apostrophe 4.30.0-alpha.1 → 4.30.0

package/test/rich-text-widget.js

@@ -293,4 +293,204 @@ describe('Rich Text Widget', function () {
     assert(text2.includes('src="/uploads/attachments/attachment-1-attachment-1.max.jpg" alt="Updated Test Image 1"'));
     assert(text2.includes('src="/uploads/attachments/attachment-2-attachment-2.max.jpg" alt="Updated Test Image 2"'));
   });
+
+  describe('image import allowlist (SSRF mitigation)', function () {
+    let originalConsoleError;
+
+    before(function () {
+      // The sanitize method intentionally console.errors thrown errors to
+      // surface stack traces during development; silence that noise during
+      // these negative tests.
+      // eslint-disable-next-line no-console
+      originalConsoleError = console.error;
+      // eslint-disable-next-line no-console
+      console.error = () => {};
+    });
+
+    after(function () {
+      // eslint-disable-next-line no-console
+      console.error = originalConsoleError;
+    });
+
+    it('allows rich text HTML import without `<img>` tags even with no allowlist configured', async function () {
+      apos = await t.create({
+        root: module,
+        modules: {}
+      });
+
+      const manager = apos.modules['@apostrophecms/rich-text-widget'];
+      const req = apos.task.getReq();
+
+      const output = await manager.sanitize(req, {
+        type: '@apostrophecms/rich-text',
+        content: '<p>seed</p>',
+        import: {
+          html: '<p>Hello <strong>world</strong></p>'
+        }
+      }, {});
+
+      assert.match(output.content, /Hello/);
+    });
+
+    it('rejects an image fetch for a hostname not in the allowlist and never calls fetch', async function () {
+      apos = await t.create({
+        root: module,
+        modules: {
+          '@apostrophecms/rich-text-widget': {
+            options: {
+              imageImportAllowedHostnames: [ 'images.example.com' ]
+            }
+          }
+        }
+      });
+
+      const manager = apos.modules['@apostrophecms/rich-text-widget'];
+      const req = apos.task.getReq();
+
+      const originalFetch = global.fetch;
+      let fetchCalled = false;
+      global.fetch = async () => {
+        fetchCalled = true;
+        throw new Error('fetch should not be called');
+      };
+
+      try {
+        await assert.rejects(
+          () => manager.sanitize(req, {
+            type: '@apostrophecms/rich-text',
+            content: '<p>seed</p>',
+            import: {
+              html: '<img src="http://127.0.0.1:7777/secret.png">',
+              baseUrl: 'http://127.0.0.1:7777'
+            }
+          }, {}),
+          (err) => {
+            assert.equal(err.name, 'forbidden');
+            assert.match(err.message, /127\.0\.0\.1/);
+            assert.match(err.message, /imageImportAllowedHostnames/);
+            return true;
+          }
+        );
+      } finally {
+        global.fetch = originalFetch;
+      }
+
+      assert.equal(fetchCalled, false);
+    });
+
+    it('rejects rich text HTML import for non-http(s) protocols even if hostname matches', async function () {
+      apos = await t.create({
+        root: module,
+        modules: {
+          '@apostrophecms/rich-text-widget': {
+            options: {
+              imageImportAllowedHostnames: [ 'localhost' ]
+            }
+          }
+        }
+      });
+
+      const manager = apos.modules['@apostrophecms/rich-text-widget'];
+      const req = apos.task.getReq();
+
+      await assert.rejects(
+        () => manager.sanitize(req, {
+          type: '@apostrophecms/rich-text',
+          content: '<p>seed</p>',
+          import: {
+            html: '<img src="file:///etc/passwd">',
+            baseUrl: 'file://localhost'
+          }
+        }, {}),
+        (err) => {
+          assert.equal(err.name, 'forbidden');
+          return true;
+        }
+      );
+    });
+
+    it('proceeds to fetch when import URL hostname is on the allowlist', async function () {
+      apos = await t.create({
+        root: module,
+        modules: {
+          '@apostrophecms/rich-text-widget': {
+            options: {
+              imageImportAllowedHostnames: [ 'images.example.com' ]
+            }
+          }
+        }
+      });
+
+      const manager = apos.modules['@apostrophecms/rich-text-widget'];
+      const req = apos.task.getReq();
+
+      const originalFetch = global.fetch;
+      const fetchedUrls = [];
+      // Throw a unique marker error from inside fetch. If the allowlist
+      // passes, the marker error propagates; if the allowlist rejects, we
+      // would see a `forbidden` error instead.
+      const marker = new Error('FETCH_REACHED');
+      marker.name = 'FetchReached';
+      global.fetch = async (url) => {
+        fetchedUrls.push(url.toString());
+        throw marker;
+      };
+
+      try {
+        await assert.rejects(
+          () => manager.sanitize(req, {
+            type: '@apostrophecms/rich-text',
+            content: '<p>seed</p>',
+            import: {
+              html: '<img src="https://images.example.com/foo.png">',
+              baseUrl: 'https://images.example.com'
+            }
+          }, {}),
+          (err) => err.name === 'FetchReached'
+        );
+      } finally {
+        global.fetch = originalFetch;
+      }
+
+      assert.deepEqual(fetchedUrls, [ 'https://images.example.com/foo.png' ]);
+    });
+
+    it('helper methods reflect option configuration', async function () {
+      apos = await t.create({
+        root: module,
+        modules: {
+          '@apostrophecms/rich-text-widget': {
+            options: {
+              imageImportAllowedHostnames: [ 'Images.Example.com', '', null, 'cdn.example.com' ]
+            }
+          }
+        }
+      });
+
+      const manager = apos.modules['@apostrophecms/rich-text-widget'];
+
+      assert.deepEqual(
+        manager.getImageImportAllowedHostnames(),
+        [ 'images.example.com', 'cdn.example.com' ]
+      );
+
+      const allowed = manager.getImageImportAllowedHostnames();
+      assert.equal(
+        manager.isImageImportHostnameAllowed(new URL('https://images.example.com/foo.png'), allowed),
+        true
+      );
+      assert.equal(
+        manager.isImageImportHostnameAllowed(new URL('https://IMAGES.example.com/foo.png'), allowed),
+        true
+      );
+      assert.equal(
+        manager.isImageImportHostnameAllowed(new URL('https://attacker.example.com/foo.png'), allowed),
+        false
+      );
+      assert.equal(
+        manager.isImageImportHostnameAllowed(new URL('file:///etc/passwd'), allowed),
+        false
+      );
+    });
+  });
 });

