ghost 5.130.0 → 5.130.2

package/core/built/admin/assets/{vendor-c89102f24c3d9502e9db741509767580.js → vendor-aed0068cf9b67d042dd23a6343545b7b.js}

@@ -9553,4 +9553,4 @@ e.default=class{constructor(e){if(this._data=new t.default,e)for(let t=0;t<e.len
 return this}get(e){let t=this._data[e]
 return t===r.UNDEFINED_KEY?void 0:t}set(e,t){return this._data[e]=t,this}delete(e){return this._data[e]=r.UNDEFINED_KEY,!0}}})
 
-//# sourceMappingURL=vendor-1552b6fd843e2f460183ad9424be2a2d.map
+//# sourceMappingURL=vendor-326b46cbc2845d47f1e0af43ba21caec.map

package/core/built/admin/index.html

@@ -6,7 +6,7 @@
     <title>Ghost</title>
 
     
-<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%225.130%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%2237bd1e3e4d%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%2262b55e2aae%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%226d96d71fe8%22%2C%22postsFilename%22%3A%22posts.js%22%2C%22postsHash%22%3A%223ad9cd1892%22%2C%22statsFilename%22%3A%22stats.js%22%2C%22statsHash%22%3A%22701e8fc366%22%2C%22adminXActivitypubCustomUrl%22%3A%22https%3A%2F%2Fcdn.jsdelivr.net%2Fghost%2Fadmin-x-activitypub%400%2Fdist%2Fadmin-x-activitypub.js%22%7D" />
+<meta name="ghost-admin/config/environment" content="%7B%22modulePrefix%22%3A%22ghost-admin%22%2C%22environment%22%3A%22production%22%2C%22cdnUrl%22%3A%22%22%2C%22editorUrl%22%3A%22%22%2C%22rootURL%22%3A%22%22%2C%22locationType%22%3A%22trailing-hash%22%2C%22EmberENV%22%3A%7B%22FEATURES%22%3A%7B%7D%2C%22EXTEND_PROTOTYPES%22%3A%7B%22Date%22%3Afalse%2C%22Array%22%3Atrue%2C%22String%22%3Atrue%2C%22Function%22%3Afalse%7D%2C%22_APPLICATION_TEMPLATE_WRAPPER%22%3Afalse%2C%22_JQUERY_INTEGRATION%22%3Atrue%2C%22_TEMPLATE_ONLY_GLIMMER_COMPONENTS%22%3Atrue%7D%2C%22APP%22%3A%7B%22version%22%3A%225.130%22%2C%22name%22%3A%22ghost-admin%22%7D%2C%22ember-simple-auth%22%3A%7B%7D%2C%22%40sentry%2Fember%22%3A%7B%22disablePerformance%22%3Atrue%2C%22sentry%22%3A%7B%7D%7D%2C%22ember-cli-mirage%22%3A%7B%22usingProxy%22%3Afalse%2C%22useDefaultPassthroughs%22%3Atrue%7D%2C%22exportApplicationGlobal%22%3Afalse%2C%22ember-load%22%3A%7B%22loadingIndicatorClass%22%3A%22ember-load-indicator%22%7D%2C%22editorFilename%22%3A%22koenig-lexical.umd.js%22%2C%22editorHash%22%3A%2237bd1e3e4d%22%2C%22adminXSettingsFilename%22%3A%22admin-x-settings.js%22%2C%22adminXSettingsHash%22%3A%223291c981c1%22%2C%22adminXActivitypubFilename%22%3A%22admin-x-activitypub.js%22%2C%22adminXActivitypubHash%22%3A%22b38d27bb5e%22%2C%22postsFilename%22%3A%22posts.js%22%2C%22postsHash%22%3A%229a7e1b885b%22%2C%22statsFilename%22%3A%22stats.js%22%2C%22statsHash%22%3A%225445ed6ca9%22%2C%22adminXActivitypubCustomUrl%22%3A%22https%3A%2F%2Fcdn.jsdelivr.net%2Fghost%2Fadmin-x-activitypub%400%2Fdist%2Fadmin-x-activitypub.js%22%7D" />
 
     <meta name="viewport" content="user-scalable=no, width=device-width, initial-scale=1, maximum-scale=1, minimal-ui, viewport-fit=cover" />
     <meta name="pinterest" content="nopin" />
@@ -47,9 +47,9 @@
 
