emdash 0.6.0 → 0.7.0

package/src/auth/trusted-proxy.ts

@@ -0,0 +1,92 @@
+/**
+ * Resolve the list of client-IP headers the operator trusts.
+ *
+ * Resolution order:
+ *   1. `config.trustedProxyHeaders` — explicit opt-in via astro.config.mjs.
+ *      An empty array is respected (means "trust nothing, ignore env").
+ *   2. `EMDASH_TRUSTED_PROXY_HEADERS` env var — comma-separated header names.
+ *   3. `[]` — default, no trusted headers.
+ *
+ * Operators must only set this when they control the reverse proxy.
+ * Untrusted clients can set any header they like; trusting headers from
+ * an open network defeats rate limiting.
+ *
+ * Header names are returned lowercased because HTTP header lookups are
+ * case-insensitive.
+ */
+
+import type { EmDashConfig } from "../astro/integration/runtime.js";
+
+/**
+ * RFC 7230 token — valid characters for an HTTP header name. Invalid names
+ * passed to `Headers.get()` throw a TypeError at runtime, which would
+ * otherwise surface as a 500 from every auth route.
+ */
+const HEADER_NAME_PATTERN = /^[!#$%&'*+\-.^_`|~0-9a-z]+$/;
+
+/**
+ * Normalise a list of header names the way both the config path and any
+ * caller passing a pre-resolved list should do: trim, lowercase, drop
+ * empty, drop anything that isn't a valid RFC 7230 token. Invalid names
+ * would crash `Headers.get()` at runtime.
+ */
+export function normalizeTrustedHeaders(names: readonly string[]): string[] {
+	return names
+		.map((h) => h.trim().toLowerCase())
+		.filter((h) => h.length > 0 && HEADER_NAME_PATTERN.test(h));
+}
+
+function isValidHeaderName(name: string): boolean {
+	return HEADER_NAME_PATTERN.test(name);
+}
+
+/** Cache for the env-derived value. `null` means "not yet parsed". */
+let _envCache: string[] | null = null;
+
+/** Test-only: clear the env cache so a fresh value is read on next call. */
+export function _resetTrustedProxyHeadersCache(): void {
+	_envCache = null;
+}
+
+function getEnvTrustedHeaders(): string[] {
+	if (_envCache !== null) return _envCache;
+	let raw: string | undefined;
+	try {
+		// Prefer process.env so SSR/container deployments can override this
+		// value at runtime (Vite/Astro inline import.meta.env at build time,
+		// which locks the value into the bundle). Fall back to import.meta.env
+		// for bundler-managed environments where process.env isn't populated.
+		// eslint-disable-next-line typescript-eslint(no-unsafe-type-assertion) -- import.meta.env shape varies by bundler
+		const importMetaEnv = (import.meta as unknown as { env?: Record<string, string | undefined> })
+			.env;
+		raw =
+			(typeof process !== "undefined" ? process.env?.EMDASH_TRUSTED_PROXY_HEADERS : undefined) ||
+			importMetaEnv?.EMDASH_TRUSTED_PROXY_HEADERS;
+	} catch {
+		raw = undefined;
+	}
+	if (!raw) {
+		_envCache = [];
+		return _envCache;
+	}
+	_envCache = raw
+		.split(",")
+		.map((s) => s.trim().toLowerCase())
+		.filter((s) => s.length > 0 && isValidHeaderName(s));
+	return _envCache;
+}
+
+/**
+ * Return the lowercased list of headers to trust for client-IP resolution.
+ *
+ * When `config?.trustedProxyHeaders` is explicitly set (even to `[]`), it
+ * wins. Otherwise fall through to the env var, then to `[]`.
+ */
+export function getTrustedProxyHeaders(config: EmDashConfig | null | undefined): string[] {
+	if (config && config.trustedProxyHeaders !== undefined) {
+		return config.trustedProxyHeaders
+			.map((h) => h.trim().toLowerCase())
+			.filter((h) => h.length > 0 && isValidHeaderName(h));
+	}
+	return getEnvTrustedHeaders();
+}

