apostrophe 2.223.0 → 2.224.0

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## 2.224.0 (2023-02-01)
+
+### Adds
+
+* If about to 404, redirect uppercase URLs automatically to their lowercase version - can be disabled with `redirectFailedUpperCaseUrls: false` in `apostrophe-pages/index.js` options.
+
+## 2.223.1 (2022-12-21)
+
+### Fixes
+
+* Replace [`credential`](https://www.npmjs.com/package/credential) package with [`credentials`](https://www.npmjs.com/package/credentials) to fix the [`mout` Prototype Pollution vulnerability scanner warning](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-7792). There was no actual vulnerability in Apostrophe or credential due to the way the module was used.
+* Fix vulnerability scanner warning by removing package `deep-get-set` used in areas. There was no actual vulnerability in Apostrophe due to the way the module was used.
+
 ## 2.223.0 (2022-11-28)
 
 ### Adds

package/lib/modules/apostrophe-areas/lib/api.js

@@ -1,6 +1,5 @@
 var _ = require('@sailshq/lodash');
 var async = require('async');
-var deep = require('deep-get-set');
 
 module.exports = function(self, options) {
 
@@ -213,13 +212,13 @@ module.exports = function(self, options) {
         // and is not an area.
 
         if (components.length > 1) {
-          var existing = deep(doc, dotPath);
+          var existing = _.get(doc, dotPath);
           if (existing && (existing.type !== 'area')) {
             return callback(new Error('forbidden'));
           }
         }
 
-        var existingArea = deep(doc, dotPath);
+        var existingArea = _.get(doc, dotPath);
         var existingItems = (existingArea && existingArea.items) || [];
         if (_.isEqual(self.apos.utils.clonePermanent(items), self.apos.utils.clonePermanent(existingItems))) {
           // No real change — don't waste a version and clutter the database.
@@ -228,7 +227,7 @@ module.exports = function(self, options) {
           return setImmediate(callback);
         }
 
-        deep(doc, dotPath, {
+        _.set(doc, dotPath, {
           type: 'area',
           items: items
         });

package/lib/modules/apostrophe-login/index.js

@@ -289,7 +289,7 @@ module.exports = {
     // Users with the `disabled` property set to true may not log in.
     // Passwords are verified via the `verifyPassword` method of
     // [apostrophe-users](/reference/modules/apostrophe-users), which is
-    // powered by the [credential](https://npmjs.org/package/credential) module.
+    // powered by the [credentials](https://npmjs.org/package/credentials) module.
 
     self.enableLocalStrategy = function() {
       self.passport.use(new LocalStrategy(self.verifyLogin));

package/lib/modules/apostrophe-pages/index.js

@@ -255,6 +255,8 @@ module.exports = {
 
   alias: 'pages',
 
+  redirectFailedUpperCaseUrls: true,
+
   types: [
     {
       // So that the minimum parked pages don't result in an error when home has no manager. -Tom
@@ -324,12 +326,14 @@ module.exports = {
         name: 'trash',
         label: 'Trash'
       }
-    ].concat(options.apos.docs.trashInSchema ? [
-      {
-        name: 'rescue',
-        label: 'Rescue'
-      }
-    ] : []).concat([
+    ].concat(options.apos.docs.trashInSchema
+      ? [
+        {
+          name: 'rescue',
+          label: 'Rescue'
+        }
+      ]
+      : []).concat([
       {
         name: 'publish',
         label: 'Publish'

