npm - ghost - Versions diffs - 6.44.0 → 6.44.1 - Mend

ghost 6.44.0 → 6.44.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (267) hide show

package/core/server/services/members/members-api/services/token-service.js CHANGED Viewed

@@ -2,6 +2,11 @@ const jose = require('node-jose');
 const jwt = require('jsonwebtoken');
 const crypto = require('crypto');
+// A token's `scope` declares its purpose. Only identity tokens may act as a
+// member; entitlement tokens are read-only and handed to integrations.
+const IDENTITY_TOKEN_SCOPE = 'members:identity';
+const ENTITLEMENT_TOKEN_SCOPE = 'members:entitlements:read';
 module.exports = class TokenService {
     constructor({
         privateKey,
@@ -19,7 +24,8 @@ module.exports = class TokenService {
         const jwk = await this._keyStoreReady;
         return jwt.sign({
             sub,
-            kid: jwk.kid
+            kid: jwk.kid,
+            scope: IDENTITY_TOKEN_SCOPE
         }, this._privateKey, {
             keyid: jwk.kid,
             algorithm: 'RS512',
@@ -40,7 +46,7 @@ module.exports = class TokenService {
         return jwt.sign({
             sub,
             kid: jwk.kid,
-            scope: 'members:entitlements:read',
+            scope: ENTITLEMENT_TOKEN_SCOPE,
             member_uuid: memberUuid,
             paid,
             active_tier_ids: activeTierIds,
@@ -55,6 +61,15 @@ module.exports = class TokenService {
     }
     /**
+     * Decode and verify a member *identity* token.
+     *
+     * Identity and entitlement tokens are signed with the same key and share the
+     * same issuer/audience, so a signature check alone cannot tell them apart.
+     * They are distinguished by `scope`: only tokens scoped `members:identity`
+     * may act as the member. Read-only entitlement tokens
+     * (`members:entitlements:read`) are handed to integrations and must never be
+     * accepted on state-changing endpoints.
+     *
      * @param {string} token
      * @returns {Promise<jwt.JwtPayload>}
      */
@@ -70,6 +85,10 @@ module.exports = class TokenService {
             return {sub: result};
         }
+        if (result.scope !== IDENTITY_TOKEN_SCOPE) {
+            throw new jwt.JsonWebTokenError('Only identity tokens can act as a member');
+        }
         return result;
     }

package/core/server/services/notifications/notification-email.js ADDED Viewed

@@ -0,0 +1,38 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.NotificationEmailService = void 0;
+const sanitize_email_html_1 = require("./sanitize-email-html");
+/**
+ * Renders a notification email in the shared shell and sends it to each
+ * recipient. Recipient resolution is a separate concern handled by the caller.
+ */
+class NotificationEmailService {
+    mailer;
+    generateEmailContent;
+    getSiteUrl;
+    constructor(deps) {
+        this.mailer = deps.mailer;
+        this.generateEmailContent = deps.generateEmailContent;
+        this.getSiteUrl = deps.getSiteUrl;
+    }
+    async send({ to, subject, content }) {
+        if (!to.length) {
+            return;
+        }
+        const message = (0, sanitize_email_html_1.sanitizeEmailHtml)(content);
+        const siteUrl = this.getSiteUrl();
+        for (const recipient of to) {
+            const { html, text } = await this.generateEmailContent({
+                template: 'notification',
+                data: { message, siteUrl, recipientEmail: recipient }
+            });
+            await this.mailer.send({
+                to: recipient,
+                subject,
+                html,
+                ...(text ? { text } : {})
+            });
+        }
+    }
+}
+exports.NotificationEmailService = NotificationEmailService;

