solid-server 5.7.7 → 5.7.8

package/.github/workflows/ci.yml

@@ -17,7 +17,7 @@ jobs:
 
     strategy:
       matrix:
-        node-version: [12.x, 14.x, 16.x]
+        node-version: [16.x, 18.x]
         os: [ubuntu-latest]
 
     steps:
@@ -97,4 +97,4 @@ jobs:
           build-args: SOLID_SERVER_VERSION=${{ steps.tagName.outputs.version }}
           push: true
           tags: ${{ steps.meta.outputs.tags }}
-          labels: ${{ steps.meta.outputs.labels }}
+          labels: ${{ steps.meta.outputs.labels }}

package/README.md

@@ -9,6 +9,8 @@
 
 `solid-server` lets you run a Solid server on top of the file-system. You can use it as a [command-line tool](https://github.com/solid/node-solid-server/blob/master/README.md#command-line-usage) (easy) or as a [library](https://github.com/solid/node-solid-server/blob/master/README.md#library-usage) (advanced).
 
+The [solid test suite](https://github.com/nodeSolidServer/node-solid-server/blob/main/test/surface/run-solid-test-suite.sh) runs as part of GitHub Actions on this repository, ensuring that this server is always (to the best of our knowledge) fully spec compliant.
+
 ## Solid Features supported
 - [x] [Linked Data Platform](http://www.w3.org/TR/ldp/)
 - [x] [Web Access Control](http://www.w3.org/wiki/WebAccessControl)

package/lib/acl-checker.js

@@ -28,7 +28,14 @@ class ACLChecker {
   constructor (resource, options = {}) {
     this.resource = resource
     this.resourceUrl = new URL(resource)
-    this.agentOrigin = options.strictOrigin && options.agentOrigin ? rdf.sym(options.agentOrigin) : null
+    this.agentOrigin = null
+    try {
+      if (options.strictOrigin && options.agentOrigin) {
+        this.agentOrigin = rdf.sym(options.agentOrigin)
+      }
+    } catch (e) {
+      // noop
+    }
     this.fetch = options.fetch
     this.fetchGraph = options.fetchGraph
     this.trustedOrigins = options.strictOrigin && options.trustedOrigins ? options.trustedOrigins.map(trustedOrigin => rdf.sym(trustedOrigin)) : null

package/lib/handlers/allow.js

@@ -72,9 +72,10 @@ function allow (mode) {
       }
     }
 
-    // check user is owner. Find owner from /.meta
-    if (resourceUrl.endsWith('.acl') && userId === await ldp.getOwner(req.hostname)) return next()
-
+    // check if user is owner. Check isOwner from /.meta
+    try {
+      if (resourceUrl.endsWith('.acl') && (await ldp.isOwner(userId, req.hostname))) return next()
+    } catch (err) {}
     const error = req.authError || await req.acl.getError(userId, mode)
     debug(`${mode} access denied to ${userId || '(none)'}: ${error.status} - ${error.message}`)
     next(error)

package/lib/handlers/patch.js

@@ -143,8 +143,6 @@ async function checkPermission (request, patchObject, resourceExists) {
   // Now that we know the details of the patch,
   // we might need to perform additional checks.
   let modes = []
-  // acl:default Write is required for create
-  if (!resourceExists) modes = ['Write']
   const { acl, session: { userId } } = request
   // Read access is required for DELETE and WHERE.
   // If we would allows users without read access,
@@ -164,7 +162,7 @@ async function checkPermission (request, patchObject, resourceExists) {
   if (!allAllowed) {
     // check owner with Control
     const ldp = request.app.locals.ldp
-    if (request.path.endsWith('.acl') && userId === await ldp.getOwner(request.hostname)) return Promise.resolve(patchObject)
+    if (request.path.endsWith('.acl') && await ldp.isOwner(userId, request.hostname)) return Promise.resolve(patchObject)
 
     const errors = await Promise.all(modes.map(mode => acl.getError(userId, mode)))
     const error = errors.filter(error => !!error)

package/lib/header.js

@@ -128,7 +128,7 @@ async function addPermissions (req, res, next) {
     getPermissionsFor(acl, null, req),
     getPermissionsFor(acl, session.userId, req)
   ])
-  if (resource.endsWith('.acl') && userPerms === '' && session.userId === await ldp.getOwner(req.hostname)) userPerms = 'control'
+  if (resource.endsWith('.acl') && userPerms === '' && await ldp.isOwner(session.userId, req.hostname)) userPerms = 'control'
   debug.ACL(`Permissions on ${resource} for ${session.userId || '(none)'}: ${userPerms}`)
   debug.ACL(`Permissions on ${resource} for public: ${publicPerms}`)
   res.set('WAC-Allow', `user="${userPerms}",public="${publicPerms}"`)

package/lib/ldp.js

@@ -243,7 +243,14 @@ class LDP {
         'PUT request requires a content-type via the Content-Type header')
     }
 
+    // reject resource with percent-encoded $ extension
+    const dollarExtensionRegex = /%(?:24)\.[^%(?:24)]*$/ // /\$\.[^$]*$/
+    if ((url.url || url).match(dollarExtensionRegex)) {
+      throw error(400, 'Resource with a $.ext is not allowed by the server')
+    }
+
     // check if a folder or file with same name exists
+    // const urlItem = url.url || url
     await this.checkItemName(url)
 