package/lib/modules/apostrophe-pages/lib/api.js

@@ -429,7 +429,13 @@ module.exports = function(self, options) {
           .trash(null)
           .published(null)
           .areas(false)
-          .ancestors(_.assign({ depth: 1, trash: null, published: null, areas: false, permission: false }, options.filters || {}))
+          .ancestors(_.assign({
+            depth: 1,
+            trash: null,
+            published: null,
+            areas: false,
+            permission: false
+          }, options.filters || {}))
           .applyFilters(options.filters || {})
           .toObject(function(err, page) {
             if (err) {
@@ -460,7 +466,13 @@ module.exports = function(self, options) {
           .trash(null)
           .published(null)
           .areas(false)
-          .ancestors(_.assign({ depth: 1, trash: null, published: null, areas: false, permission: false }, options.filters || {}))
+          .ancestors(_.assign({
+            depth: 1,
+            trash: null,
+            published: null,
+            areas: false,
+            permission: false
+          }, options.filters || {}))
           .applyFilters(options.filters || {})
           .toObject(function(err, page) {
             if (err) {
@@ -516,7 +528,11 @@ module.exports = function(self, options) {
       function nudgeNewPeers(callback) {
         // Nudge down the pages that should now follow us
         // Always remember multi: true
-        self.apos.docs.db.update(mergeCriteria({ path: self.matchDescendants(parent), level: parent.level + 1, rank: { $gte: rank } }), { $inc: { rank: 1 } }, { multi: true }, function(err, count) {
+        self.apos.docs.db.update(mergeCriteria({
+          path: self.matchDescendants(parent),
+          level: parent.level + 1,
+          rank: { $gte: rank }
+        }), { $inc: { rank: 1 } }, { multi: true }, function(err, count) {
           return callback(err);
         });
       }
@@ -738,7 +754,12 @@ module.exports = function(self, options) {
       [
         function getPage(cb) {
         // check permissions and load page to trash/untrash
-          return self.find(req, { _id: _id }).permission('edit').trash(null).ancestors({ depth: 1, published: null, trash: null, areas: false }).toObject((err, _page) => {
+          return self.find(req, { _id: _id }).permission('edit').trash(null).ancestors({
+            depth: 1,
+            published: null,
+            trash: null,
+            areas: false
+          }).toObject((err, _page) => {
             page = _page;
             tree.push(page);
             parent = page._ancestors[0];
@@ -876,14 +897,17 @@ module.exports = function(self, options) {
     var parent;
     var changed = [];
 
-    return async.series([findTrash, findPage, movePage], function(err) {
+    return async.series([ findTrash, findPage, movePage ], function(err) {
       return callback(err, parent && parent.slug, changed);
     });
 
     function findTrash(callback) {
       // Always only one trash page at level 1, so we don't have
       // to hardcode the slug
-      return self.find(req, { trash: true, level: 1 })
+      return self.find(req, {
+        trash: true,
+        level: 1
+      })
         .permission(false)
         .published(null)
         .trash(null)
@@ -899,7 +923,12 @@ module.exports = function(self, options) {
 
     function findPage(callback) {
       // Also checks permissions
-      return self.find(req, { _id: _id }).permission('edit').ancestors({ depth: 1, published: null, trash: null, areas: false }).toObject(function(err, _page) {
+      return self.find(req, { _id: _id }).permission('edit').ancestors({
+        depth: 1,
+        published: null,
+        trash: null,
+        areas: false
+      }).toObject(function(err, _page) {
         if (err || (!_page)) {
           return callback('Page not found');
         }
@@ -943,7 +972,12 @@ module.exports = function(self, options) {
 
     function findPage(callback) {
       // Also checks permissions
-      return self.find(req, { _id: _id }).permission('publish').trash(true).ancestors({ depth: 1, published: null, trash: null, areas: false }).toObject(function(err, _page) {
+      return self.find(req, { _id: _id }).permission('publish').trash(true).ancestors({
+        depth: 1,
+        published: null,
+        trash: null,
+        areas: false
+      }).toObject(function(err, _page) {
         if (err || (!_page)) {
           return callback('Page not found');
         }
@@ -1134,6 +1168,12 @@ module.exports = function(self, options) {
       if (self.isFound(req)) {
         return callback(null);
       }
+
+      if (options.redirectFailedUpperCaseUrls && /[A-Z]/.test(req.path)) {
+        req.redirect = self.apos.urls.build(req.path.toLowerCase(), req.query);
+        return callback(null);
+      }
+
       req.data.suggestedSearch = self.apos.utils.slugify(req.url, { separator: ' ' });
       req.notFound = true;
       req.res.statusCode = 404;
@@ -1141,7 +1181,7 @@ module.exports = function(self, options) {
       // Give the browser a chance to do something interesting with a 404.
       // This is often a better idea than doing a heavy fallback search
       // server side, because those are triggered heavily by bots
-      req.browserCall("apos.emit('notfound', ?)", {
+      req.browserCall('apos.emit(\'notfound\', ?)', {
         suggestedSearch: req.data.suggestedSearch,
         url: req.url
       });
@@ -1421,7 +1461,10 @@ module.exports = function(self, options) {
 
   self.ensurePathIndex = function(callback) {
     var params = self.getPathIndexParams();
-    return self.apos.docs.db.ensureIndex(params, { unique: true, sparse: true }, callback);
+    return self.apos.docs.db.ensureIndex(params, {
+      unique: true,
+      sparse: true
+    }, callback);
   };
 