     <div id="ember-basic-dropdown-wormhole"></div>
 
-    <script src="assets/vendor-c89102f24c3d9502e9db741509767580.js"></script>
-<script src="assets/chunk.728.214803966b81ffdb1acd.js"></script>
-<script src="assets/chunk.524.2443bfd380e6da0cbabd.js"></script>
-    <script src="assets/ghost-5d9c65b5c4ef960a664cd664b2616dea.js"></script>
+    <script src="assets/vendor-aed0068cf9b67d042dd23a6343545b7b.js"></script>
+<script src="assets/chunk.728.985c45ad584b4b91ca60.js"></script>
+<script src="assets/chunk.524.1f2faf572078e5b86b09.js"></script>
+    <script src="assets/ghost-280b83af263b51bc4d6ce5bd8f536096.js"></script>
 </body>
 </html>

package/core/frontend/web/middleware/frontend-caching.js

@@ -51,6 +51,11 @@ const getMiddleware = async (getFreeTier = async () => {
             return shared.middleware.cacheControl('private')(req, res, next);
         }
 
+        // CASE: Never cache preview routes
+        if (req.path?.startsWith('/p/')) {
+            return shared.middleware.cacheControl('noCache')(req, res, next);
+        }
+
         // CASE: Cache member's content if this feature is enabled
         if (req.member && shouldCacheMembersContent) {
             // Set the 'cache-control' header to 'public'
@@ -74,4 +79,4 @@ const getMiddleware = async (getFreeTier = async () => {
 module.exports = {
     getMiddleware,
     calculateMemberTier // exported for testing
-};
+};

package/core/frontend/web/middleware/static-theme.js

@@ -59,12 +59,10 @@ function forwardToExpressStatic(req, res, next) {
         return next();
     }
 
-    const configMaxAge = config.get('caching:theme:maxAge');
-
-    // @NOTE: the maxAge config passed below are in milliseconds and the config
-    //        is specified in seconds. See https://github.com/expressjs/serve-static/issues/150 for more context
     express.static(themeEngine.getActive().path, {
-        maxAge: (configMaxAge || configMaxAge === 0) ? configMaxAge : (365 * 24 * 60 * 60 * 1000) // Default to 1 year in ms
+        // @NOTE: the maxAge config passed below are in milliseconds and the config
+        //        is specified in seconds. See https://github.com/expressjs/serve-static/issues/150 for more context
+        maxAge: config.get('caching:theme:maxAge') * 1000
     }
     )(req, res, next);
 }

package/core/server/data/tinybird/README.md

@@ -31,7 +31,7 @@ with the following information.
 
 ### Config
 Sample config:
-```json
+```jsonc
 {
    "someOtherConfigurationForEmail": {
         "transport": "SMTP",
@@ -40,25 +40,20 @@ Sample config:
         }
     },
     "tinybird": {
+        "workspaceId": "workspace-id-from-tinybird",
+        "adminToken": "admin-token-from-tinybird",
         "tracker": {
-            "endpoint": "https://e.ghost.org/tb/web_analytics",
-            "token": "xxxxx",
-            "datasource": "analytics_events",
-            "local": {
-                "enabled": true,
-                "token": "xxxxx",
-                "endpoint": "http://localhost:7181/v0/events",
-                "datasource": "analytics_events"
-            }
+            // -- needs to be present, and required Traffic Analytics service running with correct setup
+            "endpoint": "http://localhost:3000/tb/web_analytics"
         },
         "stats": {
+            //  -- optional override for site uuid
+            // "id": "106a623d-9792-4b63-acde-4a0c28ead3dc",
             "endpoint": "https://api.tinybird.co",
-            "token": "xxxxx",
+            // -- tinybird local configuration (optional)
             "local": {
                 "enabled": true,
-                "token": "xxxxx",
-                "endpoint": "http://localhost:7181",
-                "datasource": "analytics_events"
+                "token": "local-stats-or-admin-token",
             }
         }
     }

package/core/server/services/members/members-api/controllers/RouterController.js

@@ -4,6 +4,7 @@ const sanitizeHtml = require('sanitize-html');
 const {BadRequestError, NoPermissionError, UnauthorizedError, DisabledFeatureError, NotFoundError} = require('@tryghost/errors');
 const errors = require('@tryghost/errors');
 const {isEmail} = require('@tryghost/validator');
+const normalizeEmail = require('../utils/normalize-email');
 
 const messages = {
     emailRequired: 'Email is required.',
@@ -585,6 +586,23 @@ module.exports = class RouterController {
             });
         }
 
+        // Normalize email to prevent homograph attacks
+        let normalizedEmail;
+
+        try {
+            normalizedEmail = normalizeEmail(email);
+
+            if (normalizedEmail !== email) {
+                logging.info(`Email normalized from ${email} to ${normalizedEmail} for magic link`);
+            }
+        } catch (err) {
+            logging.error(`Failed to normalize [${email}]: ${err.message}`);
+
+            throw new errors.BadRequestError({
+                message: tpl(messages.invalidEmail)
+            });
+        }
+
         if (honeypot) {
             logging.warn('Honeypot field filled, this is likely a bot');
 
