ep_hide_referrer 0.0.60 → 0.0.62

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
@@ -26,7 +26,7 @@ jobs:
26
26
  with:
27
27
  repository: ether/etherpad-lite
28
28
  path: etherpad-lite
29
- - uses: pnpm/action-setup@v3
29
+ - uses: pnpm/action-setup@v6
30
30
  name: Install pnpm
31
31
  with:
32
32
  version: 10
@@ -15,7 +15,8 @@ jobs:
15
15
  uses: actions/checkout@v6
16
16
  with:
17
17
  repository: ether/etherpad-lite
18
- - uses: pnpm/action-setup@v3
18
+ path: etherpad-lite
19
+ - uses: pnpm/action-setup@v6
19
20
  name: Install pnpm
20
21
  with:
21
22
  version: 10
@@ -32,63 +33,36 @@ jobs:
32
33
  restore-keys: |
33
34
  ${{ runner.os }}-pnpm-store-
34
35
  -
35
- name: Check out the plugin
36
+ name: Checkout plugin repository
36
37
  uses: actions/checkout@v6
37
38
  with:
38
- path: ./node_modules/__tmp
39
- -
40
- name: export GIT_HASH to env
41
- id: environment
42
- run: |
43
- cd ./node_modules/__tmp
44
- echo "::set-output name=sha_short::$(git rev-parse --short ${{ github.sha }})"
45
- -
46
- name: Determine plugin name
47
- id: plugin_name
48
- run: |
49
- cd ./node_modules/__tmp
50
- npx -c 'printf %s\\n "::set-output name=plugin_name::${npm_package_name}"'
51
- -
52
- name: Rename plugin directory
53
- env:
54
- PLUGIN_NAME: ${{ steps.plugin_name.outputs.plugin_name }}
55
- run: |
56
- mv ./node_modules/__tmp ./node_modules/"${PLUGIN_NAME}"
57
- -
58
- name: Install plugin dependencies
59
- env:
60
- PLUGIN_NAME: ${{ steps.plugin_name.outputs.plugin_name }}
61
- run: |
62
- cd ./node_modules/"${PLUGIN_NAME}"
63
- pnpm i
64
- # Etherpad core dependencies must be installed after installing the
65
- # plugin's dependencies, otherwise npm will try to hoist common
66
- # dependencies by removing them from src/node_modules and installing them
67
- # in the top-level node_modules. As of v6.14.10, npm's hoist logic appears
68
- # to be buggy, because it sometimes removes dependencies from
69
- # src/node_modules but fails to add them to the top-level node_modules.
70
- # Even if npm correctly hoists the dependencies, the hoisting seems to
71
- # confuse tools such as `npm outdated`, `npm update`, and some ESLint
72
- # rules.
39
+ path: plugin
73
40
  -
74
41
  name: Install Etherpad core dependencies
42
+ working-directory: ./etherpad-lite
75
43
  run: bin/installDeps.sh
44
+ - name: Install plugin
45
+ working-directory: ./etherpad-lite
46
+ run: |
47
+ pnpm run plugins i --path ../../plugin
76
48
  - name: Create settings.json
49
+ working-directory: ./etherpad-lite
77
50
  run: cp ./src/tests/settings.json settings.json
78
51
  - name: Run the frontend tests
52
+ working-directory: ./etherpad-lite
79
53
  shell: bash
80
54
  run: |
81
55
  pnpm run dev &
82
56
  connected=false
83
57
  can_connect() {
84
- curl -sSfo /dev/null http://localhost:9001/ || return 1
85
- connected=true
58
+ curl -sSfo /dev/null http://localhost:9001/ || return 1
59
+ connected=true
86
60
  }
87
61
  now() { date +%s; }
88
62
  start=$(now)
89
- while [ $(($(now) - $start)) -le 15 ] && ! can_connect; do
90
- sleep 1
63
+ while [ $(($(now) - $start)) -le 30 ] && ! can_connect; do
64
+ sleep 1
91
65
  done
92
66
  cd src
93
- pnpm exec playwright install chromium --with-deps
67
+ pnpm exec playwright install chromium --with-deps
94
68
  pnpm run test-ui --project=chromium
@@ -31,7 +31,7 @@ jobs:
31
31
  uses: actions/checkout@v6
32
32
  with:
33
33
  repository: ether/etherpad-lite
34
- - uses: pnpm/action-setup@v5
34
+ - uses: pnpm/action-setup@v6
35
35
  name: Install pnpm
36
36
  with:
37
37
  version: 10
@@ -59,12 +59,20 @@ jobs:
59
59
  [ "${NEW_COMMITS}" -gt 0 ] || exit 0
60
60
  git config user.name 'github-actions[bot]'
61
61
  git config user.email '41898282+github-actions[bot]@users.noreply.github.com'
62
- pnpm i
62
+ pnpm i --frozen-lockfile
63
63
  # `pnpm version patch` bumps package.json, makes a commit, and creates
64
64
  # a `v<new-version>` tag. Capture the new tag name from package.json
65
65
  # rather than parsing pnpm's output, which has historically varied.
66
- pnpm version patch
67
- NEW_TAG="v$(node -p "require('./package.json').version")"
66
+ # Bump the patch component directly with Node. pnpm/action-setup@v6
67
+ # sometimes installs pnpm 11 pre-releases even when version: 10.x is
68
+ # requested (pnpm/action-setup#225); those pre-releases either skip
69
+ # the git commit/tag or reject --no-git-tag-version as unknown.
70
+ # Doing the bump in Node sidesteps both failure modes.
71
+ NEW_VERSION=$(node -e "const fs=require('fs');const p=require('./package.json');const v=p.version.split('.');v[2]=String(Number(v[2])+1);p.version=v.join('.');fs.writeFileSync('./package.json',JSON.stringify(p,null,2)+'\n');console.log(p.version);")
72
+ NEW_TAG="v${NEW_VERSION}"
73
+ git add package.json
74
+ git commit -m "${NEW_TAG}"
75
+ git tag -a "${NEW_TAG}" -m "${NEW_TAG}"
68
76
  # CRITICAL: use --atomic so the branch update and the tag update
69
77
  # succeed (or fail) as a single transaction on the server. The old
70
78
  # `git push --follow-tags` was non-atomic per ref: if a concurrent
package/README.md CHANGED
@@ -1,3 +1,20 @@
1
1
  ![Publish Status](https://github.com/ether/ep_hide_referrer/workflows/Node.js%20Package/badge.svg) [![Backend Tests Status](https://github.com/ether/ep_hide_referrer/actions/workflows/test-and-release.yml/badge.svg)](https://github.com/ether/ep_hide_referrer/actions/workflows/test-and-release.yml)
2
2
 
