npm - apostrophe - Versions diffs - 3.63.0 → 3.63.2 - Mend

apostrophe 3.63.0 → 3.63.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/CHANGELOG.md +20 -0
package/modules/@apostrophecms/oembed/index.js +10 -3
package/modules/@apostrophecms/polymorphic-type/index.js +0 -19
package/modules/@apostrophecms/schema/index.js +30 -1
package/package.json +2 -2
package/test/schemas.js +10 -4

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,25 @@
 # Changelog
+## 3.63.2 (2024-03-01)
+### Security
+* Always validate that method names passed to the `external-condition` API actually appear in `if` or `requiredIf`
+clauses for the field in question. This fix addresses a serious security risk in which arbitrary methods of
+Apostrophe modules could be called over the network, without arguments, and the results returned to the caller.
+While the lack of arguments mitigates the data exfiltration risk, it is possible to cause data loss by
+invoking the right method. Therefore this is an urgent upgrade for all Apostrophe 3.x users. Our thanks to the Michelin
+penetration test red team for disclosing this vulnerability. All are welcome to disclose security vulnerabilities
+in ApostropheCMS code via [security@apostrophecms.com](mailto:security@apostrophecms.com).
+* Disable the `alwaysIframe` query parameter of the oembed proxy. This feature was never used in Apostrophe core, and could be misused to carry out arbitrary GET requests in the context of an iframe, although it could not be used to exfiltrate any information other than the success or failure of the request, and the request was still performed by the user's browser only. Thanks to the Michelin team.
+* Remove vestigial A2 code relating to polymorphic relationship fields. The code in question had no relevance to the way such a feature would be implemented in A3, and could be used to cause a denial of service by crashing and restarting the process. Thanks to the Michelin team.
+## 3.63.1 (2024-02-22)
+### Security
+* Bump dependency on `sanitize-html` to `^2.12.1` at a minimum, to ensure that `npm update apostrophe` is sufficient to guarantee a security update is installed. This security update prevents specially crafted HTML documents from revealing the existence or non-existence of files on the server. The vulnerability did not expose any other information about those files. Thanks to the [Snyk Security team](https://snyk.io/) for the disclosure and to [Dylan Armstrong](https://dylan.is/) for the fix.
 ## 3.63.0 (2024-02-21)
 ### Adds

package/modules/@apostrophecms/oembed/index.js CHANGED Viewed

@@ -67,7 +67,9 @@ module.exports = {
       //
       // If `options.alwaysIframe` is true, the result is a simple
       // iframe of the URL. If `options.iframeHeight` is set, the iframe
-      // has that height in pixels, otherwise it is left to CSS.
+      // has that height in pixels, otherwise it is left to CSS. These iframe-related
+      // options are not used in core Apostrophe and remain available to project-level
+      // application code for backwards compatibility purposes only.
       //
       // The `options` object is passed on to `oembetter.fetch`.
       //
@@ -127,6 +129,9 @@ module.exports = {
         await self.apos.cache.set('@apostrophecms/oembed', key, response, self.options.cacheLifetime);
         return response;
       },
+      // Not currently used. Present for backwards compatibility
+      // in the event that application code used it directly.
+      //
       // Given a URL, return an oembed response for it
       // which just iframes the URL given. Fetches the page
       // first to get the title property.
@@ -219,8 +224,10 @@ module.exports = {
         async query(req) {
           const url = self.apos.launder.string(req.query.url);
           const options = {
-            alwaysIframe: self.apos.launder.boolean(req.query.alwaysIframe),
-            iframeHeight: self.apos.launder.integer(req.query.iframeHeight)
+            // This feature is no longer available via the
+            // oembed proxy because it posed an SSRF risk and
+            // was never used in core Apostrophe widgets
+            alwaysIframe: false
           };
           const result = await self.query(req, url, options);

package/modules/@apostrophecms/polymorphic-type/index.js CHANGED Viewed

@@ -1,4 +1,3 @@
-const _ = require('lodash');
 const migrations = require('./lib/migrations.js');
 module.exports = {
@@ -14,23 +13,5 @@ module.exports = {
     return {
       ...migrations(self)
     };
-  },
-  routes(self) {
-    return {
-      post: {
-        polymorphicChooserModal(req, res) {
-          const limit = self.apos.launder.integer(req.body.limit);
-          const field = req.body.field;
-          const types = _.map(field.withType, function (name) {
-            return self.apos.doc.getManager(name);
-          });
-          return self.send(req, 'chooserModal', {
-            options: self.options,
-            limit: limit,
-            types: types
-          });
-        }
-      }
-    };
   }
 };

