apostrophe 3.63.1 → 3.63.3

package/CHANGELOG.md

@@ -1,5 +1,32 @@
 # Changelog
 
+## 3.63.3 (2024-03-14)
+
+### Adds
+
+* Add translation keys used by the multisite assembly module. This was released ahead of
+our regular schedule because the multisite module was released early with the expectation
+that these keys would be present.
+
+### Fixes
+
+* `field.help` and `field.htmlHelp` are now correctly translated when displayed in a tooltip.
+This was also an expectation for the multisite module.
+
+## 3.63.2 (2024-03-01)
+
+### Security
+
+* Always validate that method names passed to the `external-condition` API actually appear in `if` or `requiredIf`
+clauses for the field in question. This fix addresses a serious security risk in which arbitrary methods of
+Apostrophe modules could be called over the network, without arguments, and the results returned to the caller.
+While the lack of arguments mitigates the data exfiltration risk, it is possible to cause data loss by
+invoking the right method. Therefore this is an urgent upgrade for all Apostrophe 3.x users. Our thanks to the Michelin
+penetration test red team for disclosing this vulnerability. All are welcome to disclose security vulnerabilities
+in ApostropheCMS code via [security@apostrophecms.com](mailto:security@apostrophecms.com).
+* Disable the `alwaysIframe` query parameter of the oembed proxy. This feature was never used in Apostrophe core, and could be misused to carry out arbitrary GET requests in the context of an iframe, although it could not be used to exfiltrate any information other than the success or failure of the request, and the request was still performed by the user's browser only. Thanks to the Michelin team.
+* Remove vestigial A2 code relating to polymorphic relationship fields. The code in question had no relevance to the way such a feature would be implemented in A3, and could be used to cause a denial of service by crashing and restarting the process. Thanks to the Michelin team.
+
 ## 3.63.1 (2024-02-22)
 
 ### Security

package/defaults.js

@@ -4,6 +4,7 @@ module.exports = {
     '@apostrophecms/error': {},
     '@apostrophecms/util': {},
     '@apostrophecms/i18n': {},
+    '@apostrophecms/multisite-i18n': {},
     '@apostrophecms/task': {},
     '@apostrophecms/schema': {},
     '@apostrophecms/uploadfs': {},

package/modules/@apostrophecms/multisite-i18n/i18n/aposMultisite/en.json

@@ -0,0 +1,48 @@
+{
+  "shortName": "Short Name",
+  "shortNameHelp": "If the short name is \"niftypig\", then the temporary hostname of the site will be \"niftypig.{{ baseDomain }}\".",
+  "prodHostname": "Production Hostname",
+  "prodHostnameHelp": "We will also automatically add \"www.\" as an alternate. The final name of the site. Do not add unless the DNS is being changed or has been changed to point to this service",
+  "canonicalize": "Redirect to Production Hostname",
+  "canonicalizeHelp": "Do not activate this until you see that both DNS and HTTPS are working for the production hostname.",
+  "canonicalizeStatus": "Canonical Redirect Status Code",
+  "canonicalizeStatusHelp": "\"Moved Permanently\" is best for SEO, but you should make sure you are happy with the results using \"Moved Temporarily\" first to avoid caching of bad redirects.",
+  "hostnamesArray": "Hostnames",
+  "hostnamesArrayHelp": "All valid hostnames for the site must be on this list, for instance both example.com and www.example.com",
+  "devBaseUrl": "Development Base URL",
+  "devBaseUrlHelp": "like http://localhost:3000",
+  "stagingBaseUrl": "Staging Base URL",
+  "stagingBaseUrlHelp": "like http://project.staging.org",
+  "prodBaseUrl": "Production Base URL",
+  "prodBaseUrlHelp": "like https://myproject.com",
+  "localeName": "Name",
+  "localeNameHelp": "Like en or en-GB. NOTE: the name may be changed but renaming a locale can be a slow operation. Consider changing just the label, prefix and hostname.",
+  "localeLabel": "Label",
+  "localeLabelHelp": "Like British English",
+  "localePrefix": "Prefix",
+  "localePrefixHelp": "Like /en",
+  "localeSeparateHost": "Separate Host",
+  "localeSeparateHostHelp": "This locale requires a separate hostname, e.g. fr.example.com in staging or example.fr in production.",
+  "localeStagingSubdomain": "Staging Subdomain",
+  "localeStagingSubdomainHelp": "Custom subdomain used in staging. Multiple locales can be configured with the same subdomain in order to group them on it, for instance \"canada.example.com/en\" and \"canada.example.com/fr\". Note that all but one locale must have a prefix for distinction. If left blank, the locale name will be used as the subdomain, outside of production.",
+  "localeSeparateProductionHostname": "Separate Production Hostname",
+  "localeSeparateProductionHostnameHelp": "Like example.fr. If not set, defaults to LOCALE.SHORTNAME.{{ baseDomain }}, e.g. fr.somesite.{{ baseDomain }}.",
+  "localePrivate": "Private locale",
+  "localePrivateHelp": "This locale is private",
+  "adminPassword": "Admin Password",
+  "adminPasswordHelp": "Set password for the \"admin\" user of the new site. For pre-existing sites, leave blank for no change.",
+  "redirect": "Redirect Entire Site",
+  "redirectHelp": "Redirect all traffic for the site to another URL.",
+  "redirectUrl": "Redirect To...",
+  "redirectUrlHelp": "Redirect traffic to this URL.",
+  "redirectPreservePath": "Preserve the Path when Redirecting",
+  "redirectPreservePathHelp": "If the URL ends with /something, add /something to the redirect URL as well. Otherwise, all traffic is redirected to a single place.",
+  "redirectStatus": "Redirect Status Code",
+  "redirectStatusHelp": "\"Moved Permanently\" is best for SEO, but you should test thoroughly first with \"Moved Temporarily\" to avoid caching of bad redirects.",
+  "emptyAdminPasswordError": "You must fill out the admin password field.",
+  "shortnameError": "The short name of the site must not contain dots, a protocol or spaces. It is a short name like \"nifty\" (without quotes) and will be used as a \"working name\" for a temporary subdomain for your site until it is launched.",
+  "shortnameInUseError": "That short name is already in use by another site.",
+  "productionHostnameInUseError": "That Production Hostname is already in use by another site.",
+  "renamingLocale": "Renaming locale {{ oldName }} to {{ newName }} in site {{ siteName }}, access to the site is paused, this may take time",
+  "localeRenamed": "Locale renamed"
+}