   self.getPathIndexParams = function() {
@@ -1502,8 +1545,14 @@ module.exports = function(self, options) {
     var matchParentPathPrefix = new RegExp('^' + self.apos.utils.regExpQuote(originalPath + '/'));
     var matchParentSlugPrefix = new RegExp('^' + self.apos.utils.regExpQuote(originalSlug + '/'));
     var done = false;
-    var cursor = self.apos.docs.db.findWithProjection(mergeCriteria({ path: matchParentPathPrefix }), { slug: 1, path: 1, level: 1 });
-    return async.whilst(function() { return !done; }, function(callback) {
+    var cursor = self.apos.docs.db.findWithProjection(mergeCriteria({ path: matchParentPathPrefix }), {
+      slug: 1,
+      path: 1,
+      level: 1
+    });
+    return async.whilst(function() {
+      return !done;
+    }, function(callback) {
       return cursor.nextObject(function(err, desc) {
         if (err) {
           return callback(err);
@@ -1996,10 +2045,10 @@ module.exports = function(self, options) {
   self.validateTypeChoices = function() {
     _.each(self.typeChoices, function(choice) {
       if (!choice.name) {
-        throw new Error("One of the page types specified for your 'types' option has no 'name' property.");
+        throw new Error('One of the page types specified for your \'types\' option has no \'name\' property.');
       }
       if (!choice.label) {
-        throw new Error("One of the page types specified for your 'types' option has no 'label' property.");
+        throw new Error('One of the page types specified for your \'types\' option has no \'label\' property.');
       }
     });
   };
@@ -2060,7 +2109,10 @@ module.exports = function(self, options) {
 
   self.removeSlugFromHomepageSchema = function(page, schema) {
     if (page.level === 0) {
-      schema = _.reject(schema, { type: 'slug', name: 'slug' });
+      schema = _.reject(schema, {
+        type: 'slug',
+        name: 'slug'
+      });
     }
     return schema;
   };

package/lib/modules/apostrophe-users/index.js

@@ -37,7 +37,7 @@
 //
 // For security the `password` property is not stored as plaintext and
 // is not kept in the aposDocs collection. Instead, it is hashed and salted
-// using the `credential` module and the resulting hash is stored
+// using the `credentials` module and the resulting hash is stored
 // in a separate `aposUsersSafe` collection.
 //
 // Additional secrets may be hashed in this way. If you set the
@@ -62,7 +62,7 @@
 
 var async = require('async');
 var _ = require('@sailshq/lodash');
-var credential = require('credential');
+var credentials = require('credentials');
 var Promise = require('bluebird');
 
 module.exports = {
@@ -82,7 +82,6 @@ module.exports = {
   slugPrefix: 'user-',
 
   afterConstruct: function(self, callback) {
-    self.initializeCredential();
     self.addOurTrashPrefixFields();
     self.enableSecrets();
     self.addNonNullJoinMigration();
@@ -447,14 +446,17 @@ module.exports = {
       if (!doc[secret]) {
         return callback(null);
       }
-      return self.pw.hash(doc[secret], function(err, hash) {
-        if (err) {
-          return callback(err);
-        }
-        delete doc[secret];
-        safeUser[secret + 'Hash'] = hash;
-        return callback(null);
-      });
+      return credentials
+        .hash(doc[secret])
+        .then(hash => {
+          const annotatedHash = JSON.stringify(
+            Object.assign(JSON.parse(hash), { credentials3: true })
+          );
+          delete doc[secret];
+          safeUser[secret + 'Hash'] = annotatedHash;
+          callback(null);
+        })
+        .catch(callback);
     };
 
     // Verify the given password by checking it against the
@@ -473,7 +475,7 @@ module.exports = {
     // in `options.secrets` when configuring this module or via
     // `addSecrets` are not stored as plaintext and are not kept in the
     // aposDocs collection. Instead, they are hashed and salted using the
-    // `credential` module and the resulting hash is stored
+    // `credentials` module and the resulting hash is stored
     // in a separate `aposUsersSafe` collection. This method
     // can be used to verify that `attempt` matches the
     // previously hashed value for the property named `secret`,
@@ -504,18 +506,33 @@ module.exports = {
             if (!safeUser) {
               return callback(new Error('No such user in the safe.'));
             }
-            return self.pw.verify(safeUser[secret + 'Hash'], attempt, function(err, isValid) {
-              if (err) {
-                return callback(err);
-              }
-              if (!isValid) {
-                return callback(new Error('Incorrect ' + secret));
-              }
-              return callback(null);
-            });
+            return credentials
+              .verify(migrate(safeUser[secret + 'Hash']), attempt)
+              .then(isValid => {
+                if (!isValid) {
+                  throw new Error('Incorrect ' + secret);
+                }
+                callback(null);
+              })
+              .catch(callback);
           }
         }, callback);
       }
+      function migrate(json) {
+        const data = JSON.parse(json);
+
+        // Do not re-encode salt generated by credentials@3
+        if (data.credentials3) {
+          return json;
+        }
+
+        return JSON.stringify(
+          Object.assign(
+            data,
+            { salt: Buffer.from(data.salt, 'utf8').toString('base64') }
+          )
+        );
+      }
     };
 
