boomack 0.13.1 → 0.13.3

package/client/public/css/main.css

@@ -199,11 +199,13 @@ header.home-header {
 .slot, .slot.ui.segment {
 	margin: 0;
 	padding: 0;
-	display: flex;
-	flex-direction: column;
 	overflow: hidden;
 	position: relative;
 }
+.layout-grid .slot {
+	display: flex;
+	flex-direction: column;
+}
 .slot.ui.segment.without-border {
 	border: none;
 	background: transparent;

package/client/views/parts/slot.ejs

@@ -49,11 +49,11 @@ function replaceThemePropsInStr(s) {
 		%><%= slot.zoom !== 1.0 && !contentScale ? ' zoom' : '' %><%
 	%>"
 	style="<%
-		if (!singled && panel.layout.grid) {
+		if (!singled && panel.layout.type === 'grid') {
 			%>grid-column: <%= slot.column + 1 %> / span <%= slot.columnSpan %>;<%
 			%>grid-row: <%= slot.row + 1 %> / span <%= slot.rowSpan %><%
 		}
-		if (panel.layout.document && commandSrc) {
+		if (panel.layout.type === 'document' && commandSrc) {
 			%>height: calc(100vh - 2em);<%
 		}
 		%>"
@@ -185,6 +185,9 @@ function replaceThemePropsInStr(s) {
 		if (slot.minHeight) {
 			%>min-height: <%= slot.minHeight %>;<%
 		}
+		if (slot.height) {
+			%>height: <%= slot.height %>;<%
+		}
 	%>">
 		<% if (slot.showId) { %><div class="slot-id"><%= slot.id %></div><% } %>
 	</div>
@@ -192,6 +195,9 @@ function replaceThemePropsInStr(s) {
 		if (slot.minHeight) {
 			%>min-height: <%= slot.minHeight %>;<%
 		}
+		if (slot.height) {
+			%>height: <%= slot.height %>;<%
+		}
 		if (commandBackground) {
 			%>background: <%= replaceThemePropsInStr(commandBackground) %>;<%
 		}
@@ -200,6 +206,12 @@ function replaceThemePropsInStr(s) {
 			if (!commandContent) {
 				%>display:none;<%
 			}
+			if (slot.height) {
+				%>height: <%= slot.height %>;<%
+			}
+			if (slot.maxHeight) {
+				%>max-height:<%= slot.maxHeight %>;overflow-y:scroll;<%
+			}
 			if (slot.colorFilter) {
 				if (_.isString(slot.colorFilter) && slot.colorFilter !== 'theme') {
 					%>filter: <%= slot.colorFilter %>;<%

package/default-config.yaml

@@ -177,6 +177,11 @@ api:
     yaml: true
     # The size limit for API requests in JSON or YAML
     maxBodySize: 16 MB
+    # A list with allowed root paths for file URLs in display requests.
+    # Allows displaying files directly from the filesystem of the server.
+    # Empty by default for security reasons.
+    # Examples: /home/me/media, or C:\\Users\\Me\\Pictures
+    fileSrcRoots: []
 
 cache:
   # Control how cached resources are handled

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "boomack",
-  "version": "0.13.1",
+  "version": "0.13.3",
   "description": "web app for displaying hyper-media items in concert with e.g. an IDE",
   "author": "Tobias Kiertscher <dev@mastersign.de>",
   "license": "MIT",

package/server-build/index.js

@@ -140,6 +140,11 @@ function showConfiguration(cb) {
     _.forEach(cfg.get('init.actions'), (a, aId) => {
         txt += `\n    ${aId} (${a.type})`;
     });
+    const fileSrcRoots = cfg.get('api.request.fileSrcRoots');
+    txt += `\nFile Source Roots: ${_.size(fileSrcRoots)}`;
+    _.forEach(fileSrcRoots, r => {
+        txt += `\n    ${utils.normalizePath(r)}`;
+    });
     log.verbose('Configuration: \n' + txt);
     cb(null);
 }
@@ -189,6 +194,7 @@ function loadPlugIns(cb) {
     const explicitPkgNames = new Set(cfg.get('plugins.packages', []));
     let success = true;
     for (const name of explicitPkgNames) {
+        log.verbose(`Loading explicit plugin '${name}'...`);
         success && (success = loadPlugIn(pluginRoot, name));
     }
     if (discover) {
@@ -201,6 +207,7 @@ function loadPlugIns(cb) {
             log.error(`Discovering plugins failed with: ${err}`);
         }
         for (const name of discoveredPkgNames) {
+            log.verbose(`Loading discovered plugin '${name}'...`);
             success && (success = loadPlugIn(pluginRoot, name));
         }
     }