package/src/database/migrations/035_bounded_404_log.ts

@@ -0,0 +1,112 @@
+import type { Kysely } from "kysely";
+import { sql } from "kysely";
+
+/**
+ * Migration: Bounded 404 logging
+ *
+ * Hardens `_emdash_404_log` against unauthenticated DoS. Previously every 404
+ * inserted a new row, so an attacker could grow the table without bound.
+ *
+ * Changes:
+ *   - Adds `hits` (default 1, NOT NULL)
+ *   - Adds `last_seen_at` (nullable; SQLite can't add NOT NULL with a
+ *     non-constant default to a populated table, so the column is nullable
+ *     at the schema level and backfilled from `created_at` for existing rows;
+ *     new inserts via `log404` always set it)
+ *   - Deduplicates existing rows by path, keeping the most recent row per
+ *     path and summing hits
+ *   - Adds a UNIQUE index on `path` so upsert semantics work
+ */
+
+export async function up(db: Kysely<unknown>): Promise<void> {
+	// 1. Add columns.
+	await db.schema
+		.alterTable("_emdash_404_log")
+		.addColumn("hits", "integer", (col) => col.notNull().defaultTo(1))
+		.execute();
+
+	// SQLite won't accept a non-constant default when adding a NOT NULL column
+	// to a table with existing rows, so backfill in two steps: add nullable,
+	// populate, then rely on the application layer / future inserts to set it.
+	await db.schema.alterTable("_emdash_404_log").addColumn("last_seen_at", "text").execute();
+
+	// Backfill last_seen_at from created_at for existing rows.
+	await sql`
+		UPDATE _emdash_404_log
+		SET last_seen_at = created_at
+		WHERE last_seen_at IS NULL
+	`.execute(db);
+
+	// 2. Deduplicate existing rows by path.
+	//    For each path, roll up hits and pick the freshest last_seen_at onto
+	//    a single keeper row, then delete the non-keepers. Uses window
+	//    functions (ROW_NUMBER) so the dedup SQL is valid on both SQLite
+	//    (3.25+, 2018) and Postgres. The previous GROUP BY approach was
+	//    accepted by SQLite but invalid on Postgres because `id` wasn't in
+	//    the GROUP BY or wrapped in an aggregate.
+	await sql`
+		WITH ranked AS (
+			SELECT
+				id,
+				path,
+				ROW_NUMBER() OVER (
+					PARTITION BY path
+					ORDER BY created_at DESC, id DESC
+				) AS rn,
+				COUNT(*) OVER (PARTITION BY path) AS path_count,
+				MAX(created_at) OVER (PARTITION BY path) AS latest_created_at
+			FROM _emdash_404_log
+		)
+		UPDATE _emdash_404_log
+		SET
+			hits = (SELECT path_count FROM ranked WHERE ranked.id = _emdash_404_log.id),
+			last_seen_at = (SELECT latest_created_at FROM ranked WHERE ranked.id = _emdash_404_log.id)
+		WHERE id IN (SELECT id FROM ranked WHERE rn = 1)
+	`.execute(db);
+
+	// Delete the non-keepers (every row except the freshest per path).
+	await sql`
+		DELETE FROM _emdash_404_log
+		WHERE id IN (
+			SELECT id FROM (
+				SELECT
+					id,
+					ROW_NUMBER() OVER (
+						PARTITION BY path
+						ORDER BY created_at DESC, id DESC
+					) AS rn
+				FROM _emdash_404_log
+			) AS ranked
+			WHERE rn > 1
+		)
+	`.execute(db);
+
+	// 3. Add unique index on path for upsert semantics.
+	await db.schema
+		.createIndex("idx_404_log_path_unique")
+		.on("_emdash_404_log")
+		.column("path")
+		.unique()
+		.execute();
+
+	// Drop the old non-unique index; the unique one covers the same lookups.
+	await db.schema.dropIndex("idx_404_log_path").execute();
+
+	// 4. Index on last_seen_at for eviction ordering.
+	await db.schema
+		.createIndex("idx_404_log_last_seen")
+		.on("_emdash_404_log")
+		.column("last_seen_at")
+		.execute();
+}
+
+export async function down(db: Kysely<unknown>): Promise<void> {
+	await db.schema.dropIndex("idx_404_log_last_seen").execute();
+	await db.schema.dropIndex("idx_404_log_path_unique").execute();
+
+	// Restore the original non-unique path index.
+	await db.schema.createIndex("idx_404_log_path").on("_emdash_404_log").column("path").execute();
+
+	await db.schema.alterTable("_emdash_404_log").dropColumn("last_seen_at").execute();
+	await db.schema.alterTable("_emdash_404_log").dropColumn("hits").execute();
+}