package/modules/@apostrophecms/multisite-i18n/index.js

@@ -0,0 +1,7 @@
+module.exports = {
+  i18n: {
+    aposMultisite: {
+      browser: true
+    }
+  }
+};

package/modules/@apostrophecms/oembed/index.js

@@ -67,7 +67,9 @@ module.exports = {
       //
       // If `options.alwaysIframe` is true, the result is a simple
       // iframe of the URL. If `options.iframeHeight` is set, the iframe
-      // has that height in pixels, otherwise it is left to CSS.
+      // has that height in pixels, otherwise it is left to CSS. These iframe-related
+      // options are not used in core Apostrophe and remain available to project-level
+      // application code for backwards compatibility purposes only.
       //
       // The `options` object is passed on to `oembetter.fetch`.
       //
@@ -127,6 +129,9 @@ module.exports = {
         await self.apos.cache.set('@apostrophecms/oembed', key, response, self.options.cacheLifetime);
         return response;
       },
+      // Not currently used. Present for backwards compatibility
+      // in the event that application code used it directly.
+      //
       // Given a URL, return an oembed response for it
       // which just iframes the URL given. Fetches the page
       // first to get the title property.
@@ -219,8 +224,10 @@ module.exports = {
         async query(req) {
           const url = self.apos.launder.string(req.query.url);
           const options = {
-            alwaysIframe: self.apos.launder.boolean(req.query.alwaysIframe),
-            iframeHeight: self.apos.launder.integer(req.query.iframeHeight)
+            // This feature is no longer available via the
+            // oembed proxy because it posed an SSRF risk and
+            // was never used in core Apostrophe widgets
+            alwaysIframe: false
           };
 
           const result = await self.query(req, url, options);

package/modules/@apostrophecms/polymorphic-type/index.js

@@ -1,4 +1,3 @@
-const _ = require('lodash');
 const migrations = require('./lib/migrations.js');
 
 module.exports = {
@@ -14,23 +13,5 @@ module.exports = {
     return {
       ...migrations(self)
     };
-  },
-  routes(self) {
-    return {
-      post: {
-        polymorphicChooserModal(req, res) {
-          const limit = self.apos.launder.integer(req.body.limit);
-          const field = req.body.field;
-          const types = _.map(field.withType, function (name) {
-            return self.apos.doc.getManager(name);
-          });
-          return self.send(req, 'chooserModal', {
-            options: self.options,
-            limit: limit,
-            types: types
-          });
-        }
-      }
-    };
   }
 };

package/modules/@apostrophecms/schema/index.js

@@ -709,6 +709,7 @@ module.exports = {
         }
         if (hasParenthesis && !methodKey.endsWith('()')) {
           self.apos.util.warn(`The method "${methodDefinition}" defined in the "${fieldName}" field should be written without argument: "${methodDefinition}()".`);
+          methodKey = methodDefinition + '()';
         }
 