@@ -606,9 +624,9 @@ module.exports = class RouterController {
 
         try {
             if (emailType === 'signup' || emailType === 'subscribe') {
-                await this._handleSignup(req, referrer);
+                await this._handleSignup(req, normalizedEmail, referrer);
             } else {
-                await this._handleSignin(req, referrer);
+                await this._handleSignin(req, normalizedEmail, referrer);
             }
 
             res.writeHead(201);
@@ -626,7 +644,7 @@ module.exports = class RouterController {
         }
     }
 
-    async _handleSignup(req, referrer = null) {
+    async _handleSignup(req, normalizedEmail, referrer = null) {
         if (!this._allowSelfSignup()) {
             if (this._settingsCache.get('members_signup_access') === 'paid') {
                 throw new errors.BadRequestError({
@@ -640,14 +658,14 @@ module.exports = class RouterController {
         }
 
         const blockedEmailDomains = this._settingsCache.get('all_blocked_email_domains');
-        const emailDomain = req.body.email.split('@')[1]?.toLowerCase();
+        const emailDomain = normalizedEmail.split('@')[1]?.toLowerCase();
         if (emailDomain && blockedEmailDomains.includes(emailDomain)) {
             throw new errors.BadRequestError({
                 message: tpl(messages.blockedEmailDomain)
             });
         }
 
-        const {email, emailType} = req.body;
+        const {emailType} = req.body;
 
         const tokenData = {
             labels: req.body.labels,
@@ -657,13 +675,13 @@ module.exports = class RouterController {
             attribution: await this._memberAttributionService.getAttribution(req.body.urlHistory)
         };
 
-        return await this._sendEmailWithMagicLink({email, tokenData, requestedType: emailType, referrer});
+        return await this._sendEmailWithMagicLink({email: normalizedEmail, tokenData, requestedType: emailType, referrer});
     }
 
-    async _handleSignin(req, referrer = null) {
-        const {email, emailType} = req.body;
+    async _handleSignin(req, normalizedEmail, referrer = null) {
+        const {emailType} = req.body;
 
-        const member = await this._memberRepository.get({email});
+        const member = await this._memberRepository.get({email: normalizedEmail});
 
         if (!member) {
             throw new errors.BadRequestError({
@@ -672,7 +690,7 @@ module.exports = class RouterController {
         }
 
         const tokenData = {};
-        return await this._sendEmailWithMagicLink({email, tokenData, requestedType: emailType, referrer});
+        return await this._sendEmailWithMagicLink({email: normalizedEmail, tokenData, requestedType: emailType, referrer});
     }
 
     /**

package/core/server/services/members/members-api/utils/normalize-email.js

@@ -0,0 +1,31 @@
+const punycode = require('punycode/');
+
+/**
+ * Normalizes email addresses by converting Unicode domains to ASCII (punycode)
+ * This prevents homograph attacks where Unicode characters are used to spoof
+ * domains
+ *
+ * @param {string} email The email address to normalize
+ * @returns {string} The normalized email address
+ * @throws {Error} When punycode conversion fails
+ */
+function normalizeEmail(email) {
+    if (!email || typeof email !== 'string') {
+        return null;
+    }
+
+    const atIndex = email.lastIndexOf('@');
+
+    if (atIndex === -1) {
+        return email;
+    }
+
+    const localPart = email.substring(0, atIndex);
+    const domainPart = email.substring(atIndex + 1);
+
+    const asciiDomain = punycode.toASCII(domainPart);
+
+    return `${localPart}@${asciiDomain}`;
+}
+
+module.exports = normalizeEmail;

package/core/server/services/public-config/config.js

@@ -29,7 +29,6 @@ module.exports = function getConfigProperties() {
         configProperties.exploreTestimonialsUrl = config.get('explore:testimonials_url');
     }
 
-    // WIP tinybird stats feature - it's entirely config driven instead of using an alpha flag for now
     if (config.get('tinybird') && config.get('tinybird:stats')) {
         const statsConfig = config.get('tinybird:stats');
         const siteUuid = statsConfig.id || settingsCache.get('site_uuid');

package/core/server/web/admin/app.js

@@ -19,16 +19,15 @@ module.exports = function setupAdminApp() {
     const adminApp = express('admin');
 