package/src/database/migrations/runner.ts

@@ -35,6 +35,7 @@ import * as m031 from "./031_bylines.js";
 import * as m032 from "./032_rate_limits.js";
 import * as m033 from "./033_optimize_content_indexes.js";
 import * as m034 from "./034_published_at_index.js";
+import * as m035 from "./035_bounded_404_log.js";
 
 const MIGRATIONS: Readonly<Record<string, Migration>> = Object.freeze({
 	"001_initial": m001,
@@ -70,6 +71,7 @@ const MIGRATIONS: Readonly<Record<string, Migration>> = Object.freeze({
 	"032_rate_limits": m032,
 	"033_optimize_content_indexes": m033,
 	"034_published_at_index": m034,
+	"035_bounded_404_log": m035,
 });
 
 /** Total number of registered migrations. Exported for use in tests. */

package/src/database/repositories/content.ts

@@ -1031,6 +1031,45 @@ export class ContentRepository {
 		return updated;
 	}
 
+	/**
+	 * Set the draft revision pointer for a content item.
+	 *
+	 * Used by seed/import paths that stage a new revision's data before
+	 * promoting it to live via `publish()`.
+	 *
+	 * Validates that the content item exists and is not soft-deleted, that
+	 * the revision exists, and that the revision belongs to the same
+	 * collection and entry. Without these checks, a caller could leave the
+	 * content row pointing at a missing or unrelated revision.
+	 */
+	async setDraftRevision(type: string, id: string, revisionId: string): Promise<void> {
+		const tableName = getTableName(type);
+		const now = new Date().toISOString();
+
+		const existing = await this.findById(type, id);
+		if (!existing) {
+			throw new EmDashValidationError("Content item not found");
+		}
+
+		const revisionRepo = new RevisionRepository(this.db);
+		const revision = await revisionRepo.findById(revisionId);
+		if (!revision) {
+			throw new EmDashValidationError("Revision not found");
+		}
+
+		if (revision.collection !== type || revision.entryId !== id) {
+			throw new EmDashValidationError("Revision does not belong to the specified content item");
+		}
+
+		await sql`
+			UPDATE ${sql.ref(tableName)}
+			SET draft_revision_id = ${revisionId},
+				updated_at = ${now}
+			WHERE id = ${id}
+			AND deleted_at IS NULL
+		`.execute(this.db);
+	}
+
 	/**
 	 * Discard pending draft changes
 	 *

package/src/database/repositories/options.ts

@@ -55,6 +55,31 @@ export class OptionsRepository {
 			.execute();
 	}
 
+	/**
+	 * Set an option value only if no row with that name exists. Atomic at the
+	 * database level via INSERT ... ON CONFLICT DO NOTHING, so concurrent
+	 * callers can't race past the check.
+	 *
+	 * Returns true when the row was inserted, false when a row already
+	 * existed (regardless of its value — even an empty string or null).
+	 */
+	async setIfAbsent<T = unknown>(name: string, value: T): Promise<boolean> {
+		const row: OptionTable = {
+			name,
+			value: JSON.stringify(value),
+		};
+
+		const result = await this.db
+			.insertInto("options")
+			.values(row)
+			.onConflict((oc) => oc.column("name").doNothing())
+			.executeTakeFirst();
+
+		// SQLite reports numInsertedOrUpdatedRows; Postgres reports the same.
+		// When the ON CONFLICT branch fires and does nothing, the count is 0.
+		return (result.numInsertedOrUpdatedRows ?? 0n) > 0n;
+	}
+
 	/**
 	 * Delete an option
 	 */

package/src/database/repositories/redirect.ts

@@ -11,6 +11,32 @@ import { currentTimestampValue } from "../dialect-helpers.js";
 import type { Database, RedirectTable } from "../types.js";
 import { encodeCursor, decodeCursor, type FindManyResult } from "./types.js";
 
