystem, one is needed
  * for GitHub has well.
  *
+ * When `outputPath` differs from `rootPath` (multi-repo: generator +
+ * sibling content repo), paths under `tina/__generated__/` still resolve
+ * against `rootPath` — schema/graphql/lookup artifacts live only in the
+ * generator. Everything else (content files) resolves against `outputPath`.
+ *
  * @security All public methods validate their `filepath` / `pattern`
  * argument via `assertWithinBase` before performing any I/O. If you add a
  * new method that accepts a path, you MUST validate it the same way.
@@ -12,6 +17,8 @@ export declare class FilesystemBridge implements Bridge {
     rootPath: string;
     outputPath: string;
     constructor(rootPath: string, outputPath?: string);
+    private baseFor;
+    private assertGeneratedSubtree;
     glob(pattern: string, extension: string): Promise<string[]>;
     delete(filepath: string): Promise<void>;
     get(filepath: string): Promise<string>;

package/dist/index.js CHANGED Viewed

@@ -3035,7 +3035,7 @@ var validateField = async (field) => {
 var package_default = {
   name: "@tinacms/graphql",
   type: "module",
-  version: "2.3.0",
+  version: "2.4.0",
   main: "dist/index.js",
   module: "./dist/index.js",
   files: [
@@ -3779,6 +3779,9 @@ var getTemplateForFile = (templateInfo, data) => {
   throw new Error(`Unable to determine template`);
 };
 var loadAndParseWithAliases = async (bridge, filepath, collection, templateInfo) => {
+  if (filepath.endsWith(".gitkeep")) {
+    return { _is_tina_folder_placeholder: true };
+  }
   const dataString = await bridge.get(normalizePath(filepath));
   const data = parseFile(
     dataString,
@@ -4637,17 +4640,18 @@ var resolveMediaCloudToRelative = (value, config = { useRelativeMedia: true }, s
       return value;
     }
     if (hasTinaMediaConfig(schema) === true) {
-      const assetsURL = `https://${config.assetsHost}/${config.clientId}`;
       const cleanMediaRoot = cleanUpSlashes(schema.config.media.tina.mediaRoot);
-      if (typeof value === "string" && value.includes(assetsURL)) {
+      const cloudUrl = cloudUrlPattern(config.clientId);
+      if (typeof value === "string" && cloudUrl.test(value)) {
         return `${cleanMediaRoot}${stripStagingPrefix(
-          value.replace(assetsURL, "")
+          value.replace(cloudUrl, "")
         )}`;
       }
       if (Array.isArray(value)) {
         return value.map((v) => {
           if (!v || typeof v !== "string") return v;
-          const strippedURL = v.replace(assetsURL, "");
+          if (!cloudUrl.test(v)) return v;
+          const strippedURL = v.replace(cloudUrl, "");
           return `${cleanMediaRoot}${stripStagingPrefix(strippedURL)}`;
         });
       }
@@ -4683,12 +4687,14 @@ var resolveMediaRelativeToCloud = (value, config = { useRelativeMedia: true }, s
     return value;
   }
 };
-var stagingPrefix = (config) => config.branch && config.branch !== config.mediaBranch ? `/__staging/${encodeURIComponent(config.branch)}` : "";
-var STAGING_SEGMENT = /^\/__staging\/[^/]+(\/.*)$/;
+var stagingPrefix = (config) => config.branch && config.branch !== config.mediaBranch ? `/__staging/${config.branch}/__file` : "";
+var STAGING_SEGMENT = /^\/__staging\/.+?\/__file(\/.*)$/;
 var stripStagingPrefix = (path9) => {
   const match = path9.match(STAGING_SEGMENT);
   return match ? match[1] : path9;
 };
+var escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+var cloudUrlPattern = (clientId) => new RegExp(`^https://[^/]+/${escapeRegExp(clientId)}`);
 var cleanUpSlashes = (path9) => {
   if (path9) {
     return `/${path9.replace(/^\/+|\/+$/gm, "")}`;
@@ -5361,6 +5367,12 @@ var Resolver = class _Resolver {
       if (newRealPath === realPath) {
         return doc;
       }
+      const newPathAlreadyExists = await this.database.documentExists(newRealPath);
+      if (newPathAlreadyExists) {
+        throw new Error(
+          `Unable to rename document, ${newRealPath} already exists`
+        );
+      }
       await this.database.put(newRealPath, doc._rawData, collection.name);
       await this.deleteDocument(realPath);
       const collRefs = await this.findReferences(realPath, collection);
@@ -6915,7 +6927,10 @@ var Database = class {
         if (!collection) {
           throw new GraphQLError5(`Unable to find collection for ${filepath}.`);
         }
-        if (collection.match?.exclude || collection.match?.include) {
+        const isFolderPlaceholder = filepath.endsWith(
+          `.gitkeep.${collection.format || "md"}`
+        );
+        if (!isFolderPlaceholder && (collection.match?.exclude || collection.match?.include)) {
           const matches = this.tinaSchema.getMatches({ collection });
           const match = micromatch2.isMatch(filepath, matches);
           if (!match) {
@@ -7839,8 +7854,9 @@ var _indexContent = async ({
           ]);
         }
       }
+      let putOps = [];
       if (!isGitKeep(filepath, collection)) {
-        await enqueueOps([
+        putOps = [
           ...makeRefOpsForDocument(
             normalizedPath,
             collection?.name,
@@ -7865,18 +7881,21 @@ var _indexContent = async ({
             aliasedData,
             "put",
             level
-          ),
-          {
-            type: "put",
-            key: normalizedPath,
-            value: aliasedData,
-            sublevel: level.sublevel(
-              CONTENT_ROOT_PREFIX,
-              SUBLEVEL_OPTIONS
-            )
-          }
-        ]);
+          )
+        ];
       }
+      await enqueueOps([
+        ...putOps,
+        {
+          type: "put",
+          key: normalizedPath,
+          value: aliasedData,
+          sublevel: level.sublevel(
+            CONTENT_ROOT_PREFIX,
+            SUBLEVEL_OPTIONS
+          )
+        }
+      ]);
     } catch (error) {
       throw new TinaFetchError(`Unable to seed ${filepath}`, {
         originalError: error,
@@ -8105,6 +8124,13 @@ function assertWithinBase(filepath, baseDir) {
   }
   return resolved;
 }
+var GENERATED_PATH_PREFIXES = ["tina/__generated__/", ".tina/__generated__/"];
+function isGeneratedPath(filepath) {
+  const normalized = filepath.replace(/\\/g, "/");
+  return GENERATED_PATH_PREFIXES.some(
+    (prefix) => normalized.startsWith(prefix)
+  );
+}
 var FilesystemBridge = class {
   rootPath;
   outputPath;
@@ -8112,6 +8138,30 @@ var FilesystemBridge = class {
     this.rootPath = path7.resolve(rootPath);
     this.outputPath = outputPath ? path7.resolve(outputPath) : this.rootPath;
   }
+  // Picks the base directory for a given path. The `assertWithinBase` check
+  // in delete/get/put still runs against the chosen base, so a path like
+  // `tina/__generated__/../../escape.txt` is still rejected — just rejected
+  // against `rootPath` rather than `outputPath`.
+  baseFor(filepath) {
+    return isGeneratedPath(filepath) ? this.rootPath : this.outputPath;
+  }
+  // Defense-in-depth for generated-path routing: assertWithinBase already
+  // rejects paths that escape rootPath, but a path like
+  // `tina/__generated__/../../.env` would resolve to `<rootPath>/.env` —
+  // technically inside rootPath but outside the generated subtree the
+  // routing is supposed to grant access to. Verify the resolved path stays
+  // inside the matching generated subdirectory.
+  assertGeneratedSubtree(filepath, resolved) {
+    if (!isGeneratedPath(filepath)) return;
+    const normalized = filepath.replace(/\\/g, "/");
+    const subdir = normalized.startsWith(".tina/__generated__/") ? ".tina/__generated__" : "tina/__generated__";
+    const generatedRoot = path7.resolve(path7.join(this.rootPath, subdir));
+    if (resolved !== generatedRoot && !resolved.startsWith(generatedRoot + path7.sep)) {
+      throw new Error(
+        `Path traversal detected: "${filepath}" routed via generated prefix but resolved outside ${generatedRoot}`
+      );
+    }
+  }
   async glob(pattern, extension) {
     const basePath = assertWithinBase(pattern, this.outputPath);
     const items = await fg(
@@ -8127,16 +8177,19 @@ var FilesystemBridge = class {
     );
   }
   async delete(filepath) {
-    const resolved = assertWithinBase(filepath, this.outputPath);
+    const resolved = assertWithinBase(filepath, this.baseFor(filepath));
+    this.assertGeneratedSubtree(filepath, resolved);
     await fs2.remove(resolved);
   }
   async get(filepath) {
-    const resolved = assertWithinBase(filepath, this.outputPath);
+    const resolved = assertWithinBase(filepath, this.baseFor(filepath));
+    this.assertGeneratedSubtree(filepath, resolved);
     return (await fs2.readFile(resolved)).toString();
   }
   async put(filepath, data, basePathOverride) {
-    const basePath = basePathOverride || this.outputPath;
+    const basePath = basePathOverride || this.baseFor(filepath);
     const resolved = assertWithinBase(filepath, basePath);
+    this.assertGeneratedSubtree(filepath, resolved);
     await fs2.outputFile(resolved, data);
   }
 };