package/core/server/services/notifications/notification-email.ts ADDED Viewed

@@ -0,0 +1,66 @@
+import {sanitizeEmailHtml} from './sanitize-email-html';
+interface Mailer {
+    send(options: {to: string; subject: string; html: string; text?: string}): Promise<unknown>;
+}
+interface GenerateEmailContent {
+    (options: {template: string; data: Record<string, unknown>}): Promise<{html: string; text?: string}>;
+}
+export interface NotificationEmailDeps {
+    mailer: Mailer;
+    generateEmailContent: GenerateEmailContent;
+    getSiteUrl: () => string;
+}
+export interface NotificationEmailMessage {
+    /**
+     * Resolved recipient addresses. The service does not decide who receives
+     * the email; callers compose recipients via a separate audience helper.
+     */
+    to: string[];
+    subject: string;
+    /**
+     * Untrusted HTML content. Sanitised before being rendered into the shell,
+     * so the email cannot ship scripts, event handlers or unsafe links even
+     * if the upstream source is compromised.
+     */
+    content: string;
+}
+/**
+ * Renders a notification email in the shared shell and sends it to each
+ * recipient. Recipient resolution is a separate concern handled by the caller.
+ */
+export class NotificationEmailService {
+    private readonly mailer: Mailer;
+    private readonly generateEmailContent: GenerateEmailContent;
+    private readonly getSiteUrl: () => string;
+    constructor(deps: NotificationEmailDeps) {
+        this.mailer = deps.mailer;
+        this.generateEmailContent = deps.generateEmailContent;
+        this.getSiteUrl = deps.getSiteUrl;
+    }
+    async send({to, subject, content}: NotificationEmailMessage): Promise<void> {
+        if (!to.length) {
+            return;
+        }
+        const message = sanitizeEmailHtml(content);
+        const siteUrl = this.getSiteUrl();
+        for (const recipient of to) {
+            const {html, text} = await this.generateEmailContent({
+                template: 'notification',
+                data: {message, siteUrl, recipientEmail: recipient}
+            });
+            await this.mailer.send({
+                to: recipient,
+                subject,
+                html,
+                ...(text ? {text} : {})
+            });
+        }
+    }
+}

package/core/server/services/notifications/sanitize-email-html.js ADDED Viewed

@@ -0,0 +1,37 @@
+"use strict";
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.sanitizeEmailHtml = sanitizeEmailHtml;
+const sanitize_html_1 = __importDefault(require("sanitize-html"));
+// Even though the upstream feed is operated by Ghost org, the resulting HTML
+// is rendered into admin inboxes on the receiving install. A compromised or
+// malformed feed entry must not be able to ship scripts, event handlers, or
+// non-http(s) URLs to recipients via this path.
+const ALLOWED_TAGS = [
+    'p', 'br', 'hr',
+    'strong', 'b', 'em', 'i', 'u', 'code',
+    'a',
+    'ul', 'ol', 'li',
+    'blockquote',
+    'h1', 'h2', 'h3', 'h4'
+];
+const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
+const SANITIZE_OPTIONS = {
+    allowedTags: ALLOWED_TAGS,
+    allowedAttributes: {
+        a: ['href', 'title', 'target', 'rel']
+    },
+    allowedSchemes: ALLOWED_SCHEMES,
+    allowProtocolRelative: false,
+    transformTags: {
+        a: sanitize_html_1.default.simpleTransform('a', {
+            target: '_blank',
+            rel: 'noopener noreferrer'
+        })
+    }
+};
+function sanitizeEmailHtml(html) {
+    return (0, sanitize_html_1.default)(html, SANITIZE_OPTIONS);
+}