     // Admin assets
-    // @TODO ensure this gets a local 404 error handler
-    const configMaxAge = config.get('caching:admin:maxAge');
     // @NOTE: when we start working on HTTP/3 optimizations the immutable headers
     //        produced below should be split into separate 'Cache-Control' entry.
     //        For reference see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Caching#validation_2
-    // @NOTE: the maxAge config passed below are in milliseconds and the config
-    //        is specified in seconds. See https://github.com/expressjs/serve-static/issues/150 for more context
+
     adminApp.use('/assets', serveStatic(
         path.join(config.get('paths').adminAssets, 'assets'), {
-            maxAge: (configMaxAge || configMaxAge === 0) ? configMaxAge : (365 * 24 * 60 * 60 * 1000), // Default to 1 year in ms
+            // @NOTE: the maxAge config passed below are in milliseconds and the config
+            //        is specified in seconds. See https://github.com/expressjs/serve-static/issues/150 for more context
+            maxAge: config.get('caching:admin:maxAge') * 1000,
             immutable: true,
             fallthrough: false
         }
@@ -94,4 +93,4 @@ module.exports = function setupAdminApp() {
     debug('Admin setup end');
 
     return adminApp;
-};
+};

package/core/server/web/shared/middleware/cache-control.js

@@ -9,7 +9,7 @@
 const isString = require('lodash/isString');
 
 /**
- * @param {'public'|'private'} profile Use "private" if you do not want caching
+ * @param {'public'|'private'|'noCache'} profile Use "private" if you do not want caching
  * @param {object} [options]
  * @param {number} [options.maxAge] The max-age in seconds to use when profile is "public"
  * @param {number} [options.staleWhileRevalidate] The stale-while-revalidate in seconds to use when profile is "public"
@@ -24,6 +24,7 @@ const cacheControl = (profile, options = {maxAge: 0}) => {
 
     const profiles = {
         public: publicOptions.filter(option => option).join(', '),
+        noCache: 'no-cache, max-age=0, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0',
         private: 'no-cache, private, no-store, must-revalidate, max-stale=0, post-check=0, pre-check=0'
     };
 

package/core/shared/config/defaults.json

@@ -168,6 +168,12 @@
         },
         "commentsCountAPI": {
             "maxAge": 0
+        },
+        "admin": {
+            "maxAge": 31536000
+        },
+        "theme": {
+            "maxAge": 31536000
         }
     },
     "optimization": {

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "5.130.0",
+  "version": "5.130.2",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",
@@ -86,7 +86,7 @@
     "@tryghost/helpers": "1.1.97",
     "@tryghost/html-to-plaintext": "1.0.4",
     "@tryghost/http-cache-utils": "0.1.20",
-    "@tryghost/i18n": "file:components/tryghost-i18n-5.130.0.tgz",
+    "@tryghost/i18n": "file:components/tryghost-i18n-5.130.2.tgz",
     "@tryghost/image-transform": "1.4.6",
     "@tryghost/job-manager": "1.0.3",
     "@tryghost/kg-card-factory": "5.1.2",
@@ -136,9 +136,9 @@
     "clsx": "2.1.1",
     "cluster-key-slot": "1.1.2",
     "common-tags": "1.8.2",
-    "compression": "1.8.0",
+    "compression": "1.8.1",
     "connect-slashes": "1.4.0",
-    "cookie-session": "2.1.0",
+    "cookie-session": "2.1.1",
     "cookies": "0.9.1",
     "cors": "2.8.5",
     "countries-and-timezones": "3.8.0",
@@ -155,9 +155,9 @@
     "express-lazy-router": "1.0.6",
     "express-query-boolean": "2.0.0",
     "express-queue": "0.0.13",
-    "express-session": "1.18.1",
+    "express-session": "1.18.2",
     "file-type": "16.5.4",
-    "form-data": "4.0.3",
+    "form-data": "4.0.4",
     "fs-extra": "11.3.0",
     "ghost-storage-base": "1.0.0",
     "glob": "8.1.0",
@@ -196,7 +196,7 @@
     "mime-types": "2.1.35",
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
-    "multer": "2.0.1",
+    "multer": "2.0.2",
     "mysql2": "3.14.2",
     "nconf": "0.13.0",
     "node-fetch": "2.7.0",
@@ -245,7 +245,7 @@
     "detect-newline": "3.1.0",
     "expect": "29.7.0",
     "find-root": "1.1.0",
-    "form-data": "4.0.3",
+    "form-data": "4.0.4",
     "html-minifier": "4.0.0",
     "html-validate": "8.29.0",
     "inquirer": "8.2.6",
@@ -274,7 +274,7 @@
     "jackspeak": "2.3.6",
     "moment": "2.24.0",
     "moment-timezone": "0.5.45",
-    "@tryghost/i18n": "file:components/tryghost-i18n-5.130.0.tgz"
+    "@tryghost/i18n": "file:components/tryghost-i18n-5.130.2.tgz"
   },
   "nx": {
     "targets": {