package/test/styles.js

@@ -1102,6 +1102,56 @@ describe('Styles', function () {
       );
     });
 
+    it('should fall back to field.def when the doc has no value', async function () {
+      const { renderGlobalStyles, renderScopedStyles } = await universal;
+
+      const schema = [
+        {
+          name: 'gap',
+          type: 'range',
+          selector: ':root',
+          property: '--apos-layout-gap',
+          unit: 'px',
+          def: 24
+        },
+        {
+          name: 'noDef',
+          type: 'range',
+          selector: ':root',
+          property: '--no-def',
+          unit: 'px'
+        }
+      ];
+
+      // Doc carries no `gap` value (e.g. field added after doc was
+      // created). The field's `def` is used.
+      const fromDef = renderGlobalStyles(schema, {});
+      assert.ok(
+        fromDef.css.includes('--apos-layout-gap: 24px'),
+        'renderGlobalStyles should emit field.def when doc value is absent'
+      );
+      assert.ok(
+        !fromDef.css.includes('--no-def'),
+        'fields without def should still be skipped'
+      );
+
+      // Saved value overrides def.
+      const fromDoc = renderGlobalStyles(schema, { gap: 12 });
+      assert.ok(
+        fromDoc.css.includes('--apos-layout-gap: 12px'),
+        'doc value should override field.def'
+      );
+
+      // Scoped renderer behaves the same way.
+      const scoped = renderScopedStyles(schema, {}, {
+        rootSelector: '#id'
+      });
+      assert.ok(
+        scoped.css.includes('--apos-layout-gap: 24px'),
+        'renderScopedStyles should emit field.def when doc value is absent'
+      );
+    });
+
     it('should include imageSizes in attachment getBrowserData', function () {
       const browserData = apos.attachment.getBrowserData(apos.task.getReq());
       assert.ok(

