npm - javascript-solid-server - Versions diffs - 0.0.165 → 0.0.167 - Mend

javascript-solid-server 0.0.165 → 0.0.167

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/.claude/settings.local.json +2 -1
package/package.json +1 -1
package/src/ldp/container.js +29 -1
package/src/utils/url.js +7 -4
package/test/container.test.js +93 -0
package/test/url.test.js +56 -2

package/.claude/settings.local.json CHANGED Viewed

@@ -378,7 +378,8 @@
       "Bash(terser losos/html.js -m -c)",
       "Bash(terser losos/store.js -m -c)",
       "Bash(terser losos/registry.js -m -c)",
-      "Bash(terser losos/losos.js -m -c)"
+      "Bash(terser losos/losos.js -m -c)",
+      "Bash(DATA_ROOT=/tmp/whatever node --test test/url.test.js)"
     ]
   }
 }

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.165",
+  "version": "0.0.167",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/ldp/container.js CHANGED Viewed

@@ -4,6 +4,34 @@
 const LDP = 'http://www.w3.org/ns/ldp#';
+// Dotfiles allowed to appear in ldp:contains. Anything else starting with '.'
+// is server-internal state and must not leak into container listings — even
+// when direct GETs are 403'd by the routing-layer dotfile guard in server.js
+// (which rejects non-allowlisted dotpaths before WAC even runs), listing the
+// *name* still leaks existence and gives attackers free path-fingerprinting
+// (#350).
+//
+// `.well-known` is allowed because JSS exposes legitimate public resources
+// there (e.g. the webledger registry at /.well-known/webledgers/...). At the
+// origin root — including each pod's own origin in subdomain mode — server.js
+// bypasses auth for `/.well-known/*` per RFC 8615. For path-based pods at
+// `/pod/.well-known/`, the bypass does *not* apply (it matches root-relative
+// paths only) — that case is a regular subdirectory governed by ordinary WAC,
+// and listing the name is fine. We allow `.well-known` uniformly here so the
+// subdomain-pod and root-pod cases work without conditional logic on the
+// container path.
+//
+// Internal state that JSS currently persists under `.well-known/` (token
+// store, pay state) shouldn't be in a public namespace at all; tracked at
+// #358.
+//
+// `.acl` and `.meta` are canonical Solid per-resource sidecars.
+const ALLOWED_DOTFILES = new Set(['.acl', '.meta', '.well-known']);
+function isHiddenEntry(name) {
+  return name.startsWith('.') && !ALLOWED_DOTFILES.has(name);
+}
 /**
  * Generate JSON-LD representation of a container
  * @param {string} containerUrl - Full URL of the container
@@ -14,7 +42,7 @@ export function generateContainerJsonLd(containerUrl, entries) {
   // Ensure container URL ends with /
   const baseUrl = containerUrl.endsWith('/') ? containerUrl : containerUrl + '/';
-  const contains = entries.map(entry => {
+  const contains = entries.filter(entry => !isHiddenEntry(entry.name)).map(entry => {
     const childUrl = baseUrl + entry.name + (entry.isDirectory ? '/' : '');
     const item = {
       '@id': childUrl,

package/src/utils/url.js CHANGED Viewed

@@ -22,8 +22,11 @@ export function updateDataRoot() {
  * @throws {Error} - If path traversal is detected
  */
 export function urlToPath(urlPath) {
-  // Normalize: remove leading slash, decode URI
-  let normalized = urlPath.startsWith('/') ? urlPath.slice(1) : urlPath;
+  // Normalize: strip all leading slashes (#131 — `//foo` from bot probes
+  // would otherwise leave `/foo`, and path.resolve(root, '/foo') would
+  // treat the second arg as absolute, escape dataRoot, and trip the
+  // traversal guard with a 500 instead of resolving cleanly to a 404).
+  let normalized = urlPath.replace(/^\/+/, '');
   normalized = decodeURIComponent(normalized);
   // Security: remove path traversal attempts (multiple passes for ....// bypass)
@@ -54,8 +57,8 @@ export function urlToPath(urlPath) {
  * @throws {Error} - If path traversal is detected
  */
 export function urlToPathWithPod(urlPath, podName) {
-  // Normalize: remove leading slash, decode URI
-  let normalized = urlPath.startsWith('/') ? urlPath.slice(1) : urlPath;
+  // Normalize: strip all leading slashes (#131 — see urlToPath for context).
+  let normalized = urlPath.replace(/^\/+/, '');
   normalized = decodeURIComponent(normalized);
   // Security: remove path traversal attempts (multiple passes for ....// bypass)