package/server-build/model/display-request.js

@@ -2,9 +2,12 @@
 /**
  * @module
  */
+const { fileURLToPath } = require('url');
+const path = require('path');
 const _ = require('lodash');
 const mimeType = require('../service/mime-type');
 const utils = require('../utils');
+const cfg = require('../service/config');
 const presets = require('../service/presets');
 const typeMappings = require('../service/media-types');
 const displayRequestDefaults = {
@@ -53,13 +56,26 @@ function sanitizeOptions(options) {
     options.requires = utils.enforceArrayOf(options.requires, utils.enforceString);
     return options;
 }
+function isValidFileSource(filename) {
+    if (!path.isAbsolute(filename))
+        return false;
+    filename = utils.normalizePath(filename);
+    return _.some(cfg.get('api.request.fileSrcRoots'), root => filename.startsWith(utils.normalizePath(root, true)));
+}
 function isValidSourceUrl(src) {
     if (!_.isString(src))
         return false;
-    if (!src.match(/^(https?|file):\/\//))
+    const isHttpUrl = src.startsWith('http://') || src.startsWith('https://');
+    const isFileUrl = src.startsWith('file://');
+    if (!isHttpUrl && !isFileUrl)
+        return false;
+    if (isFileUrl && _.isEmpty(cfg.get('api.request.fileSrcRoots')))
         return false;
     try {
-        new URL(src);
+        const uri = new URL(src);
+        if (isFileUrl && !isValidFileSource(fileURLToPath(uri))) {
+            return false;
+        }
     }
     catch (err) {
         return false;

package/server-build/model/display-request.test.js

@@ -4,6 +4,10 @@
 const expect = require('chai').expect;
 const mimeType = require('../service/mime-type');
 const displayRequest = require('./display-request');
+const cfg = require('../service/config');
+beforeEach(function () {
+    cfg.reset();
+});
 describe('model/display-request', function () {
     describe('sanitize', function () {
         it('should return an error, if no content is given', function (done) {
@@ -65,9 +69,41 @@ describe('model/display-request', function () {
                 done();
             });
         });
-        it('should return a sanitized request, if only src is given', function (done) {
+        it('should return a sanitized request, if only http src is given', function (done) {
+            displayRequest.sanitize({
+                src: 'http://localhost/demo.html',
+            }, (err, x) => {
+                expect(err).to.be.null;
+                expect(x).to.be.an('object');
+                expect(x).to.deep.equal({
+                    panel: 'default',
+                    slot: null,
+                    title: null,
+                    type: null,
+                    text: null,
+                    data: null,
+                    stream: null,
+                    src: 'http://localhost/demo.html',
+                    options: {
+                        debug: false,
+                        transformation: null,
+                        syntax: null,
+                        renderer: null,
+                        iframe: null,
+                        cache: 'auto',
+                        extend: 'no',
+                        scale: 'auto',
+                        requires: [],
+                    },
+                });
+                done();
+            });
+        });
+        it('should return a sanitized request, if only file src is given', function (done) {
+            const prefix = process.platform === 'win32' ? 'C:\\Users\\Me' : '/home/me';
+            cfg.set('api.request.fileSrcRoots', [prefix]);
             displayRequest.sanitize({
-                src: 'file:///user/me/demo.html',
+                src: `file://${prefix}/demo.html`,
             }, (err, x) => {
                 expect(err).to.be.null;
                 expect(x).to.be.an('object');
@@ -79,7 +115,7 @@ describe('model/display-request', function () {
                     text: null,
                     data: null,
                     stream: null,
-                    src: 'file:///user/me/demo.html',
+                    src: `file://${prefix}/demo.html`,
                     options: {
                         debug: false,
                         transformation: null,
@@ -95,6 +131,28 @@ describe('model/display-request', function () {
                 done();
             });
         });
+        it('should return an error, if disallowed file src is given', function (done) {
+            const prefix1 = process.platform === 'win32' ? 'C:\\Users\\Me' : '/home/me';
+            const prefix2 = process.platform === 'win32' ? 'C:\\Windows' : '/etc';
+            cfg.set('api.request.fileSrcRoots', [prefix1]);
+            displayRequest.sanitize({
+                src: `file://${prefix2}/secret.txt`,
+            }, (err, x) => {
+                expect(err).to.exist;
+                expect(x).to.be.undefined;
+                done();
+            });
+        });
+        it('should return an error, if relative file src is given', function (done) {
+            cfg.set('api.request.fileSrcRoots', ['/relative']);
+            displayRequest.sanitize({
+                src: 'file://relative/demo.html',
+            }, (err, x) => {
+                expect(err).to.exist;
+                expect(x).to.be.undefined;
+                done();
+            });
+        });
         it('should sanitize request', function (done) {
             displayRequest.sanitize({
                 unknown: 'unknown',