     // Forget the secret associated with the property name
@@ -651,11 +668,6 @@ module.exports = {
       });
     };
 
-    // Initialize the [credential](https://npmjs.org/package/credential) module.
-    self.initializeCredential = function() {
-      self.pw = credential();
-    };
-
     self.apos.tasks.add('apostrophe-users', 'add',
       'Usage: node app apostrophe-users:add username groupname\n\n' +
       'This adds a new user and assigns them to a group.\n' +

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "2.223.0",
+  "version": "2.224.0",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {
@@ -36,9 +36,8 @@
     "connect-flash": "^0.1.1",
     "connect-multiparty": "^2.2.0",
     "cookie-parser": "^1.4.5",
-    "credential": "^2.0.0",
+    "credentials": "^3.0.2",
     "cuid": "^1.3.8",
-    "deep-get-set": "^1.1.1",
     "diff": "^4.0.1",
     "emulate-mongo-2-driver": "^1.2.3",
     "express": "^4.17.1",

package/test/pages.js

@@ -433,7 +433,6 @@ describe('Pages', function() {
       assert(body.match(/Home: \//));
       // Does the response prove that data.home._children was available?
       assert(body.match(/Tab: \/another-parent/));
-      // console.log(body);
       return done();
     });
   });
@@ -447,7 +446,6 @@ describe('Pages', function() {
       assert(body.match(/Home: \//));
       // Does the response prove that data.home._children was available?
       assert(body.match(/Tab: \/another-parent/));
-      // console.log(body);
       return done();
     });
   });
@@ -475,6 +473,29 @@ describe('Pages', function() {
     });
   });
 
+  it('should redirect to url with path in lower case by default', function(done) {
+    return request('http://localhost:7900/chiLD', function (err, response, body) {
+      assert(!err);
+      assert.equal(response.statusCode, 200);
+      assert(body.match(/Sing to me, Oh Muse./));
+      assert(body.match(/Home: \//));
+      assert(body.match(/Tab: \/another-parent/));
+      return done();
+    });
+  });
+
+  it('should not redirect to url with path in lower case if the option is disabled', function(done) {
+    apos.pages.options.redirectFailedUpperCaseUrls = false;
+
+    return request('http://localhost:7900/chiLD', function (err, response, body) {
+      assert(!err);
+      assert.equal(response.statusCode, 404);
+      apos.pages.options.redirectFailedUpperCaseUrls = true;
+      return done();
+    });
+
+  });
+
   it('should detect that the home page is an ancestor of any page except itself', function() {
     assert(
       apos.pages.isAncestorOf({
@@ -561,8 +582,8 @@ describe('Pages', function() {
       assert.equal(page.path, '/newish-page');
       done();
     });
-  });
 
+  });
 });
 
 describe('Pages with trashInSchema', function() {

package/test/users.js

@@ -103,6 +103,35 @@ describe('Users', function() {
       });
   });
 
+  it('should verify a user password created with former credential package', function(done) {
+    var req = apos.tasks.getReq();
+    var user = apos.users.newInstance();
+
+    user.firstName = 'Old';
+    user.lastName = 'User';
+    user.title = 'Old User';
+    user.username = 'olduser';
+    user.password = 'passwordThatThroughOldCredentialPackageHashing';
+    user.email = 'old@user.com';
+
+    apos.users.insert(req, user, async function(err) {
+      assert(!err);
+
+      // A password hash that were generated by the former credential package:
+      var oldPasswordHashSimulated =
+        '{"hash":"HKBAyPWKKnKnXzF0yflRUEeeJZk1njKaX3IqT6Ml056OdMWIsDRqfJeHCqxI3jA9HEFNzuPEhw0m98dA8ju8xRpj","salt":"P2X4+Ex0rrHSPBRv0TCGOTqXmuT2JDspNLc/0Uln6jcZWACUpgBz+DDpfP9DFZcPG9cMlwMaHEKw3MVq02af8RSn","keyLength":66,"hashMethod":"pbkdf2","iterations":2853010}';
+
+      apos.users.safe.update({ username: 'olduser' }, { $set: { passwordHash: oldPasswordHashSimulated } }, function() {
+        apos.users.verifyPassword(user, 'passwordThatThroughOldCredentialPackageHashing', function(err) {
+          assert(!err);
+          apos.users.safe.remove({ username: 'olduser' }, function() {
+            done();
+          });
+        });
+      });
+    });
+  });
+
   it('should not verify an incorrect user password', function(done) {
     apos.users.find(apos.tasks.getReq(), { username: 'JaneD' })
       .toObject(function(err, user) {