apostrophe 2.220.9 → 2.222.0

package/CHANGELOG.md

@@ -1,5 +1,39 @@
 # Changelog
 
+## 2.222.0 (2022-07-20)
+
+## Adds
+
+* `testModule: true` is now compatible with `mocha` 10.x as well as previously supported versions of `mocha`. Thanks to [Amin Shazrin](https://github.com/ammein) for this contribution.
+
+## Fixes
+
+* `sanitize-html` dependency bumped to ensure a potential denial-of-service vector is closed.
+
+## 2.221.2 (2022-07-06)
+
+## Fixes
+
+* Previously, cache objects returned by `apos.caches.get` shared an incorrectly configured unique key index that prevented the same key from existing in two caches. This did not lead to any data integrity problems, because it was too strict rather than not strict enough. In this release the offending index is replaced with a correct one, which must be unique only on a combination of `name` (the cache name) and `key`, and unit test coverage is added to prevent a recurrence.
+
+## 2.221.1 (2022-06-22)
+
+## Fixes
+
+* Take into account query string in redirections.
+
+## 2.221.0 (2022-06-07)
+
+## Adds
+
+Passing the new `fastMinify: true` option to the `apostrophe-assets` module yields an `apostrophe:generation` speedup of 50% or more, depending on the amount of project-level code, in exchange for a 2% increase in the JavaScript bundle size that reaches the browser.
+
+## 2.220.10 (2022-03-18)
+
+## Fixes
+
+* When moving a page, makes it trashed if its parent is trashed too.
+
 ## 2.220.9 (2022-02-04)
 
 ## Fixes

package/index.js

@@ -256,7 +256,7 @@ module.exports = function(options) {
     while (m.parent) {
       // The test file is the root as far as we are concerned,
       // not mocha itself
-      if (m.parent.filename.match(/\/node_modules\/mocha\//)) {
+      if (m.parent.filename.match(new RegExp(`${path.sep}node_modules${path.sep}mocha${path.sep}`))) {
         return m;
       }
       m = m.parent;
@@ -415,20 +415,18 @@ module.exports = function(options) {
     // and throws an exception if we don't
     function findTestModule() {
       var m = module;
-      var nodeModuleRegex;
-      if (process.platform === "win32") {
-        nodeModuleRegex = /node_modules\\mocha/;
-      } else {
-        nodeModuleRegex = /node_modules\/mocha/;
+      var nodeModuleRegex = new RegExp("node_modules" + path.sep + "mocha");
+      if (!require.main.filename.match(nodeModuleRegex)) {
+        throw new Error('mocha does not seem to be running, is this really a test?');
       }
       while (m) {
         if (m.parent && m.parent.filename.match(nodeModuleRegex)) {
           return m;
+        } else if (!m.parent) {
+          // Mocha v10 doesn't inject mocha paths inside `module`, therefore, we only detect the parent until the last parent. But we can get Mocha running using `require.main` - Amin
+          return m;
         }
         m = m.parent;
-        if (!m) {
-          throw new Error('mocha does not seem to be running, is this really a test?');
-        }
       }
     }
   }

package/lib/modules/apostrophe-assets/index.js

@@ -1318,7 +1318,9 @@ module.exports = {
         return callback(null, fs.readFileSync(script.file, 'utf8'));
       }
       try {
-        var code = uglifyJs.minify(script.file).code;
+        var code = uglifyJs.minify(script.file, {
+          compress: !self.options.fastMinify
+        }).code;
       } catch (e) {
         var message =
           'uglify threw an exception while compiling:\n\n' + script.file + '\n\n' +

package/lib/modules/apostrophe-caches/index.js

@@ -16,6 +16,7 @@ module.exports = {
 
   afterConstruct: function(self, callback) {
     self.addClearCacheTask();
+    self.removeBadIndexMigration();
     return self.getCollection(function(err) {
       if (err) {
         return callback(err);
@@ -213,7 +214,7 @@ module.exports = {
     self.ensureIndexes = function(callback) {
       return async.series({
         keyIndex: function(callback) {
-          return self.cacheCollection.ensureIndex({ key: 1, cache: 1 }, { unique: true }, callback);
+          return self.cacheCollection.ensureIndex({ key: 1, name: 1 }, { unique: true }, callback);
         },
         expireIndex: function(callback) {
           return self.cacheCollection.ensureIndex({ expires: 1 }, { expireAfterSeconds: 0 }, callback);
@@ -242,5 +243,26 @@ module.exports = {
         }
       );
     };
+
+    self.removeBadIndexMigration = function() {
+      // Cache module wakes before migrations module so we have to wait
+      // for apostrophe:modulesReady before registering the migration. Most modules
+      // can register one directly from afterConstruct
+      self.on('apostrophe:modulesReady', 'addRemoveBadIndexMigration', function() {
+        self.apos.migrations.add(self.__meta.name + '.removeBadIndex', async function() {
+          const indexes = await self.cacheCollection.indexes();
+          const culprit = indexes.find(index => index.key &&
+            (Object.keys(index.key).length === 2) &&
+            index.key.key &&
+            index.key.cache &&
+            index.unique
+          );
+          if (culprit) {
+            self.apos.utils.log('Removing incorrect cache index');
+            return self.cacheCollection.dropIndex(culprit.name);
+          }
+        });
+      });
+    };
   }
 };