+// ---------------------------------------------------------------------------
+// Bounded 404 logging
+// ---------------------------------------------------------------------------
+
+/**
+ * Hard cap on rows stored in `_emdash_404_log`. When exceeded, the oldest
+ * rows (by `last_seen_at`) are evicted on insert. Prevents an unauthenticated
+ * attacker from growing the table without bound by requesting unique URLs.
+ */
+export const MAX_404_LOG_ROWS = 10_000;
+
+/** Max stored length for the `Referer` header — truncated on insert. */
+export const REFERRER_MAX_LENGTH = 512;
+
+/** Max stored length for the `User-Agent` header — truncated on insert. */
+export const USER_AGENT_MAX_LENGTH = 256;
+
+/**
+ * Truncate a header-derived string to `max` chars, preserving `null`/`undefined`
+ * as `null`. Empty strings stay empty (the caller decides whether to coerce).
+ */
+function truncateOrNull(value: string | null | undefined, max: number): string | null {
+	if (value === null || value === undefined) return null;
+	return value.length > max ? value.slice(0, max) : value;
+}
+
 // ---------------------------------------------------------------------------
 // Types
 // ---------------------------------------------------------------------------
@@ -369,22 +395,97 @@ export class RedirectRepository {
 
 	// --- 404 log ------------------------------------------------------------
 
+	/**
+	 * Record a 404 hit for `entry.path`.
+	 *
+	 * Dedups by path: repeat hits increment `hits` and refresh `last_seen_at`
+	 * on the existing row instead of inserting a new one. Referrer and
+	 * user-agent are truncated to bounded lengths so a malicious client can't
+	 * blow up storage with huge headers. When the table would exceed
+	 * MAX_404_LOG_ROWS, the oldest entries (by `last_seen_at`) are evicted.
+	 *
+	 * This is called from the public redirect middleware on every 404 and
+	 * must never throw for an unauthenticated caller — failures bubble up to
+	 * the middleware, which swallows them.
+	 */
 	async log404(entry: {
 		path: string;
 		referrer?: string | null;
 		userAgent?: string | null;
 		ip?: string | null;
 	}): Promise<void> {
+		const now = new Date().toISOString();
+		const referrer = truncateOrNull(entry.referrer, REFERRER_MAX_LENGTH);
+		const userAgent = truncateOrNull(entry.userAgent, USER_AGENT_MAX_LENGTH);
+		const ip = entry.ip ?? null;
+
+		// Atomic upsert by path. The UNIQUE index on `path` makes this safe
+		// under concurrency: two requests for the same new path can't both
+		// insert — the second one hits the conflict branch and increments
+		// hits instead of failing with a uniqueness error.
 		await this.db
 			.insertInto("_emdash_404_log")
 			.values({
 				id: ulid(),
 				path: entry.path,
-				referrer: entry.referrer ?? null,
-				user_agent: entry.userAgent ?? null,
-				ip: entry.ip ?? null,
-				created_at: new Date().toISOString(),
+				referrer,
+				user_agent: userAgent,
+				ip,
+				hits: 1,
+				last_seen_at: now,
+				created_at: now,
 			})
+			.onConflict((oc) =>
+				oc.column("path").doUpdateSet({
+					hits: sql`hits + 1`,
+					last_seen_at: now,
+					referrer,
+					user_agent: userAgent,
+					ip,
+				}),
+			)
+			.execute();
+
+		// Enforce the row cap. Cheap when the table is under cap (single
+		// COUNT(*) query); evicts oldest rows if we're over. Updates (dedup
+		// hits) don't grow the table so this is a no-op for repeat paths.
+		await this.enforce404Cap();
+	}
+
+	/**
+	 * Delete the oldest rows from `_emdash_404_log` if the row count exceeds
+	 * MAX_404_LOG_ROWS. "Oldest" is by `last_seen_at`, so a path that keeps
+	 * getting hit stays in the table even if it was first seen long ago.
+	 *
+	 * Private — callers use `log404`, which invokes this after every upsert.
+	 */
+	private async enforce404Cap(): Promise<void> {
+		const countRow = await this.db
+			.selectFrom("_emdash_404_log")
+			.select((eb) => eb.fn.countAll<number>().as("c"))
+			.executeTakeFirst();
+		const count = Number(countRow?.c ?? 0);
+		if (count <= MAX_404_LOG_ROWS) return;
+
+		const excess = count - MAX_404_LOG_ROWS;
+
+		// Evict the oldest rows in a single SQL statement. Using a subquery
+		// (rather than materialising the victim IDs in JS and passing them
+		// back as bind parameters) keeps the statement bounded regardless of
+		// how far over cap the table is — important for existing installs
+		// that crossed the threshold before this cap was introduced.
+		await this.db
+			.deleteFrom("_emdash_404_log")
+			.where(
+				"id",
+				"in",
+				this.db
+					.selectFrom("_emdash_404_log")
+					.select("id")
+					.orderBy("last_seen_at", "asc")
+					.orderBy("id", "asc")
+					.limit(excess),
+			)
 			.execute();
 	}
 