package/test/container.test.js ADDED Viewed

@@ -0,0 +1,93 @@
+/**
+ * Container listing generator — dotfile-allowlist regression (#350)
+ *
+ * Server-internal sidecars (.idp/, .quota.json, .server/, future .git/, etc.)
+ * must NOT appear in ldp:contains, even though direct GETs are 403'd by the
+ * routing-layer dotfile guard in server.js (which rejects non-allowlisted
+ * dotpaths before WAC runs). Listing the names still leaks existence and
+ * gives attackers free path-fingerprinting against root-pod (--single-user)
+ * deployments.
+ */
+import { describe, it } from 'node:test';
+import assert from 'node:assert';
+import { generateContainerJsonLd } from '../src/ldp/container.js';
+describe('generateContainerJsonLd dotfile filtering (#350)', () => {
+  it('emits regular entries unchanged', () => {
+    const out = generateContainerJsonLd('https://example.com/pod/', [
+      { name: 'public', isDirectory: true },
+      { name: 'index.html', isDirectory: false },
+    ]);
+    const ids = out.contains.map(c => c['@id']);
+    assert.deepStrictEqual(ids, [
+      'https://example.com/pod/public/',
+      'https://example.com/pod/index.html',
+    ]);
+  });
+  it('keeps allowed Solid resources (.acl, .meta, .well-known)', () => {
+    // .well-known stays — JSS serves legitimate public resources there
+    // (e.g. webledger). At origin-root (including each pod's origin in
+    // subdomain mode) the routing layer bypasses auth per RFC 8615; for
+    // path-based pods at /pod/.well-known/ the bypass doesn't apply but
+    // listing the name is still fine (regular subdirectory under WAC).
+    const out = generateContainerJsonLd('https://example.com/pod/', [
+      { name: '.acl', isDirectory: false },
+      { name: '.meta', isDirectory: false },
+      { name: '.well-known', isDirectory: true },
+    ]);
+    const ids = out.contains.map(c => c['@id']);
+    assert.ok(ids.includes('https://example.com/pod/.acl'));
+    assert.ok(ids.includes('https://example.com/pod/.meta'));
+    assert.ok(ids.includes('https://example.com/pod/.well-known/'));
+  });
+  it('hides server-internal sidecars (.idp/, .quota.json, .server/)', () => {
+    const out = generateContainerJsonLd('https://example.com/', [
+      { name: '.idp', isDirectory: true },
+      { name: '.quota.json', isDirectory: false },
+      { name: '.server', isDirectory: true },
+    ]);
+    assert.deepStrictEqual(out.contains, []);
+  });
+  it('hides server control endpoints — listing allowlist is intentionally narrower than server.js routing allowlist', () => {
+    // .pods, .notifications, .account are routed to handlers in server.js
+    // (the broader 6-entry routing allowlist) but they're NOT public
+    // linked-data resources that belong in ldp:contains. Pinning this
+    // explicitly so that adding any of these to ALLOWED_DOTFILES would
+    // fail the suite — see PR #357 review comment.
+    const out = generateContainerJsonLd('https://example.com/', [
+      { name: '.pods', isDirectory: true },
+      { name: '.notifications', isDirectory: true },
+      { name: '.account', isDirectory: false },
+    ]);
+    assert.deepStrictEqual(out.contains, []);
+  });
+  it('hides any unknown dotfile (default-deny on .git, .env, .DS_Store, etc.)', () => {
+    const out = generateContainerJsonLd('https://example.com/pod/', [
+      { name: '.git', isDirectory: true },
+      { name: '.env', isDirectory: false },
+      { name: '.DS_Store', isDirectory: false },
+    ]);
+    assert.deepStrictEqual(out.contains, []);
+  });
+  it('keeps regular entries when mixed with hidden ones', () => {
+    const out = generateContainerJsonLd('https://example.com/', [
+      { name: '.acl', isDirectory: false },
+      { name: '.idp', isDirectory: true },
+      { name: '.quota.json', isDirectory: false },
+      { name: 'public', isDirectory: true },
+      { name: 'profile', isDirectory: true },
+    ]);
+    const ids = out.contains.map(c => c['@id']);
+    assert.deepStrictEqual(ids, [
+      'https://example.com/.acl',
+      'https://example.com/public/',
+      'https://example.com/profile/',
+    ]);
+  });
+});