         const [ methodName, moduleName = fieldModuleName ] = methodDefinition
@@ -1743,7 +1744,11 @@ module.exports = {
           const conditionKey = self.apos.launder.string(req.query.conditionKey);
 
           const field = self.getFieldById(fieldId);
-
+          const allowedKeys = getFieldExternalConditionKeys(field);
+          // We must tolerate arguments at this stage as we only warn about them later
+          if (!allowedKeys.includes(conditionKey.replace(/\(.*\)/, '()'))) {
+            throw self.apos.error('forbidden', `${conditionKey} is not registered as an external condition.`);
+          }
           try {
             const result = await self.evaluateMethod(req, conditionKey, field.name, field.moduleName, docId);
             return { result };
@@ -1776,3 +1781,27 @@ module.exports = {
     };
   }
 };
+
+function getFieldExternalConditionKeys(field) {
+  const conditionTypes = [ 'if', 'requiredIf' ];
+  return [
+    ...new Set(conditionTypes.map(conditionType => getConditionTypeExternalConditionKeys(field[conditionType] || {})).flat())
+  ];
+}
+
+function getConditionTypeExternalConditionKeys(conditions) {
+  let results = [];
+  if (conditions.$or) {
+    results = conditions.$or.map(getConditionTypeExternalConditionKeys).flat();
+  }
+  for (const key of Object.keys(conditions)) {
+    if (key === '$or') {
+      results = [ ...results, conditions.$or.map(getConditionTypeExternalConditionKeys).flat() ];
+    } else {
+      if (key.endsWith('()')) {
+        results.push(key);
+      }
+    }
+  }
+  return results;
+}

package/modules/@apostrophecms/schema/ui/apos/components/AposInputWrapper.vue

@@ -38,7 +38,7 @@
               <AposIndicator
                 icon="help-circle-icon"
                 class="apos-field__help-tooltip__icon"
-                :tooltip="field.help || field.htmlHelp"
+                :tooltip="$t(field.help || field.htmlHelp)"
                 :icon-size="11"
                 icon-color="var(--a-base-4)"
               />

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "apostrophe",
-  "version": "3.63.1",
+  "version": "3.63.3",
   "description": "The Apostrophe Content Management System.",
   "main": "index.js",
   "scripts": {

package/test/schemas.js

@@ -2052,7 +2052,10 @@ describe('Schemas', function() {
   it('should call the evaluate-external-condition API successfully', async function() {
     apos.schema.fieldsById['some-field-id'] = {
       name: 'someField',
-      moduleName: 'external-condition'
+      moduleName: 'external-condition',
+      if: {
+        'externalCondition()': 'yes'
+      }
     };
 
     const res = await apos.http.get('/api/v1/@apostrophecms/schema/evaluate-external-condition?fieldId=some-field-id&docId=some-doc-id&conditionKey=externalCondition()', {});
@@ -2062,7 +2065,10 @@ describe('Schemas', function() {
   it('should warn when an argument is passed in the external condition key via the evaluate-external-condition API', async function() {
     apos.schema.fieldsById['some-field-id'] = {
       name: 'someField',
-      moduleName: 'external-condition'
+      moduleName: 'external-condition',
+      if: {
+        'externalCondition()': 'yes'
+      }
     };
 
     const res = await apos.http.get('/api/v1/@apostrophecms/schema/evaluate-external-condition?fieldId=some-field-id&docId=some-doc-id&conditionKey=externalCondition(letsNotArgue)', {});
@@ -2081,7 +2087,7 @@ describe('Schemas', function() {
       await apos.http.get('/api/v1/@apostrophecms/schema/evaluate-external-condition?fieldId=some-field-id&docId=some-doc-id&conditionKey=externalCondition()', {});
     } catch (error) {
       assert(error.status = 400);
-      assert(error.body.message === 'The "unknown-module" module defined in the "someField" field does not exist.');
+      assert.strictEqual(error.body.message, 'externalCondition() is not registered as an external condition.');
       return;
     }
     throw new Error('should have thrown');
@@ -2097,7 +2103,7 @@ describe('Schemas', function() {
       await apos.http.get('/api/v1/@apostrophecms/schema/evaluate-external-condition?fieldId=some-field-id&docId=some-doc-id&conditionKey=unknownMethod()', {});
     } catch (error) {
       assert(error.status = 400);
-      assert(error.body.message === 'The "unknownMethod" method from "external-condition" module defined in the "someField" field does not exist.');
+      assert.strictEqual(error.body.message, 'unknownMethod() is not registered as an external condition.');
       return;
     }
     throw new Error('should have thrown');