package/lib/modules/apostrophe-pages/lib/api.js

@@ -554,13 +554,15 @@ module.exports = function(self, options) {
         // Are we in the trashcan? Our new parent reveals that,
         // but only if trash is a place in the tree rather than a
         // simple schema field
-        if (!self.apos.docs.trashInSchema) {
-          if (parent.trash) {
-            moved.trash = true;
-          } else {
-            delete moved.trash;
-          }
+
+        if (parent.trash) {
+          moved.trash = true;
         }
+
+        if (!self.apos.docs.trashInSchema && !parent.trash) {
+          delete moved.trash;
+        }
+
         return self.update(req, moved, callback);
       }
       function updateDescendants(callback) {

package/lib/modules/apostrophe-soft-redirects/index.js

@@ -1,5 +1,6 @@
 var _ = require('@sailshq/lodash');
 var async = require('async');
+var qs = require('qs');
 
 // Implements "soft redirects." When a 404 is about to occur, Apostrophe will look
 // for a page or piece that has been associated with that URL in the past, and
@@ -48,21 +49,27 @@ module.exports = {
     };
 
     self.pageNotFound = function(req, callback) {
-      return self.apos.docs.find(req, { historicUrls: { $in: [ req.url ] } }).sort({ updatedAt: -1 }).toObject(function(err, doc) {
-        if (err) {
-          return callback(err);
-        }
-        if (!doc) {
-          return callback(null);
-        }
-        if (!doc._url) {
+      return self.apos.docs
+        .find(req, { historicUrls: req.path })
+        .sort({ updatedAt: -1 })
+        .toObject(function(err, doc) {
+          if (err) {
+            return callback(err);
+          }
+          if (!doc) {
+            return callback(null);
+          }
+          if (!doc._url) {
+            return callback(null);
+          }
+          if (self.local(doc._url) !== req.path) {
+            return req.res.redirect(
+              statusCode,
+              `${self.local(doc._url)}${qs.stringify(req.query, { addQueryPrefix: true })}`
+            );
+          }
           return callback(null);
-        }
-        if (self.local(doc._url) !== req.url) {
-          return req.res.redirect(statusCode, self.local(doc._url));
-        }
-        return callback(null);
-      });
+        });
     };
 
     self.pageBeforeSend = function(req, callback) {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "2.220.9",
+  "version": "2.222.0",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {
@@ -72,7 +72,7 @@
     "request-promise": "^4.2.4",
     "resolve": "^1.20.0",
     "rimraf": "^2.7.1",
-    "sanitize-html": "^2.4.0",
+    "sanitize-html": "^2.7.1",
     "server-destroy": "^1.0.1",
     "sluggo": "^0.2.0",
     "syntax-error": "^1.3.0",

package/test/caches.js

@@ -11,6 +11,8 @@ describe('Caches', function() {
 
   var apos;
   var cache;
+  let cache2;
+
   it('should exist on the apos object', function(done) {
     apos = require('../index.js')({
       root: module,
@@ -117,4 +119,31 @@ describe('Caches', function() {
         return true;
       });
   });
+  it('should give us a second, independent cache object', function() {
+    cache2 = apos.caches.get('testMonkeys2');
+  });
+  it('cache 1 should allow us to store capuchin', function() {
+    return cache.set('capuchin', { message: 'eek eek' });
+  });
+  it('cache 2 should allow us to store capuchin with another message', function() {
+    return cache2.set('capuchin', { message: 'ook ook' });
+  });
+  it('cache 1 should contain its unique message', async function() {
+    assert.strictEqual((await cache.get('capuchin')).message, 'eek eek');
+  });
+  it('cache 2 should contain its unique message', async function() {
+    assert.strictEqual((await cache2.get('capuchin')).message, 'ook ook');
+  });
+  it('unique index still prevents double insert of key within a namespace', async function() {
+    try {
+      await apos.caches.cacheCollection.insert({
+        key: 'capuchin',
+        name: 'testMonkeys'
+      });
+      // That's bad, unique index should have stopped us
+      assert(false);
+    } catch (e) {
+      // This is what we wanted to happen
+    }
+  });
 });