3
3
  A patch to solve the [referrer leak issue](https://github.com/ether/etherpad-lite/issues/1603) (for applications where the pad id is should be confidential)
4
+
5
+ ## Installation
6
+
7
+ Install from the Etherpad admin UI (**Admin → Manage Plugins**,
8
+ search for `ep_hide_referrer` and click *Install*), or from the Etherpad
9
+ root directory:
10
+
11
+ ```sh
12
+ pnpm run plugins install ep_hide_referrer
13
+ ```
14
+
15
+ > ⚠️ Don't run `npm i` / `npm install` yourself from the Etherpad
16
+ > source tree — Etherpad tracks installed plugins through its own
17
+ > plugin-manager, and hand-editing `package.json` can leave the
18
+ > server unable to start.
19
+
20
+ After installing, restart Etherpad.
package/package.json CHANGED
@@ -1,7 +1,7 @@
1
1
  {
2
2
  "name": "ep_hide_referrer",
3
3
  "description": "Don't pass the referring URL to third parties. This handles the security/privacy issue where you don't want the third party service to know your pad URL. Improves Privacy.",
4
- "version": "0.0.60",
4
+ "version": "0.0.62",
5
5
  "author": "johnyma22 (John McLear) <john@mclear.co.uk>",
6
6
  "contributors": [],
7
7
  "repository": {
@@ -17,8 +17,8 @@
17
17
  },
18
18
  "devDependencies": {
19
19
  "eslint": "^8.57.1",
20
- "eslint-config-etherpad": "^4.0.4",
21
- "typescript": "^6.0.2"
20
+ "eslint-config-etherpad": "^4.0.5",
21
+ "typescript": "^6.0.3"
22
22
  },
23
23
  "scripts": {
24
24
  "lint": "eslint .",
@@ -4,20 +4,20 @@ exports.postAceInit = (hook, context) => {
4
4
  const $inner =
5
5
  $('iframe[name="ace_outer"]').contents().find('iframe').contents().find('#innerdocbody');
6
6
  $inner.on('click', 'a', (e) => {
7
- window.open(`../redirect#${escape(e.currentTarget.href)}`);
7
+ window.open(`../redirect#${encodeURIComponent(e.currentTarget.href)}`);
8
8
  e.preventDefault();
9
9
  return false;
10
10
  });
11
11
 
12
12
  $inner.on('contextmenu', 'a', function (e) {
13
- $(this).attr('href', `../redirect#${escape(e.currentTarget.href)}`);
13
+ $(this).attr('href', `../redirect#${encodeURIComponent(e.currentTarget.href)}`);
14
14
  });
15
15
 
