astro 5.16.2 → 5.16.4
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/actions/runtime/server.d.ts +5 -4
- package/dist/actions/runtime/server.js +0 -1
- package/dist/assets/fonts/definitions.d.ts +8 -3
- package/dist/assets/fonts/infra/build-remote-font-provider-mod-resolver.d.ts +3 -1
- package/dist/assets/fonts/infra/build-remote-font-provider-mod-resolver.js +5 -7
- package/dist/assets/fonts/infra/build-url-proxy-hash-resolver.d.ts +15 -5
- package/dist/assets/fonts/infra/build-url-proxy-hash-resolver.js +17 -10
- package/dist/assets/fonts/infra/build-url-resolver.d.ts +10 -5
- package/dist/assets/fonts/infra/build-url-resolver.js +33 -27
- package/dist/assets/fonts/infra/cached-font-fetcher.d.ts +11 -7
- package/dist/assets/fonts/infra/cached-font-fetcher.js +35 -29
- package/dist/assets/fonts/infra/capsize-font-metrics-resolver.d.ts +18 -5
- package/dist/assets/fonts/infra/capsize-font-metrics-resolver.js +45 -40
- package/dist/assets/fonts/infra/data-collector.d.ts +10 -3
- package/dist/assets/fonts/infra/data-collector.js +30 -16
- package/dist/assets/fonts/infra/dev-remote-font-provider-mod-resolver.d.ts +7 -3
- package/dist/assets/fonts/infra/dev-remote-font-provider-mod-resolver.js +11 -9
- package/dist/assets/fonts/infra/dev-url-proxy-hash-resolver.d.ts +15 -5
- package/dist/assets/fonts/infra/dev-url-proxy-hash-resolver.js +31 -22
- package/dist/assets/fonts/infra/dev-url-resolver.d.ts +9 -4
- package/dist/assets/fonts/infra/dev-url-resolver.js +24 -20
- package/dist/assets/fonts/infra/font-type-extractor.d.ts +4 -1
- package/dist/assets/fonts/infra/font-type-extractor.js +14 -16
- package/dist/assets/fonts/infra/fontace-font-file-reader.d.ts +10 -1
- package/dist/assets/fonts/infra/fontace-font-file-reader.js +18 -20
- package/dist/assets/fonts/infra/levenshtein-string-matcher.d.ts +4 -1
- package/dist/assets/fonts/infra/levenshtein-string-matcher.js +119 -121
- package/dist/assets/fonts/infra/local-url-proxy-content-resolver.d.ts +4 -0
- package/dist/assets/fonts/infra/local-url-proxy-content-resolver.js +14 -0
- package/dist/assets/fonts/infra/minifiable-css-renderer.d.ts +8 -3
- package/dist/assets/fonts/infra/minifiable-css-renderer.js +12 -10
- package/dist/assets/fonts/infra/remote-font-provider-resolver.d.ts +9 -4
- package/dist/assets/fonts/infra/remote-font-provider-resolver.js +42 -38
- package/dist/assets/fonts/infra/remote-url-proxy-content-resolver.d.ts +4 -0
- package/dist/assets/fonts/infra/remote-url-proxy-content-resolver.js +9 -0
- package/dist/assets/fonts/infra/require-local-provider-url-resolver.d.ts +8 -4
- package/dist/assets/fonts/infra/require-local-provider-url-resolver.js +17 -12
- package/dist/assets/fonts/infra/system-fallbacks-provider.d.ts +5 -10
- package/dist/assets/fonts/infra/system-fallbacks-provider.js +8 -11
- package/dist/assets/fonts/infra/unstorage-fs-storage.d.ts +11 -0
- package/dist/assets/fonts/infra/unstorage-fs-storage.js +26 -0
- package/dist/assets/fonts/infra/url-proxy.d.ts +16 -7
- package/dist/assets/fonts/infra/url-proxy.js +46 -27
- package/dist/assets/fonts/infra/xxhash-hasher.d.ts +6 -1
- package/dist/assets/fonts/infra/xxhash-hasher.js +13 -9
- package/dist/assets/fonts/orchestrate.d.ts +1 -2
- package/dist/assets/fonts/utils.d.ts +1 -2
- package/dist/assets/fonts/vite-plugin-fonts.js +43 -46
- package/dist/cli/infra/build-time-astro-version-provider.js +1 -1
- package/dist/content/content-layer.js +3 -3
- package/dist/core/app/index.js +8 -2
- package/dist/core/constants.js +1 -1
- package/dist/core/csp/runtime.d.ts +11 -0
- package/dist/core/csp/runtime.js +35 -0
- package/dist/core/dev/dev.js +1 -1
- package/dist/core/messages.js +2 -2
- package/dist/core/render-context.js +25 -5
- package/dist/core/util/pathname.d.ts +10 -0
- package/dist/core/util/pathname.js +17 -0
- package/dist/vite-plugin-astro-server/request.js +9 -2
- package/package.json +2 -2
- package/dist/assets/fonts/infra/fs-storage.d.ts +0 -4
- package/dist/assets/fonts/infra/fs-storage.js +0 -14
- package/dist/assets/fonts/infra/url-proxy-content-resolver.d.ts +0 -3
- package/dist/assets/fonts/infra/url-proxy-content-resolver.js +0 -23
|
@@ -0,0 +1,10 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* Validates that a pathname is not multi-level encoded.
|
|
3
|
+
* Detects if a pathname contains encoding that was encoded again (e.g., %2561dmin where %25 decodes to %).
|
|
4
|
+
* This prevents double/triple encoding bypasses of security checks.