package/test/soft-redirects.js

@@ -81,7 +81,21 @@ describe('Soft Redirects', function() {
       // Is our status code good?
       assert.equal(response.statusCode, 302);
       // Are we going to be redirected to our page?
-      assert.equal(response.headers['location'], '/child-moved');
+      assert.equal(response.headers.location, '/child-moved');
+      return done();
+    });
+  });
+
+  it('should be able to serve the page at its old URL too, via redirect, with query params', function(done) {
+    return request({
+      url: 'http://localhost:7900/child?a-query-param=foo&bar[]=a&bar[]=b&another',
+      followRedirect: false
+    }, function(err, response, body) {
+      assert(!err);
+      // Is our status code good?
+      assert.equal(response.statusCode, 302);
+      // Are we going to be redirected to our page?
+      assert.equal(response.headers.location, '/child-moved?a-query-param=foo&bar%5B0%5D=a&bar%5B1%5D=b&another=');
       return done();
     });
   });
@@ -158,9 +172,8 @@ describe('Soft Redirects - with `statusCode` option', function() {
       // Is our status code good?
       assert.equal(response.statusCode, 301);
       // Are we going to be redirected to our page?
-      assert.equal(response.headers['location'], '/child-moved');
+      assert.equal(response.headers.location, '/child-moved');
       return done();
     });
   });
-
 });

package/test/package.json

@@ -1,75 +0,0 @@
-{
-  "//": "Automatically generated to satisfy moog-require, do not edit",
-  "dependencies": {
-    "@apostrophecms/nunjucks": "^2.5.4",
-    "@sailshq/lodash": "^3.10.4",
-    "async": "^1.5.2",
-    "bless": "^3.0.3",
-    "bluebird": "^3.7.1",
-    "body-parser": "^1.19.0",
-    "cheerio": "^1.0.0-rc.10",
-    "chokidar": "^3.5.1",
-    "cli-progress": "^2.1.1",
-    "connect-flash": "^0.1.1",
-    "connect-multiparty": "^2.2.0",
-    "cookie-parser": "^1.4.5",
-    "credential": "^2.0.0",
-    "cuid": "^1.3.8",
-    "deep-get-set": "^0.1.1",
-    "diff": "^4.0.1",
-    "emulate-mongo-2-driver": "^1.2.3",
-    "express": "^4.17.1",
-    "express-session": "^1.17.0",
-    "glob": "^5.0.15",
-    "he": "^0.5.0",
-    "heic-to-jpeg-middleware": "^2.0.0",
-    "html-to-plaintext": "^0.1.1",
-    "html-to-text": "^5.1.1",
-    "i18n": "^0.8.6",
-    "is-wsl": "^2.2.0",
-    "joinr": "^1.0.2",
-    "jpeg-exif": "^1.1.4",
-    "launder": "^1.5.0",
-    "less": "^3.13.1",
-    "less-middleware": "^3.1.0",
-    "minimatch": "^3.0.4",
-    "mkdirp": "^1.0.3",
-    "moment": "^2.29.1",
-    "moog-require": "^1.1.0",
-    "nodemailer": "^6.6.2",
-    "oembetter": "^1.0.1",
-    "passport": "^0.3.2",
-    "passport-local": "^1.0.0",
-    "passport-totp": "0.0.2",
-    "path-to-regexp": "^1.7.0",
-    "performance-now": "^2.1.0",
-    "qs": "^6.9.6",
-    "regexp-quote": "0.0.0",
-    "request": "^2.88.2",
-    "request-promise": "^4.2.4",
-    "resolve": "^1.20.0",
-    "rimraf": "^2.7.1",
-    "sanitize-html": "^2.4.0",
-    "server-destroy": "^1.0.1",
-    "sluggo": "^0.2.0",
-    "syntax-error": "^1.3.0",
-    "thirty-two": "^1.0.2",
-    "tinycolor2": "^1.4.1",
-    "uglify-js": "^2.8.29",
-    "underscore.string": "^3.3.5",
-    "uploadfs": "^1.17.2",
-    "xregexp": "^2.0.0",
-    "yargs": "^3.32.0",
-    "apostrophe": "^2.0.0"
-  },
-  "devDependencies": {
-    "eslint": "^6.5.1",
-    "eslint-config-apostrophe": "^2.0.2",
-    "eslint-config-standard": "^11.0.0",
-    "eslint-plugin-import": "^2.18.2",
-    "eslint-plugin-node": "^6.0.1",
-    "eslint-plugin-promise": "^3.8.0",
-    "eslint-plugin-standard": "^3.1.0",
-    "mocha": "^7.0.0"
-  }
-}