@tinacms/graphql 2.3.1 → 2.4.1

package/dist/database/bridge/filesystem.d.ts

@@ -4,6 +4,11 @@ import type { Bridge } from './index';
  * The basic example here is for the filesystem, one is needed
  * for GitHub has well.
  *
+ * When `outputPath` differs from `rootPath` (multi-repo: generator +
+ * sibling content repo), paths under `tina/__generated__/` still resolve
+ * against `rootPath` — schema/graphql/lookup artifacts live only in the
+ * generator. Everything else (content files) resolves against `outputPath`.
+ *
  * @security All public methods validate their `filepath` / `pattern`
  * argument via `assertWithinBase` before performing any I/O. If you add a
  * new method that accepts a path, you MUST validate it the same way.
@@ -12,6 +17,8 @@ export declare class FilesystemBridge implements Bridge {
     rootPath: string;
     outputPath: string;
     constructor(rootPath: string, outputPath?: string);
+    private baseFor;
+    private assertGeneratedSubtree;
     glob(pattern: string, extension: string): Promise<string[]>;
     delete(filepath: string): Promise<void>;
     get(filepath: string): Promise<string>;

package/dist/index.js

@@ -3035,7 +3035,7 @@ var validateField = async (field) => {
 var package_default = {
   name: "@tinacms/graphql",
   type: "module",
-  version: "2.3.1",
+  version: "2.4.1",
   main: "dist/index.js",
   module: "./dist/index.js",
   files: [
@@ -4640,17 +4640,18 @@ var resolveMediaCloudToRelative = (value, config = { useRelativeMedia: true }, s
       return value;
     }
     if (hasTinaMediaConfig(schema) === true) {
-      const assetsURL = `https://${config.assetsHost}/${config.clientId}`;
       const cleanMediaRoot = cleanUpSlashes(schema.config.media.tina.mediaRoot);
-      if (typeof value === "string" && value.includes(assetsURL)) {
+      const cloudUrl = cloudUrlPattern(config.clientId);
+      if (typeof value === "string" && cloudUrl.test(value)) {
         return `${cleanMediaRoot}${stripStagingPrefix(
-          value.replace(assetsURL, "")
+          value.replace(cloudUrl, "")
         )}`;
       }
       if (Array.isArray(value)) {
         return value.map((v) => {
           if (!v || typeof v !== "string") return v;
-          const strippedURL = v.replace(assetsURL, "");
+          if (!cloudUrl.test(v)) return v;
+          const strippedURL = v.replace(cloudUrl, "");
           return `${cleanMediaRoot}${stripStagingPrefix(strippedURL)}`;
         });
       }
@@ -4670,13 +4671,17 @@ var resolveMediaRelativeToCloud = (value, config = { useRelativeMedia: true }, s
       const cleanMediaRoot = cleanUpSlashes(schema.config.media.tina.mediaRoot);
       const prefix = stagingPrefix(config);
       if (typeof value === "string") {
+        if (ABSOLUTE_URL.test(value)) return value;
         const strippedValue = value.replace(cleanMediaRoot, "");
+        if (ABSOLUTE_URL.test(strippedValue)) return strippedValue;
         return `https://${config.assetsHost}/${config.clientId}${prefix}${strippedValue}`;
       }
       if (Array.isArray(value)) {
         return value.map((v) => {
           if (!v || typeof v !== "string") return v;
+          if (ABSOLUTE_URL.test(v)) return v;
           const strippedValue = v.replace(cleanMediaRoot, "");
+          if (ABSOLUTE_URL.test(strippedValue)) return strippedValue;
           return `https://${config.assetsHost}/${config.clientId}${prefix}${strippedValue}`;
         });
       }
@@ -4686,12 +4691,15 @@ var resolveMediaRelativeToCloud = (value, config = { useRelativeMedia: true }, s
     return value;
   }
 };
-var stagingPrefix = (config) => config.branch && config.branch !== config.mediaBranch ? `/__staging/${encodeURIComponent(config.branch)}` : "";
-var STAGING_SEGMENT = /^\/__staging\/[^/]+(\/.*)$/;
+var stagingPrefix = (config) => config.branch && config.branch !== config.mediaBranch ? `/__staging/${config.branch}/__file` : "";
