npm - javascript-solid-server - Versions diffs - 0.0.70 → 0.0.72 - Mend

javascript-solid-server 0.0.70 → 0.0.72

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (12) hide show

package/.claude/settings.local.json +6 -1
package/SECURITY-AUDIT-2026-01-05.md +382 -0
package/docs/design/nostr-solid-browser-extension.md +1465 -0
package/package.json +1 -1
package/src/auth/middleware.js +12 -5
package/src/auth/solid-oidc.js +50 -1
package/src/handlers/git.js +33 -6
package/src/idp/interactions.js +5 -0
package/src/utils/ssrf.js +9 -4
package/src/utils/url.js +7 -2
package/src/wac/parser.js +3 -2
package/SECURITY-AUDIT-2026-01-15.md +0 -514

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "javascript-solid-server",
-  "version": "0.0.70",
+  "version": "0.0.72",
   "description": "A minimal, fast Solid server",
   "main": "src/index.js",
   "type": "module",

package/src/auth/middleware.js CHANGED Viewed

@@ -9,6 +9,7 @@ import { checkAccess, getRequiredMode } from '../wac/checker.js';
 import { AccessMode } from '../wac/parser.js';
 import * as storage from '../storage/filesystem.js';
 import { getEffectiveUrlPath } from '../utils/url.js';
+import { generateDatabrowserHtml } from '../mashlib/index.js';
 /**
  * Check if request is authorized
@@ -113,6 +114,12 @@ export function handleUnauthorized(request, reply, isAuthenticated, wacAllow, au
   // Check if browser wants HTML
   const accept = request.headers.accept || '';
   if (accept.includes('text/html')) {
+    // If mashlib is enabled, serve mashlib instead of static error page
+    // Mashlib has built-in login functionality via panes.runDataBrowser()
+    if (request.mashlibEnabled) {
+      const cdnVersion = request.mashlibCdn ? request.mashlibVersion : null;
+      return reply.code(statusCode).type('text/html').send(generateDatabrowserHtml(request.url, cdnVersion));
+    }
     return reply.code(statusCode).type('text/html').send(getErrorPage(statusCode, isAuthenticated, request));
   }
@@ -315,12 +322,12 @@ function getErrorPage(statusCode, isAuthenticated, request) {
       <p class="subtitle">${subtitle}</p>
       <div class="actions">
-        <a href="${baseUrl}/" class="btn btn-primary">
+        ${is401 ? `<a href="https://solidos.solidcommunity.net/?uri=${encodeURIComponent(baseUrl + request.url)}" class="btn btn-primary">
+          Open in Data Browser
+        </a>` : ''}
+        <a href="${baseUrl}/" class="btn btn-secondary">
           Go to Homepage
         </a>
-        ${is401 ? `<a href="${baseUrl}/idp/register" class="btn btn-secondary">
-          Create Account
-        </a>` : ''}
       </div>
       <div class="divider"><span>What is this?</span></div>
@@ -330,7 +337,7 @@ function getErrorPage(statusCode, isAuthenticated, request) {
         <p>
           This is a <strong>Solid Pod</strong> — a personal data store where you control your own data.
           Resources can be private, shared with specific people, or public.
-          ${is401 ? "To access protected content, you'll need to sign in using a Solid app (like a data browser) with your WebID." : 'Ask the owner to grant you access.'}
+          ${is401 ? "The Data Browser lets you sign in with your WebID to access protected content." : 'Ask the owner to grant you access.'}
         </p>
       </div>