package/core/server/services/notifications/sanitize-email-html.ts ADDED Viewed

@@ -0,0 +1,35 @@
+import sanitizeHtml from 'sanitize-html';
+// Even though the upstream feed is operated by Ghost org, the resulting HTML
+// is rendered into admin inboxes on the receiving install. A compromised or
+// malformed feed entry must not be able to ship scripts, event handlers, or
+// non-http(s) URLs to recipients via this path.
+const ALLOWED_TAGS = [
+    'p', 'br', 'hr',
+    'strong', 'b', 'em', 'i', 'u', 'code',
+    'a',
+    'ul', 'ol', 'li',
+    'blockquote',
+    'h1', 'h2', 'h3', 'h4'
+];
+const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];
+const SANITIZE_OPTIONS: sanitizeHtml.IOptions = {
+    allowedTags: ALLOWED_TAGS,
+    allowedAttributes: {
+        a: ['href', 'title', 'target', 'rel']
+    },
+    allowedSchemes: ALLOWED_SCHEMES,
+    allowProtocolRelative: false,
+    transformTags: {
+        a: sanitizeHtml.simpleTransform('a', {
+            target: '_blank',
+            rel: 'noopener noreferrer'
+        })
+    }
+};
+export function sanitizeEmailHtml(html: string): string {
+    return sanitizeHtml(html, SANITIZE_OPTIONS);
+}

package/core/server/services/route-settings/route-settings.js CHANGED Viewed

@@ -95,20 +95,10 @@ class RouteSettings {
         await this.createBackupFile(this.settingsPath, this.backupPath);
         await this.saveFile(filePath, this.settingsPath);
-        const isLazy = urlService.facade.isLazy();
-        const resetUrlState = () => {
-            if (isLazy) {
-                // Drop registered router configs; reloadFrontend re-registers them.
-                urlService.facade.reset();
-            } else {
-                urlService.resetGenerators({releaseResourcesOnly: true});
-            }
-        };
-        resetUrlState();
+        urlService.resetGenerators({releaseResourcesOnly: true});
         const bringBackValidRoutes = async () => {
-            resetUrlState();
+            urlService.resetGenerators({releaseResourcesOnly: true});
             await this.restoreBackupFile(this.settingsPath, this.backupPath);
@@ -124,12 +114,6 @@ class RouteSettings {
                 });
         }
-        // The lazy URL service has nothing to precompute, so the readiness
-        // poll below is unnecessary; hasFinished() returns true immediately.
-        if (isLazy) {
-            return;
-        }
         // @TODO: how can we get rid of this from here?
         let tries = 0;

package/core/server/services/route-settings/validate.js CHANGED Viewed

@@ -429,7 +429,8 @@ module.exports = function validate(object) {
     }
     // TODO: extract this config outta here! the config should be passed into this module
-    RESOURCE_CONFIG = require('../../../frontend/services/routing/config');
+    const {QUERY, TAXONOMIES} = require('../../../frontend/services/routing/config');
+    RESOURCE_CONFIG = {QUERY, TAXONOMIES};
     object.routes = _private.validateRoutes(object.routes);
     object.collections = _private.validateCollections(object.collections);

package/core/server/services/update-check/index.js CHANGED Viewed

@@ -11,6 +11,7 @@ const databaseInfo = require('../../data/db/info');
 const request = require('@tryghost/request');
 const ghostVersion = require('@tryghost/version');
 const UpdateCheckService = require('./update-check-service');
+const {NotificationEmailService} = require('../notifications/notification-email');
 /**
  * Initializes and triggers update check
@@ -34,8 +35,14 @@ module.exports = async ({
         }
     }
-    const {GhostMailer} = require('../mail');
-    const ghostMailer = new GhostMailer();
+    const mailService = require('../mail');
+    const ghostMailer = new mailService.GhostMailer();
+    const notificationEmailService = new NotificationEmailService({
+        mailer: ghostMailer,
+        generateEmailContent: mailService.utils.generateContent,
+        getSiteUrl: () => urlUtils.urlFor('home', true)
+    });
     const updateChecker = new UpdateCheckService({
         api: {
@@ -66,7 +73,7 @@ module.exports = async ({
             rethrowErrors
         },
         request,
-        sendEmail: ghostMailer.send.bind(ghostMailer)
+        notificationEmailService
     });
     await updateChecker.check();