package/test/url.test.js CHANGED Viewed

@@ -5,9 +5,10 @@
  * Regression guard for #278 (single-user root-pod PUT → ENOTDIR).
  */
-import { describe, it } from 'node:test';
+import { describe, it, before, after } from 'node:test';
 import assert from 'node:assert';
-import { getPodName, getContentType } from '../src/utils/url.js';
+import path from 'path';
+import { getPodName, getContentType, urlToPath, urlToPathWithPod } from '../src/utils/url.js';
 describe('getPodName', () => {
   describe('subdomain mode', () => {
@@ -126,3 +127,56 @@ describe('getContentType', () => {
     });
   });
 });
+describe('urlToPath / urlToPathWithPod (#131 — leading-slash normalization)', () => {
+  // Bot probes hammer JSS with `//foo`, `///wp-admin/...`, etc. Without
+  // multi-slash stripping these used to escape dataRoot via path.resolve
+  // (which treats `/foo` as absolute) and 500 with "Path traversal detected"
+  // instead of the expected 404.
+  // Save/restore DATA_ROOT — other test suites mutate process.env.DATA_ROOT
+  // (via createServer's root option) and don't always restore it. Pinning
+  // to './data' keeps the assertions stable across run order.
+  let originalDataRoot;
+  before(() => {
+    originalDataRoot = process.env.DATA_ROOT;
+    delete process.env.DATA_ROOT;  // forces getDataRoot() default of './data'
+  });
+  after(() => {
+    if (originalDataRoot === undefined) delete process.env.DATA_ROOT;
+    else process.env.DATA_ROOT = originalDataRoot;
+  });
+  const dataRoot = path.resolve('./data');
+  describe('urlToPath', () => {
+    it('resolves a normal path inside dataRoot', () => {
+      assert.strictEqual(urlToPath('/alice/profile/card'), path.join(dataRoot, 'alice/profile/card'));
+    });
+    it('handles double leading slash without throwing (#131)', () => {
+      assert.strictEqual(urlToPath('//about.php'), path.join(dataRoot, 'about.php'));
+    });
+    it('handles many leading slashes (#131)', () => {
+      assert.strictEqual(urlToPath('////wp-admin/index.php'), path.join(dataRoot, 'wp-admin/index.php'));
+    });
+    it('still rejects real `..` traversal that escapes after normalization', () => {
+      // Security must be preserved: `/../etc/passwd` → strip leading slash →
+      // `../etc/passwd` → strip `..` → `/etc/passwd` (absolute residue) →
+      // path.resolve escapes dataRoot → guard fires.
+      assert.throws(() => urlToPath('/../etc/passwd'), /Path traversal/);
+    });
+  });
+  describe('urlToPathWithPod', () => {
+    it('resolves into the pod dir', () => {
+      assert.strictEqual(urlToPathWithPod('/profile/card', 'alice'), path.join(dataRoot, 'alice/profile/card'));
+    });
+    it('handles double leading slash (#131)', () => {
+      assert.strictEqual(urlToPathWithPod('//about.php', 'alice'), path.join(dataRoot, 'alice/about.php'));
+    });
+  });
+});