package/server-build/model/layout.js

@@ -29,6 +29,8 @@ const gridSlotDefaults = _.defaults({
 }, slotDefaults);
 const documentSlotDefaults = _.defaults({
     minHeight: '0',
+    height: null,
+    maxHeight: null,
 }, slotDefaults);
 const slotTemplateDefaults = {
     history: 0,
@@ -43,6 +45,8 @@ const slotTemplateDefaults = {
     border: true,
     zoom: 1.0,
     minHeight: '0',
+    height: null,
+    maxHeight: null,
 };
 const gridLayoutDefaults = {
     columns: 1,

package/server-build/model/layout.test.js

@@ -105,6 +105,8 @@ describe('model/layout', function () {
                             border: true,
                             zoom: 1.0,
                             minHeight: '0',
+                            height: null,
+                            maxHeight: null,
                         },
                         autoSlots: 0,
                         nextIndex: 1,
@@ -228,6 +230,8 @@ describe('model/layout', function () {
                         noMaximize: true,
                         zoom: 1.25,
                         minHeight: '20px',
+                        height: '200px',
+                        maxHeight: '50vh',
                     },
                     autoSlots: 0,
                     nextIndex: 1,
@@ -250,6 +254,8 @@ describe('model/layout', function () {
                         zoom: 1.5,
                         colorFilter: 'saturate(130%)',
                         minHeight: '25vh',
+                        height: '20rem',
+                        maxHeight: '100vh',
                     },
                     stash: {
                         id: 'stash',
@@ -270,7 +276,9 @@ describe('model/layout', function () {
                             0.0, -1.0, 0.0, 1.0,
                             0.0, 0.0, 1.0, 0.0,
                         ],
-                        minHeight: '10em',
+                        minHeight: '2rem',
+                        height: '5em',
+                        maxHeight: '100px',
                     },
                 },
                 title: 'Panel Title',

package/server-build/pipeline.js

@@ -66,7 +66,7 @@ function applyDisplayRequestDefaults(displayRequest, cb) {
     if (!r.slot) {
         r.slot = defaultSlotForPanel(r.panel);
     }
-    if (!r.slot) {
+    if (panel.layout.type !== 'document' && !r.slot) {
         cb(error("Slot not found"));
         return;
     }