|
|
5
|
+
*
|
|
6
|
+
* @param pathname - The pathname to validate
|
|
7
|
+
* @returns The decoded pathname if valid
|
|
8
|
+
* @throws Error if multi-level encoding is detected
|
|
9
|
+
*/
|
|
10
|
+
export declare function validateAndDecodePathname(pathname: string): string;
|
|
@@ -0,0 +1,17 @@
|
|
|
1
|
+
function validateAndDecodePathname(pathname) {
|
|
2
|
+
let decoded;
|
|
3
|
+
try {
|
|
4
|
+
decoded = decodeURI(pathname);
|
|
5
|
+
} catch (_e) {
|
|
6
|
+
throw new Error("Invalid URL encoding");
|
|
7
|
+
}
|
|
8
|
+
const hasDecoding = decoded !== pathname;
|
|
9
|
+
const decodedStillHasEncoding = /%[0-9a-fA-F]{2}/.test(decoded);
|
|
10
|
+
if (hasDecoding && decodedStillHasEncoding) {
|
|
11
|
+
throw new Error("Multi-level URL encoding is not allowed");
|
|
12
|
+
}
|
|
13
|
+
return decoded;
|
|
14
|
+
}
|
|
15
|
+
export {
|
|
16
|
+
validateAndDecodePathname
|
|
17
|
+
};
|
|
@@ -1,5 +1,6 @@
|
|
|
1
1
|
import { hasFileExtension } from "@astrojs/internal-helpers/path";
|
|
2
2
|
import { appendForwardSlash, removeTrailingForwardSlash } from "../core/path.js";
|
|
3
|
+
import { validateAndDecodePathname } from "../core/util/pathname.js";
|
|
3
4
|
import { runWithErrorHandling } from "./controller.js";
|
|
4
5
|
import { recordServerError } from "./error.js";
|
|
5
6
|
import { handle500Response } from "./response.js";
|
|
@@ -18,9 +19,15 @@ async function handleRequest({
|
|
|
18
19
|
if (config.trailingSlash === "never" && !incomingRequest.url) {
|
|
19
20
|
pathname = "";
|
|
20
21
|
} else {
|
|
21
|
-
|
|
22
|
+
try {
|
|
23
|
+
pathname = validateAndDecodePathname(url.pathname);
|
|
24
|
+
} catch {
|
|
25
|
+
incomingResponse.writeHead(404, { "Content-Type": "text/plain" });
|
|
26
|
+
incomingResponse.end("Not Found");
|
|
27
|
+
return;
|
|
28
|
+
}
|
|
22
29
|
}
|
|
23
|
-
url.pathname = removeTrailingForwardSlash(config.base) +
|
|
30
|
+
url.pathname = removeTrailingForwardSlash(config.base) + pathname;
|
|
24
31
|
if (config.trailingSlash === "never") {
|
|
25
32
|
url.pathname = removeTrailingForwardSlash(url.pathname);
|
|
26
33
|
} else if (config.trailingSlash === "always" && !hasFileExtension(url.pathname)) {
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "astro",
|
|
3
|
-
"version": "5.16.
|
|
3
|
+
"version": "5.16.4",
|
|
4
4
|
"description": "Astro is a modern site builder with web best practices, performance, and DX front-of-mind.",
|
|
5
5
|
"type": "module",
|
|
6
6
|
"author": "withastro",
|
|
@@ -154,8 +154,8 @@
|
|
|
154
154
|
"zod": "^3.25.76",
|
|
155
155
|
"zod-to-json-schema": "^3.25.0",
|
|
156
156
|
"zod-to-ts": "^1.2.0",
|
|
157
|
-
"@astrojs/markdown-remark": "6.3.9",
|
|
158
157
|
"@astrojs/internal-helpers": "0.7.5",
|
|
158
|
+
"@astrojs/markdown-remark": "6.3.9",
|
|
159
159
|
"@astrojs/telemetry": "3.3.0"
|
|
160
160
|
},
|
|
161
161
|
"optionalDependencies": {
|
|
@@ -1,14 +0,0 @@
|
|
|
1
|
-
import { fileURLToPath } from "node:url";
|
|
2
|
-
import { createStorage } from "unstorage";
|
|
3
|
-
import fsLiteDriver from "unstorage/drivers/fs-lite";
|
|
4
|
-
function createFsStorage({ base }) {
|
|
5
|
-
return createStorage({
|
|
6
|
-
// Types are weirly exported
|
|
7
|
-
driver: fsLiteDriver({
|
|
8
|
-
base: fileURLToPath(base)
|
|
9
|
-
})
|
|
10
|
-
});
|
|
11
|
-
}
|
|
12
|
-
export {
|
|
13
|
-
createFsStorage
|
|
14
|
-
};
|
|
@@ -1,23 +0,0 @@
|
|
|
1
|
-
import { readFileSync } from "node:fs";
|
|
2
|
-
import { AstroError, AstroErrorData } from "../../../core/errors/index.js";
|
|
3
|
-
function createLocalUrlProxyContentResolver() {
|
|
4
|
-
return {
|
|
5
|
-
resolve(url) {
|
|
6
|
-
try {
|
|
7
|
-
return url + readFileSync(url, "utf-8");
|
|
8
|
-
} catch (cause) {
|
|
9
|
-
throw new AstroError(AstroErrorData.UnknownFilesystemError, { cause });
|
|
10
|
-
}
|
|
11
|
-
}
|
|
12
|
-
};
|
|
13
|
-
}
|
|
14
|
-
function createRemoteUrlProxyContentResolver() {
|
|
15
|
-
return {
|
|
16
|
-
// Passthrough, the remote provider URL is enough
|
|
17
|
-
resolve: (url) => url
|
|
18
|
-
};
|
|
19
|
-
}
|
|
20
|
-
export {
|
|
21
|
-
createLocalUrlProxyContentResolver,
|
|
22
|
-
createRemoteUrlProxyContentResolver
|
|
23
|
-
};
|