package/src/auth/solid-oidc.js CHANGED Viewed

@@ -17,6 +17,11 @@ import { validateExternalUrl } from '../utils/ssrf.js';
 const oidcConfigCache = new Map();
 const jwksCache = new Map();
+// Cache for DPoP jti values to prevent replay attacks
+// Stores { jti: timestamp } entries, cleaned periodically
+const dpopJtiCache = new Map();
+const JTI_CACHE_CLEANUP_INTERVAL = 60 * 1000; // Clean every minute
 // Cache TTL (15 minutes)
 const CACHE_TTL = 15 * 60 * 1000;
@@ -36,6 +41,42 @@ export function addTrustedIssuer(issuer) {
 // DPoP proof max age (5 minutes)
 const DPOP_MAX_AGE = 5 * 60;
+/**
+ * Clean expired jti entries from cache
+ * Called periodically to prevent memory growth
+ */
+function cleanupJtiCache() {
+  const now = Math.floor(Date.now() / 1000);
+  const expiredBefore = now - DPOP_MAX_AGE;
+  for (const [jti, timestamp] of dpopJtiCache.entries()) {
+    if (timestamp < expiredBefore) {
+      dpopJtiCache.delete(jti);
+    }
+  }
+}
+// Start periodic cleanup
+setInterval(cleanupJtiCache, JTI_CACHE_CLEANUP_INTERVAL);
+/**
+ * Check if a jti has been used (replay attack prevention)
+ * @param {string} jti - The jti claim from DPoP proof
+ * @returns {boolean} - true if jti was already used
+ */
+function isJtiUsed(jti) {
+  return dpopJtiCache.has(jti);
+}
+/**
+ * Record a jti as used
+ * @param {string} jti - The jti claim from DPoP proof
+ * @param {number} iat - The issued-at timestamp
+ */
+function recordJti(jti, iat) {
+  dpopJtiCache.set(jti, iat);
+}
 /**
  * Verify a Solid-OIDC request and extract WebID
  * @param {object} request - Fastify request object
@@ -175,11 +216,19 @@ async function verifyDpopProof(dpopProof, request, accessToken) {
       return { thumbprint: null, error: 'DPoP proof expired or invalid iat' };
     }
-    // jti: Unique identifier (we should track these to prevent replay, but skip for now)
+    // jti: Unique identifier - track to prevent replay attacks
     if (!payload.jti) {
       return { thumbprint: null, error: 'DPoP proof missing jti' };
     }
+    // Check for replay attack
+    if (isJtiUsed(payload.jti)) {
+      return { thumbprint: null, error: 'DPoP proof jti already used (replay attack prevented)' };
+    }
+    // Record jti to prevent future replay
+    recordJti(payload.jti, payload.iat);
     // ath: Access token hash (optional but recommended)
     if (payload.ath) {
       const expectedAth = await calculateAth(accessToken);

package/src/handlers/git.js CHANGED Viewed

@@ -1,6 +1,7 @@
 import { spawn, execSync } from 'child_process';
 import { existsSync, statSync, mkdirSync, writeFileSync } from 'fs';
 import { join, resolve, dirname } from 'path';
+import { getDataRoot } from '../utils/url.js';
 /**
  * Check if a URL path is a Git protocol request
@@ -23,20 +24,41 @@ export function isGitWriteOperation(urlPath) {
 }
 /**
- * Extract the repository path from the URL
+ * Extract the repository path from the URL with path traversal protection
  * @param {string} urlPath - The URL path
  * @returns {string|null} The repository relative path or null
  */
 function extractRepoPath(urlPath) {
   // Remove git service suffixes to get the repo path
-  const cleanPath = urlPath
+  let cleanPath = urlPath
     .replace(/\/info\/refs.*$/, '')
     .replace(/\/git-upload-pack$/, '')
     .replace(/\/git-receive-pack$/, '');
-  // Remove leading slash, use '.' for root
-  const result = cleanPath.replace(/^\//, '');
-  return result === '' ? '.' : result;
+  // Remove leading slash
+  cleanPath = cleanPath.replace(/^\//, '');
+  // Security: remove path traversal attempts (multiple passes for ....// bypass)
+  let previous;
+  do {
+    previous = cleanPath;
+    cleanPath = cleanPath.replace(/\.\./g, '');
+  } while (cleanPath !== previous);
+  // Use '.' for root/empty path
+  return cleanPath === '' ? '.' : cleanPath;
+}
+/**
+ * Validate that a resolved path is within the data root
+ * @param {string} resolvedPath - Absolute path to validate
+ * @param {string} dataRoot - The data root directory
+ * @returns {boolean} - true if path is safe
+ */
+function isPathWithinDataRoot(resolvedPath, dataRoot) {
+  const normalizedRoot = resolve(dataRoot);
+  const normalizedPath = resolve(resolvedPath);
+  return normalizedPath.startsWith(normalizedRoot + '/') || normalizedPath === normalizedRoot;
 }
 /**
@@ -89,13 +111,18 @@ export async function handleGit(request, reply) {
   }
   // Handle subdomain mode
-  let dataRoot = process.env.DATA_ROOT || './data';
+  let dataRoot = getDataRoot();
   if (request.podName) {
     dataRoot = join(dataRoot, request.podName);
   }
   const repoAbs = resolve(dataRoot, repoRelative);
+  // Security: verify resolved path is within data root (path traversal protection)
+  if (!isPathWithinDataRoot(repoAbs, getDataRoot())) {
+    return reply.code(403).send({ error: 'Path traversal detected' });
+  }
   // Find git directory
   const gitInfo = findGitDir(repoAbs);
   if (!gitInfo) {