package/core/server/services/update-check/update-check-service.js CHANGED Viewed

@@ -50,14 +50,14 @@ class UpdateCheckService {
      * @param {boolean} [options.config.forceUpdate]
      * @param {string} options.config.ghostVersion - Ghost instance version
      * @param {Function} options.request - a HTTP request proxy function
-     * @param {Function} options.sendEmail - function handling sending an email
+     * @param {Object} options.notificationEmailService - service that sends a sanitised, shell-rendered notification email to a recipient list
     */
-    constructor({api, config, request, sendEmail}) {
+    constructor({api, config, request, notificationEmailService}) {
         this.api = api;
         this.config = config;
         this.logging = logging;
         this.request = request;
-        this.sendEmail = sendEmail;
+        this.notificationEmailService = notificationEmailService;
     }
     nextCheckTimestamp() {
@@ -315,15 +315,6 @@ class UpdateCheckService {
         }
         debug(`creating custom notifications for ${notification.messages.length} notifications`);
-        const {users} = await this.api.users.browse(Object.assign({
-            limit: 'all',
-            include: ['roles'],
-            filter: 'status:active'
-        }, internal));
-        const adminEmails = users
-            .filter(user => ['Owner', 'Administrator'].includes(user.roles[0].name))
-            .map(user => user.email);
         const siteUrl = this.config.siteUrl;
@@ -340,19 +331,21 @@ class UpdateCheckService {
             };
             if (toAdd.type === 'alert') {
-                for (const email of adminEmails) {
-                    try {
-                        this.sendEmail({
-                            to: email,
-                            subject: `Action required: Critical alert from Ghost instance ${siteUrl}`,
-                            html: toAdd.message,
-                            forceTextContent: true
-                        });
-                    } catch (err) {
-                        this.logging.error(err);
-                        if (this.config.rethrowErrors) {
-                            throw err;
-                        }
+                try {
+                    const {users} = await this.api.users.browse({
+                        filter: 'status:active+roles.name:[Owner,Administrator]',
+                        ...internal
+                    });
+                    const to = users.map(user => user.email);
+                    await this.notificationEmailService.send({
+                        to,
+                        subject: `Action required: Critical alert from Ghost instance ${siteUrl}`,
+                        content: toAdd.message
+                    });
+                } catch (err) {
+                    this.logging.error(err);
+                    if (this.config.rethrowErrors) {
+                        throw err;
                     }
                 }
             }

package/core/server/services/url/index.js CHANGED Viewed

@@ -2,7 +2,6 @@ const config = require('../../../shared/config');
 const LocalFileCache = require('./local-file-cache');
 const UrlService = require('./url-service');
 const UrlServiceFacade = require('./url-service-facade');
-const LazyUrlService = require('./lazy-url-service');
 // NOTE: instead of a path we could give UrlService a "data-resolver" of some sort
 //       so it doesn't have to contain the logic to read data at all. This would be
@@ -23,21 +22,7 @@ if (process.env.NODE_ENV.startsWith('test')){
 const cache = new LocalFileCache({storagePath, writeDisabled});
 const urlService = new UrlService({cache});
-// LazyUrlService is only attached to the facade when the lazyRouting flag is
-// on. The eager UrlService stays in the require graph either way so test code
-// and partially-migrated callers continue to work. The model layer is only
-// pulled in when the flag is on so flag-off boot keeps its existing
-// require-graph shape.
-let lazyUrlService = null;
-if (config.get('lazyRouting')) {
-    const models = require('../../models');
-    const {createFindResource} = require('./lazy-find-resource');
-    lazyUrlService = new LazyUrlService({findResource: createFindResource(models)});
-}
-const urlServiceFacade = new UrlServiceFacade({urlService, lazyUrlService});
+const urlServiceFacade = new UrlServiceFacade({urlService});
 // Singleton: default export remains the eager UrlService for backwards
 // compatibility with existing imports. The new facade is exposed alongside