package/test-lib/util.js

@@ -1,27 +1,5 @@
 const { createId } = require('@paralleldrive/cuid2');
-
-const testDbProtocol = process.env.APOS_TEST_DB_PROTOCOL || 'mongodb';
-
-// Build a test database URI for postgres based on the shortName.
-// Returns undefined for mongodb, letting the default logic handle it.
-function getTestDbUri(shortName) {
-  if (testDbProtocol === 'postgres') {
-    // PostgreSQL database names cannot contain hyphens
-    const dbName = shortName.replace(/-/g, '_');
-    return `postgres://localhost:5432/${dbName}`;
-  }
-  if (testDbProtocol === 'multipostgres') {
-    // Multi-schema mode: shared real database, per-test schema
-    const schemaName = shortName.replace(/-/g, '_').replace(/[^a-zA-Z0-9_]/g, '');
-    return `multipostgres://localhost:5432/apos_test-${schemaName}`;
-  }
-  if (testDbProtocol === 'sqlite') {
-    const os = require('os');
-    const path = require('path');
-    const dbName = shortName.replace(/-/g, '_').replace(/[^a-zA-Z0-9_]/g, '');
-    return `sqlite://${path.join(os.tmpdir(), `apos_test_${dbName}.db`)}`;
-  }
-}
+const mongodbConnect = require('../lib/mongodb-connect');
 
 // Properly clean up an apostrophe instance and drop its
 // database collections to create a sane environment for the next test.
@@ -32,23 +10,23 @@ function getTestDbUri(shortName) {
 // If `apos` is null, no work is done.
 
 async function destroy(apos) {
-  if (!apos || apos._destroyed) {
+  if (!apos) {
     return;
   }
-  apos._destroyed = true;
-  const dbModule = apos.modules['@apostrophecms/db'];
-  const { uri } = dbModule;
-  const dbName = apos.db && (apos.db.databaseName || apos.db._name);
   await apos.destroy();
-  if (!uri || !dbName) {
-    return;
+  const { uri } = apos.modules['@apostrophecms/db'];
+  const dbName = apos.db && apos.db.databaseName;
+  // TODO at some point accommodate nonsense like testing remote databases
+  // that won't let us use dropDatabase, no shell available etc., but the
+  // important principle here is that we should not have to have an apos
+  // object to clean up the database, otherwise we have to get hold of one
+  // when initialization failed and that's really not apostrophe's concern
+  if (dbName && uri) {
+    const client = await mongodbConnect(`${uri}${dbName}`);
+    const db = client.db(dbName);
+    await db.dropDatabase();
+    await client.close();
   }
-  // Make a fresh connection (the original was closed by destroy)
-  // and use it to drop the test database
-  const client = await dbModule.connectToAdapter(uri);
-  const db = client.db(dbName);
-  await db.dropDatabase();
-  await client.close();
 };
 
 async function create(options = {}) {
@@ -77,18 +55,6 @@ async function create(options = {}) {
     express.options.session.secret = express.options.session.secret || 'test';
     config.modules['@apostrophecms/express'] = express;
   }
-  // When APOS_TEST_DB_PROTOCOL=postgres, automatically configure the db
-  // module to use a postgres URI unless already explicitly configured
-  const testUri = getTestDbUri(config.shortName);
-  if (testUri) {
-    config.modules = config.modules || {};
-    const dbModule = config.modules['@apostrophecms/db'] || {};
-    dbModule.options = dbModule.options || {};
-    if (!dbModule.options.uri && !dbModule.options.client) {
-      dbModule.options.uri = testUri;
-    }
-    config.modules['@apostrophecms/db'] = dbModule;
-  }
   return require('../index.js')(config);
 }
 