package/server-build/routes/display-requests.js

@@ -170,19 +170,17 @@ exports.setup = function (app, io) {
                 return null;
             }
         }
-        let data;
         try {
             if (cfg.getBoolean('api.request.yaml')) {
-                data = YAML.parse(s, { schema: 'yaml-1.1' });
+                return YAML.parse(s, { schema: 'yaml-1.1' });
             }
             else {
-                data = JSON.parse(s);
+                return JSON.parse(s);
             }
         }
         catch (e) {
             return null;
         }
-        return _.isArray(data) ? data : [data];
     }
     function titleFromHttpHeader(req) {
         const titleHeader = req.get('X-Boomack-Title');
@@ -191,16 +189,12 @@ exports.setup = function (app, io) {
             null;
     }
     function optionsFromHttpHeader(req) {
-        let result = [];
-        const presetHeader = req.get('X-Boomack-Presets');
-        const presets = decodePresets(presetHeader);
-        if (presets)
-            result = presets;
         const optionsHeader = req.get('X-Boomack-Options');
-        const options = decodeOptions(optionsHeader);
-        if (options)
-            result = result.concat(options);
-        return result;
+        return decodeOptions(optionsHeader);
+    }
+    function presetsFromHttpHeader(req) {
+        const presetHeader = req.get('X-Boomack-Presets');
+        return decodePresets(presetHeader);
     }
     function handleStreamingDisplayRequest(req, res, panelId, slotId) {
         const type = req.get('Content-Type');
@@ -213,6 +207,7 @@ exports.setup = function (app, io) {
             return;
         }
         const title = titleFromHttpHeader(req);
+        const presets = presetsFromHttpHeader(req);
         const options = optionsFromHttpHeader(req);
         const displayRequest = {
             panel: panelId,
@@ -222,6 +217,8 @@ exports.setup = function (app, io) {
         };
         if (title)
             displayRequest.title = title;
+        if (presets)
+            displayRequest.presets = presets;
         if (options)
             displayRequest.options = options;
         handleDisplayRequest([displayRequest], req.authorization, res);
@@ -236,8 +233,7 @@ exports.setup = function (app, io) {
                 message: `The target panel "${panelId}" does not exist.`,
             });
         }
-        const slotId = panel.layout.defaultSlot;
-        handleStreamingDisplayRequest(req, res, panelId, slotId);
+        handleStreamingDisplayRequest(req, res, panelId, null);
     });
     app.post('/v1/panels/:panelId/slots/:slotId/display', apiAuth('content.display'), (req, res) => {
         const panelId = req.params.panelId;
@@ -252,7 +248,7 @@ exports.setup = function (app, io) {
         }
         const slotId = req.params.slotId;
         const slot = panel.layout.slots[slotId];
-        if (!slot) {
+        if (panel.layout.type != 'document' && !slot) {
             error(res, {
                 status: 404,
                 title: 'Target Not Found',

package/server-build/service/panels.js

@@ -203,7 +203,7 @@ exports.pushDisplayCommand = function (displayCommand, cb) {
         return;
     }
     const slotId = displayCommand.slot;
-    if (!panel.content.has(slotId)) {
+    if (panel.layout.type !== 'document' && !panel.content.has(slotId)) {
         cb(new BadRequestError(`Panel '${panelId}' has no slot '${slotId}'`));
         return;
     }

package/server-build/typedefs.js

@@ -98,6 +98,8 @@
  *
  * @typedef {Slot} DocumentSlot
  * @property {string} minHeight - The CSS length for the minimal height of the slot.
+ * @property {string} height - The CSS length for the height of the slot.
+ * @property {string} maxHeight - The CSS length for the maximal height of the slot.
  */
 /**
  * The structure to describe a general panel layout.

package/server-build/utils.js

@@ -2,6 +2,7 @@
 /**
  * @module
  */
+const path = require('path');
 const zlib = require('zlib');
 const _ = require('lodash');
 exports.escapeRegEx = s => {
@@ -245,6 +246,23 @@ exports.isHttpUrl = function (urlStr) {
     }
     return srcUrl.protocol == 'http:' || srcUrl.protocol == 'https:';
 };
+/**
+ * Normalize a filesystem path.
+ *
+ * @param {string} filename An absolute path of a file or directory
+ * @param {boolean|null} forceTrailingSlash Assures a trailing slash on the end of the path
+ * @returns {string} The normalized path
+ */
+exports.normalizePath = function (filename, forceTrailingSlash) {
+    filename = path.normalize(filename);
+    if (process.platform === 'win32') {
+        filename = filename.toLowerCase();
+    }
+    if (forceTrailingSlash && !filename.endsWith(path.sep)) {
+        filename = filename + path.sep;
+    }
+    return filename;
+};
 const dataAmountPattern = /^([+-]?(?:0|[1-9][\d,]*))\s*(?:([KMG])[B]?)?$/i;
 /**
  * Parse data amount values from string to number.