package/core/shared/config/defaults.json CHANGED Viewed

@@ -1,6 +1,5 @@
 {
     "url": "http://localhost:2368",
-    "lazyRouting": false,
     "server": {
         "host": "127.0.0.1",
         "port": 2368,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "ghost",
-  "version": "6.44.0",
+  "version": "6.44.1",
   "description": "The professional publishing platform",
   "author": "Ghost Foundation",
   "homepage": "https://ghost.org",
@@ -268,6 +268,7 @@
     "@types/nodemailer": "6.4.23",
     "@types/on-headers": "1.0.4",
     "@types/papaparse": "5.5.2",
+    "@types/sanitize-html": "2.16.1",
     "@types/sinon": "17.0.4",
     "@types/supertest": "6.0.3",
     "@typescript-eslint/parser": "8.49.0",

package/pnpm-lock.yaml CHANGED Viewed

@@ -605,6 +605,9 @@ importers:
       '@types/papaparse':
         specifier: 5.5.2
         version: 5.5.2
+      '@types/sanitize-html':
+        specifier: 2.16.1
+        version: 2.16.1
       '@types/sinon':
         specifier: 17.0.4
         version: 17.0.4
@@ -3660,6 +3663,9 @@ packages:
   '@types/responselike@1.0.3':
     resolution: {integrity: sha512-H/+L+UkTV33uf49PH5pCAUBVPNj2nDBXTN+qS1dOwyyg24l3CcicicCA7ca+HMvJBZcFgl5r8e+RR6elsb4Lyw==}
+  '@types/sanitize-html@2.16.1':
+    resolution: {integrity: sha512-n9wjs8bCOTyN/ynwD8s/nTcTreIHB1vf31vhLMGqUPNHaweKC4/fAl4Dj+hUlCTKYgm4P3k83fmiFfzkZ6sgMA==}
   '@types/send@0.17.6':
     resolution: {integrity: sha512-Uqt8rPBE8SY0RK8JB1EzVOIZ32uqy8HwdxCnoCOsYrvnswqmFZ/k+9Ikidlk/ImhsdvBsloHbAlewb2IEBV/Og==}
@@ -7125,7 +7131,7 @@ packages:
     hasBin: true
   mock-knex@https://codeload.github.com/TryGhost/mock-knex/tar.gz/68948e11b0ea4fe63456098dfdc169bea7f62009:
-    resolution: {tarball: https://codeload.github.com/TryGhost/mock-knex/tar.gz/68948e11b0ea4fe63456098dfdc169bea7f62009}
+    resolution: {gitHosted: true, integrity: sha512-VVShGrOVsuUDz9ueLO/3hcMzwNGr/e/dvYoiXCJSs7hI8TWdSWsEXDURWp251+NZHEZG/CI+L78lBFv+piGfxg==, tarball: https://codeload.github.com/TryGhost/mock-knex/tar.gz/68948e11b0ea4fe63456098dfdc169bea7f62009}
     version: 0.4.13
     peerDependencies:
       knex: '> 0.8'
@@ -12820,6 +12826,10 @@ snapshots:
     dependencies:
       '@types/node': 22.19.19
+  '@types/sanitize-html@2.16.1':
+    dependencies:
+      htmlparser2: 10.1.0
   '@types/send@0.17.6':
     dependencies:
       '@types/mime': 1.3.5

package/pnpm-workspace.yaml CHANGED Viewed

@@ -41,6 +41,7 @@ catalog:
   '@types/node': 22.19.19
   '@types/react': 18.3.29
   '@types/react-dom': 18.3.7
+  '@types/sanitize-html': 2.16.1
   '@types/validator': 13.15.10
   '@typescript-eslint/eslint-plugin': 8.49.0
   '@typescript-eslint/parser': 8.49.0
@@ -49,6 +50,7 @@ catalog:
   bson-objectid: 2.0.4
   c8: 11.0.0
   chai: 4.5.0
+  chalk: 4.1.2
   clsx: 2.1.1
   concurrently: 10.0.0
   cross-fetch: 4.1.0