package/modules/@apostrophecms/schema/index.js CHANGED Viewed

@@ -709,6 +709,7 @@ module.exports = {
         }
         if (hasParenthesis && !methodKey.endsWith('()')) {
           self.apos.util.warn(`The method "${methodDefinition}" defined in the "${fieldName}" field should be written without argument: "${methodDefinition}()".`);
+          methodKey = methodDefinition + '()';
         }
         const [ methodName, moduleName = fieldModuleName ] = methodDefinition
@@ -1743,7 +1744,11 @@ module.exports = {
           const conditionKey = self.apos.launder.string(req.query.conditionKey);
           const field = self.getFieldById(fieldId);
+          const allowedKeys = getFieldExternalConditionKeys(field);
+          // We must tolerate arguments at this stage as we only warn about them later
+          if (!allowedKeys.includes(conditionKey.replace(/\(.*\)/, '()'))) {
+            throw self.apos.error('forbidden', `${conditionKey} is not registered as an external condition.`);
+          }
           try {
             const result = await self.evaluateMethod(req, conditionKey, field.name, field.moduleName, docId);
             return { result };
@@ -1776,3 +1781,27 @@ module.exports = {
     };
   }
 };
+function getFieldExternalConditionKeys(field) {
+  const conditionTypes = [ 'if', 'requiredIf' ];
+  return [
+    ...new Set(conditionTypes.map(conditionType => getConditionTypeExternalConditionKeys(field[conditionType] || {})).flat())
+  ];
+}
+function getConditionTypeExternalConditionKeys(conditions) {
+  let results = [];
+  if (conditions.$or) {
+    results = conditions.$or.map(getConditionTypeExternalConditionKeys).flat();
+  }
+  for (const key of Object.keys(conditions)) {
+    if (key === '$or') {
+      results = [ ...results, conditions.$or.map(getConditionTypeExternalConditionKeys).flat() ];
+    } else {
+      if (key.endsWith('()')) {
+        results.push(key);
+      }
+    }
+  }
+  return results;
+}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "3.63.0",
+  "version": "3.63.2",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {
@@ -122,7 +122,7 @@
     "regexp-quote": "0.0.0",
     "resolve": "^1.19.0",
     "resolve-from": "^5.0.0",
-    "sanitize-html": "^2.7.1",
+    "sanitize-html": "^2.12.1",
     "sass": "^1.52.3",
     "sass-loader": "^10.1.1",
     "server-destroy": "^1.0.1",

package/test/schemas.js CHANGED Viewed

@@ -2052,7 +2052,10 @@ describe('Schemas', function() {
   it('should call the evaluate-external-condition API successfully', async function() {
     apos.schema.fieldsById['some-field-id'] = {
       name: 'someField',
-      moduleName: 'external-condition'
+      moduleName: 'external-condition',
+      if: {
+        'externalCondition()': 'yes'
+      }
     };
     const res = await apos.http.get('/api/v1/@apostrophecms/schema/evaluate-external-condition?fieldId=some-field-id&docId=some-doc-id&conditionKey=externalCondition()', {});
@@ -2062,7 +2065,10 @@ describe('Schemas', function() {
   it('should warn when an argument is passed in the external condition key via the evaluate-external-condition API', async function() {
     apos.schema.fieldsById['some-field-id'] = {
       name: 'someField',
-      moduleName: 'external-condition'
+      moduleName: 'external-condition',
+      if: {
+        'externalCondition()': 'yes'
+      }
     };
     const res = await apos.http.get('/api/v1/@apostrophecms/schema/evaluate-external-condition?fieldId=some-field-id&docId=some-doc-id&conditionKey=externalCondition(letsNotArgue)', {});
@@ -2081,7 +2087,7 @@ describe('Schemas', function() {
       await apos.http.get('/api/v1/@apostrophecms/schema/evaluate-external-condition?fieldId=some-field-id&docId=some-doc-id&conditionKey=externalCondition()', {});
     } catch (error) {
       assert(error.status = 400);
-      assert(error.body.message === 'The "unknown-module" module defined in the "someField" field does not exist.');
+      assert.strictEqual(error.body.message, 'externalCondition() is not registered as an external condition.');
       return;
     }
     throw new Error('should have thrown');
@@ -2097,7 +2103,7 @@ describe('Schemas', function() {
       await apos.http.get('/api/v1/@apostrophecms/schema/evaluate-external-condition?fieldId=some-field-id&docId=some-doc-id&conditionKey=unknownMethod()', {});
     } catch (error) {
       assert(error.status = 400);
-      assert(error.body.message === 'The "unknownMethod" method from "external-condition" module defined in the "someField" field does not exist.');
+      assert.strictEqual(error.body.message, 'unknownMethod() is not registered as an external condition.');
       return;
     }
     throw new Error('should have thrown');