+var STAGING_SEGMENT = /^\/__staging\/.+?\/__file(\/.*)$/;
 var stripStagingPrefix = (path9) => {
   const match = path9.match(STAGING_SEGMENT);
   return match ? match[1] : path9;
 };
+var ABSOLUTE_URL = /^[a-z][a-z0-9+.\-]*:|^\/\//i;
+var escapeRegExp = (s) => s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
+var cloudUrlPattern = (clientId) => new RegExp(`^https://[^/]+/${escapeRegExp(clientId)}`);
 var cleanUpSlashes = (path9) => {
   if (path9) {
     return `/${path9.replace(/^\/+|\/+$/gm, "")}`;
@@ -8121,6 +8129,13 @@ function assertWithinBase(filepath, baseDir) {
   }
   return resolved;
 }
+var GENERATED_PATH_PREFIXES = ["tina/__generated__/", ".tina/__generated__/"];
+function isGeneratedPath(filepath) {
+  const normalized = filepath.replace(/\\/g, "/");
+  return GENERATED_PATH_PREFIXES.some(
+    (prefix) => normalized.startsWith(prefix)
+  );
+}
 var FilesystemBridge = class {
   rootPath;
   outputPath;
@@ -8128,6 +8143,30 @@ var FilesystemBridge = class {
     this.rootPath = path7.resolve(rootPath);
     this.outputPath = outputPath ? path7.resolve(outputPath) : this.rootPath;
   }
+  // Picks the base directory for a given path. The `assertWithinBase` check
+  // in delete/get/put still runs against the chosen base, so a path like
+  // `tina/__generated__/../../escape.txt` is still rejected — just rejected
+  // against `rootPath` rather than `outputPath`.
+  baseFor(filepath) {
+    return isGeneratedPath(filepath) ? this.rootPath : this.outputPath;
+  }
+  // Defense-in-depth for generated-path routing: assertWithinBase already
+  // rejects paths that escape rootPath, but a path like
+  // `tina/__generated__/../../.env` would resolve to `<rootPath>/.env` —
+  // technically inside rootPath but outside the generated subtree the
+  // routing is supposed to grant access to. Verify the resolved path stays
+  // inside the matching generated subdirectory.
+  assertGeneratedSubtree(filepath, resolved) {
+    if (!isGeneratedPath(filepath)) return;
+    const normalized = filepath.replace(/\\/g, "/");
+    const subdir = normalized.startsWith(".tina/__generated__/") ? ".tina/__generated__" : "tina/__generated__";
+    const generatedRoot = path7.resolve(path7.join(this.rootPath, subdir));
+    if (resolved !== generatedRoot && !resolved.startsWith(generatedRoot + path7.sep)) {
+      throw new Error(
+        `Path traversal detected: "${filepath}" routed via generated prefix but resolved outside ${generatedRoot}`
+      );
+    }
+  }
   async glob(pattern, extension) {
     const basePath = assertWithinBase(pattern, this.outputPath);
     const items = await fg(
@@ -8143,16 +8182,19 @@ var FilesystemBridge = class {
     );
   }
   async delete(filepath) {
-    const resolved = assertWithinBase(filepath, this.outputPath);
+    const resolved = assertWithinBase(filepath, this.baseFor(filepath));
+    this.assertGeneratedSubtree(filepath, resolved);
     await fs2.remove(resolved);
   }
   async get(filepath) {
-    const resolved = assertWithinBase(filepath, this.outputPath);
+    const resolved = assertWithinBase(filepath, this.baseFor(filepath));
+    this.assertGeneratedSubtree(filepath, resolved);
     return (await fs2.readFile(resolved)).toString();
   }
   async put(filepath, data, basePathOverride) {
-    const basePath = basePathOverride || this.outputPath;
+    const basePath = basePathOverride || this.baseFor(filepath);
     const resolved = assertWithinBase(filepath, basePath);
+    this.assertGeneratedSubtree(filepath, resolved);
     await fs2.outputFile(resolved, data);
   }
 };

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@tinacms/graphql",
   "type": "module",
-  "version": "2.3.1",
+  "version": "2.4.1",
   "main": "dist/index.js",
   "module": "./dist/index.js",
   "files": [