16
16
  $('#chattext').on('click', 'a', function (e) {
17
17
  if ($(this).hasClass('no-referrer')) {
18
18
  window.open(e.currentTarget.href);
19
19
  } else {
20
- window.open(`../redirect#${escape(e.currentTarget.href)}`);
20
+ window.open(`../redirect#${encodeURIComponent(e.currentTarget.href)}`);
21
21
  }
22
22
  e.preventDefault();
23
23
  return false;
@@ -27,14 +27,14 @@ exports.postAceInit = (hook, context) => {
27
27
  if (!$(this).hasClass('no-referrer')) {
28
28
  $(this).attr('rel', 'noreferrer');
29
29
  $(this).addClass('no-referrer');
30
- $(this).attr('href', `../redirect#${escape(e.currentTarget.href)}`);
30
+ $(this).attr('href', `../redirect#${encodeURIComponent(e.currentTarget.href)}`);
31
31
  }
32
32
  });
33
33
  };
34
34
 
35
35
  exports.postTimesliderInit = (hook, context) => {
36
36
  $('#padcontent').on('click', 'a', (e) => {
37
- window.open(`../../redirect#${escape(e.currentTarget.href)}`);
37
+ window.open(`../../redirect#${encodeURIComponent(e.currentTarget.href)}`);
38
38
  e.preventDefault();
39
39
  return false;
40
40
  });
@@ -0,0 +1,51 @@
1
+ 'use strict';
2
+
3
+ const assert = require('assert').strict;
4
+ const fs = require('fs');
5
+ const path = require('path');
6
+ const common = require('ep_etherpad-lite/tests/backend/common');
7
+
8
+ let agent;
9
+
10
+ describe(__filename, function () {
11
+ before(async function () {
12
+ agent = await common.init();
13
+ });
14
+
15
+ describe('GET /redirect', function () {
16
+ it('serves the redirect template (regression for #80: no double-decode)', async function () {
17
+ const res = await agent.get('/redirect').expect(200).expect('Content-Type', /html/);
18
+ const html = res.text;
19
+ // The fix removes unescape() and decodes exactly once. If somebody
20
+ // re-introduces unescape() or a second decodeURIComponent(), we want
21
+ // the test to fail before users hit broken Google Maps Plus Code URLs
22
+ // again.
23
+ assert(!/\bunescape\s*\(/.test(html), 'redirect template must not use unescape()');
24
+ const decodeCount = (html.match(/decodeURIComponent\s*\(/g) || []).length;
25
+ assert.equal(decodeCount, 1,
26
+ `redirect template must call decodeURIComponent exactly once (found ${decodeCount})`);
27
+ });
28
+ });
29
+
30
+ describe('encode/decode round-trip', function () {
31
+ // The plugin's static/js/index.js wraps the target href with
32
+ // encodeURIComponent and the redirect template decodes once. This test
33
+ // pins down the property the fix relies on: round-tripping must be
34
+ // lossless for URLs containing percent-encoded characters that would
35
+ // otherwise be reinterpreted by a second decode pass.
36
+ const cases = [
37
+ // Issue #80 — Google Maps Plus Code (the original bug report).
38
+ 'https://www.google.com/maps/place/G98H%2BG38%20Berlin%2C%20Deutschland',
39
+ // Common URL forms with reserved chars.
40
+ 'https://example.com/path?q=a%20b&x=1%2B2',
41
+ 'https://example.com/path/with%2Fslash',
42
+ 'mailto:user@example.com?subject=Hello%20World',
43
+ ];
44
+ for (const url of cases) {
45
+ it(`preserves: ${url}`, function () {
46
+ const round = decodeURIComponent(encodeURIComponent(url));
47
+ assert.equal(round, url);
48
+ });
49
+ }
50
+ });
51
+ });
@@ -7,13 +7,22 @@
7
7
  <script type="text/javascript">
8
8
  window.redir_onload = function() {
9
9
  var urlhash = location.hash.substr(1);
10
- if (urlhash.search(':') < 0) {
11
- urlhash = unescape(urlhash);
12
- }
13
10
 
14
11
  var the_content = document.getElementById('content');
15
12
  if (urlhash) {
16
- urlhash = decodeURIComponent(urlhash);
13
+ // The link generator (static/js/index.js) wraps the target URL with
14
+ // encodeURIComponent, so a single decode restores it. Decoding twice
15
+ // (the previous behavior — see git history of issue #80) breaks any
16
+ // URL whose path or query contains percent-encoded characters that
17
+ // should stay encoded, e.g. Plus Codes like G98H%2BG38 in Google
18
+ // Maps URLs.
19
+ try {
20
+ urlhash = decodeURIComponent(urlhash);
21
+ } catch (e) {
22
+ // Malformed percent-sequence (e.g. manually-crafted URL). Fall
23
+ // through with the raw hash; the safe-scheme check below still
24
+ // protects against unknown schemes.
25
+ }
17
26
 
18
27
  // whitelist "safe" URL and URI schemes, and warn for others
19
28
  safe_regexp = /^(ftps?|https?):\/\/|(about|geo|mailto):/i;