package/src/idp/interactions.js CHANGED Viewed

@@ -376,6 +376,11 @@ export async function handleRegisterPost(request, reply, issuer, inviteOnly = fa
     return reply.type('text/html').send(registerPage(uid, 'Username must be at least 3 characters', null, inviteOnly));
   }
+  // Password strength validation
+  if (password.length < 8) {
+    return reply.type('text/html').send(registerPage(uid, 'Password must be at least 8 characters', null, inviteOnly));
+  }
   if (password !== confirmPassword) {
     return reply.type('text/html').send(registerPage(uid, 'Passwords do not match', null, inviteOnly));
   }

package/src/utils/ssrf.js CHANGED Viewed

@@ -123,10 +123,15 @@ export async function validateExternalUrl(urlString, options = {}) {
         }
       }
     } catch (err) {
-      // DNS resolution failed - could be a legitimate issue or attacker trying to bypass
-      // For security, we'll allow it through but log a warning
-      // The fetch will fail anyway if the host doesn't resolve
-      console.warn(`DNS resolution failed for ${hostname}: ${err.message}`);
+      // DNS resolution failed - this could be an attacker attempting to bypass SSRF
+      // protection via DNS manipulation or timing attacks.
+      // Security: block the request rather than allowing it through
+      console.warn(`SSRF protection: DNS resolution failed for ${hostname}: ${err.message}`);
+      return {
+        valid: false,
+        error: `DNS resolution failed for hostname: ${hostname}`,
+        url: null
+      };
     }
   }

package/src/utils/url.js CHANGED Viewed

@@ -65,8 +65,13 @@ export function urlToPathWithPod(urlPath, podName) {
     normalized = normalized.replace(/\.\./g, '');
   } while (normalized !== previous);
-  // Also sanitize podName
-  let safePodName = podName.replace(/\.\./g, '');
+  // Also sanitize podName (multiple passes for ....// bypass)
+  let safePodName = podName;
+  let previousPod;
+  do {
+    previousPod = safePodName;
+    safePodName = safePodName.replace(/\.\./g, '');
+  } while (safePodName !== previousPod);
   // Resolve to absolute path and verify it's within DATA_ROOT
   const dataRoot = path.resolve(getDataRoot());

package/src/wac/parser.js CHANGED Viewed

@@ -4,6 +4,7 @@
  */
 import { turtleToJsonLd } from '../rdf/turtle.js';
+import { safeJsonParse } from '../utils/url.js';
 const ACL = 'http://www.w3.org/ns/auth/acl#';
 const FOAF = 'http://xmlns.com/foaf/0.1/';
@@ -35,9 +36,9 @@ export async function parseAcl(content, aclUrl) {
   if (typeof content === 'object' && content !== null) {
     doc = content;
   } else if (typeof content === 'string') {
-    // Try JSON-LD first
+    // Try JSON-LD first (with size limit for DoS protection)
     try {
-      doc = JSON.parse(content);
+      doc = safeJsonParse(content);
     } catch {
       // Not JSON, try Turtle
       try {