package/dist/resolver/index.d.ts CHANGED Viewed

@@ -11,6 +11,11 @@ interface ResolverConfig {
     isAudit: boolean;
 }
 export declare const createResolver: (args: ResolverConfig) => Resolver;
+export declare const resolveFieldData: ({ namespace, ...field }: TinaField<true>, rawData: unknown, accumulator: {
+    [key: string]: unknown;
+}, tinaSchema: TinaSchema, config?: GraphQLConfig, isAudit?: boolean) => Promise<{
+    [key: string]: unknown;
+}>;
 export declare const transformDocumentIntoPayload: (fullPath: string, rawData: {
     _collection: any;
     _template: any;

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "@tinacms/graphql",
   "type": "module",
-  "version": "2.3.0",
+  "version": "2.4.0",
   "main": "dist/index.js",
   "module": "./dist/index.js",
   "files": [
@@ -43,8 +43,8 @@
     "normalize-path": "^3.0.0",
     "readable-stream": "^4.7.0",
     "yup": "^1.6.1",
-    "@tinacms/schema-tools": "2.7.3",
-    "@tinacms/mdx": "2.1.3"
+    "@tinacms/mdx": "2.1.4",
+    "@tinacms/schema-tools": "2.7.4"
   },
   "publishConfig": {
     "registry": "https://registry.npmjs.org"
@@ -72,8 +72,8 @@
     "vite": "^4.5.9",
     "vitest": "^0.32.4",
     "zod": "^3.24.2",
-    "@tinacms/schema-tools": "2.7.3",
-    "@tinacms/scripts": "1.6.0"
+    "@tinacms/scripts": "1.6.1",
+    "@tinacms/schema-tools": "2.7.4"
   },
   "scripts": {
     "types": "pnpm tsc",