@@ -438,6 +539,10 @@ export class RedirectRepository {
 	}
 
 	async get404Summary(limit = 50): Promise<NotFoundSummary[]> {
+		// Since rows are now deduped by path, each path has exactly one row
+		// with `hits` as the running count and `last_seen_at` as the latest
+		// timestamp. The subquery for `top_referrer` collapses to a simple
+		// pick of the row's stored referrer (the most recent one seen).
 		const rows = await sql<{
 			path: string;
 			count: number;
@@ -446,14 +551,12 @@ export class RedirectRepository {
 		}>`
 			SELECT
 				path,
-				COUNT(*) as count,
-				MAX(created_at) as last_seen,
+				SUM(hits) as count,
+				MAX(last_seen_at) as last_seen,
 				(
 					SELECT referrer FROM _emdash_404_log AS inner_log
 					WHERE inner_log.path = _emdash_404_log.path
 						AND referrer IS NOT NULL AND referrer != ''
-					GROUP BY referrer
-					ORDER BY COUNT(*) DESC
 					LIMIT 1
 				) as top_referrer
 			FROM _emdash_404_log

package/src/database/types.ts

@@ -466,6 +466,15 @@ export interface NotFoundLogTable {
 	referrer: string | null;
 	user_agent: string | null;
 	ip: string | null;
+	hits: number;
+	/**
+	 * Migration 035 adds this as a nullable column (SQLite can't add a
+	 * NOT NULL column with a non-constant default to an existing table).
+	 * The `log404` upsert always writes a value, so new and updated rows
+	 * always have one, but existing rows pre-migration were backfilled
+	 * without a NOT NULL constraint. Typed as nullable to match the schema.
+	 */
+	last_seen_at: string | null;
 	created_at: string;
 }
 

package/src/emdash-runtime.ts

@@ -19,6 +19,7 @@ import type {
 } from "./astro/integration/runtime.js";
 import type { EmDashManifest, ManifestCollection } from "./astro/types.js";
 import { getAuthMode } from "./auth/mode.js";
+import { getTrustedProxyHeaders } from "./auth/trusted-proxy.js";
 import { isSqlite } from "./database/dialect-helpers.js";
 import { kyselyLogOption } from "./database/instrumentation.js";
 import { runMigrations } from "./database/migrations/runner.js";
@@ -2080,6 +2081,7 @@ export class EmDashRuntime {
 			const routeRegistry = new PluginRouteRegistry({
 				db: this.db,
 				emailPipeline: this.email ?? undefined,
+				trustedProxyHeaders: getTrustedProxyHeaders(this.config),
 			});
 			routeRegistry.register(trustedPlugin);
 
@@ -2321,7 +2323,7 @@ export class EmDashRuntime {
 
 		try {
 			const headers = sanitizeHeadersForSandbox(request.headers);
-			const meta = extractRequestMeta(request);
+			const meta = extractRequestMeta(request, this.config);
 			const result = await plugin.invokeRoute(routeName, body, {
 				url: request.url,
 				method: request.method,

package/src/import/registry.ts

@@ -4,7 +4,7 @@
  * Manages available import sources and provides URL probing.
  */
 
-import { validateExternalUrl } from "./ssrf.js";
+import { resolveAndValidateExternalUrl } from "./ssrf.js";
 import type { ImportSource, ProbeResult, SourceProbeResult } from "./types.js";
 
 // Regex pattern for URL normalization
@@ -63,8 +63,9 @@ export async function probeUrl(url: string): Promise<ProbeResult> {
 	// Remove trailing slash for consistency
 	normalizedUrl = normalizedUrl.replace(TRAILING_SLASHES_PATTERN, "");
 
-	// SSRF: reject internal/private network targets
-	validateExternalUrl(normalizedUrl);
+	// SSRF: reject internal/private network targets. DNS resolution
+	// catches hostnames that resolve to private addresses.
+	await resolveAndValidateExternalUrl(normalizedUrl);
 
 	const results: SourceProbeResult[] = [];
 	const urlSources = getUrlSources();