@@ -185,7 +151,5 @@ module.exports = {
   loginAs,
   logout,
   getUserJar,
-  getTestDbUri,
-  testDbProtocol,
   timeout: (process.env.TEST_TIMEOUT && parseInt(process.env.TEST_TIMEOUT)) || 20000
 };

package/claude-tools/detect-handles.js

@@ -1,46 +0,0 @@
-// Require this before running mocha to detect what activates process.stdin
-// Usage: npx mocha -t 10000 --require ./claude-tools/detect-handles.js test/assets.js
-
-console.log(`stdin paused at startup: ${process.stdin.isPaused()}`);
-console.log(`stdin readableFlowing at startup: ${process.stdin.readableFlowing}`);
-
-// Monkey-patch stdin.resume to capture the call stack
-const origResume = process.stdin.resume.bind(process.stdin);
-process.stdin.resume = function(...args) {
-  console.log('\n=== process.stdin.resume() called ===');
-  console.log(new Error().stack);
-  return origResume(...args);
-};
-
-// Monkey-patch stdin.on to detect 'data' listener additions
-const origOn = process.stdin.on.bind(process.stdin);
-process.stdin.on = function(event, ...args) {
-  if (event === 'data' || event === 'readable') {
-    console.log(`\n=== process.stdin.on('${event}') called ===`);
-    console.log(new Error().stack);
-  }
-  return origOn(event, ...args);
-};
-
-// Periodically check stdin state changes
-let lastState = process.stdin.readableFlowing;
-const checker = setInterval(() => {
-  if (process.stdin.readableFlowing !== lastState) {
-    console.log(`\n=== stdin readableFlowing changed: ${lastState} -> ${process.stdin.readableFlowing} ===`);
-    console.log(new Error().stack);
-    lastState = process.stdin.readableFlowing;
-  }
-}, 100);
-checker.unref();
-
-const origRun = require('mocha/lib/runner').prototype.run;
-require('mocha/lib/runner').prototype.run = function(fn) {
-  return origRun.call(this, function(failures) {
-    console.log(`\nstdin paused at end: ${process.stdin.isPaused()}`);
-    console.log(`stdin readableFlowing at end: ${process.stdin.readableFlowing}`);
-    setTimeout(() => {
-      process.exit(failures ? 3 : 0);
-    }, 2000);
-    if (fn) fn(failures);
-  });
-};

package/claude-tools/minimal-hang-test.js

@@ -1,28 +0,0 @@
-// Minimal test to isolate what causes the hang.
-// Must reference the test/ directory as root for proper module resolution.
-const t = require('../test-lib/test.js');
-const path = require('path');
-
-// Fake a module object rooted in test/ like the real tests do
-const fakeModule = {
-  id: path.join(__dirname, '../test/fake'),
-  filename: path.join(__dirname, '../test/fake.js'),
-  paths: [path.join(__dirname, '../test/node_modules')]
-};
-
-describe('Minimal hang test', function() {
-  this.timeout(60000);
-  let apos;
-
-  after(async function() {
-    await t.destroy(apos);
-    console.log('after: destroy complete');
-  });
-
-  it('should create and use apos without hanging', async function() {
-    apos = await t.create({
-      root: fakeModule
-    });
-    console.log('apos created successfully');
-  });
-});

package/claude-tools/mongo-close-test.js

@@ -1,11 +0,0 @@
-// Test whether a MongoDB connection keeps the process alive after close()
-const mongoConnect = require('../../../packages/db-connect/lib/mongodb-connect');
-
-(async () => {
-  const uri = 'mongodb://localhost:27017/test_handle_leak';
-  console.log('Connecting...');
-  const client = await mongoConnect(uri);
-  console.log('Connected. Closing...');
-  await client.close();
-  console.log('Closed. Process should exit now if no leaked handles.');
-})();

package/claude-tools/stdin-ref-test.js

@@ -1,14 +0,0 @@
-// Check if process.stdin keeps the process alive
-// If this script hangs, stdin is ref'd. If it exits, stdin is unref'd.
-
-console.log(`stdin isTTY: ${process.stdin.isTTY}`);
-console.log(`stdin readableFlowing: ${process.stdin.readableFlowing}`);
-console.log(`stdin isPaused: ${process.stdin.isPaused()}`);
-
-// Check ref status
-if (typeof process.stdin.unref === 'function') {
-  console.log('stdin has unref method');
-}
-
-console.log('Waiting to see if process exits on its own...');
-// Don't do anything - just see if the process exits