     // First check if we are above quota
@@ -350,17 +357,27 @@ class LDP {
 
   async checkItemName (url) {
     let testName
-    const itemUrl = (url.url || url)
+    const { hostname, pathname } = this.resourceMapper._parseUrl(url) // (url.url || url)
+    let itemUrl = this.resourceMapper.resolveUrl(hostname, pathname)
     const container = itemUrl.endsWith('/')
     try {
       const testUrl = container ? itemUrl.slice(0, -1) : itemUrl + '/'
       const { path: testPath } = await this.resourceMapper.mapUrlToFile({ url: testUrl })
-      // testName = fs.lstatSync(testPath).isDirectory()
       testName = container ? fs.lstatSync(testPath).isFile() : fs.lstatSync(testPath).isDirectory()
-    } catch (err) { testName = false }
-
+    } catch (err) {
+      testName = false
+
+      // item does not exist, check one level up the tree
+      if (itemUrl.endsWith('/')) itemUrl = itemUrl.substring(0, itemUrl.length - 1)
+      itemUrl = itemUrl.substring(0, itemUrl.lastIndexOf('/') + 1)
+      const { pathname } = this.resourceMapper._parseUrl(itemUrl) // (url.url || url)
+      // check not at root
+      if (pathname !== '/') {
+        await this.checkItemName(itemUrl)
+      }
+    }
     if (testName) {
-      throw error(200, 'Container and resource cannot have the same name in URI')
+      throw error(404, 'Container and resource cannot have the same name in URI')
     }
   }
 
@@ -437,7 +454,7 @@ class LDP {
   // this is a hack to replace solid:owner, using solid:account in /.meta to avoid NSS migration
   // this /.meta has no functionality in actual NSS
   // comment https://github.com/solid/node-solid-server/pull/1604#discussion_r652903546
-  async getOwner (hostname) {
+  async isOwner (webId, hostname) {
     // const ldp = req.app.locals.ldp
     const rootUrl = this.resourceMapper.resolveUrl(hostname)
     let graph
@@ -445,8 +462,8 @@ class LDP {
       // TODO check for permission ?? Owner is a MUST
       graph = await this.getGraph(rootUrl + '/.meta')
       const SOLID = $rdf.Namespace('http://www.w3.org/ns/solid/terms#')
-      const owner = await graph.any(null, SOLID('account'), $rdf.sym(rootUrl + '/'))
-      return owner.uri
+      const owner = await graph.statementsMatching($rdf.sym(webId), SOLID('account'), $rdf.sym(rootUrl + '/'))
+      return owner.length
     } catch (error) {
       throw new Error(`Failed to get owner from ${rootUrl}/.meta, got ` + error)
     }

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "solid-server",
   "description": "Solid server on top of the file-system",
-  "version": "5.7.7",
+  "version": "5.7.8",
   "author": {
     "name": "Tim Berners-Lee",
     "email": "timbl@w3.org"
@@ -69,7 +69,7 @@
     "cached-path-relative": "^1.1.0",
     "camelize": "^1.0.1",
     "cheerio": "^1.0.0-rc.12",
-    "colorette": "^2.0.19",
+    "colorette": "^2.0.20",
     "commander": "^8.3.0",
     "cors": "^2.8.5",
     "debug": "^4.3.4",
@@ -82,27 +82,27 @@
     "get-folder-size": "^2.0.1",
     "glob": "^7.2.3",
     "global-tunnel-ng": "^2.7.1",
-    "handlebars": "^4.7.7",
+    "handlebars": "^4.7.8",
     "http-proxy-middleware": "^2.0.6",
-    "inquirer": "^8.2.5",
+    "inquirer": "^8.2.6",
     "into-stream": "^6.0.0",
     "ip-range-check": "0.2.0",
     "is-ip": "^3.1.0",
     "li": "^1.3.0",
-    "mashlib": "^1.8.8",
+    "mashlib": "^1.8.9",
     "mime-types": "^2.1.35",
     "negotiator": "^0.6.3",
-    "node-fetch": "^2.6.9",
+    "node-fetch": "^2.7.0",
     "node-forge": "^1.3.1",
     "node-mailer": "^0.1.1",
-    "nodemailer": "^6.9.1",
+    "nodemailer": "^6.9.7",
     "oidc-op-express": "^0.0.3",
     "owasp-password-strength-test": "^1.3.0",
     "recursive-readdir": "^2.2.3",
     "request": "^2.88.2",
     "rimraf": "^3.0.2",
     "solid-auth-client": "^2.5.6",
-    "solid-namespace": "^0.5.2",
+    "solid-namespace": "^0.5.3",
     "solid-ws": "^0.4.3",
     "text-encoder-lite": "^2.0.0",
     "the-big-username-blacklist": "^1.5.2",
@@ -110,26 +110,26 @@
     "urijs": "^1.19.11",
     "uuid": "^8.3.2",
     "valid-url": "^1.0.9",
-    "validator": "^13.9.0",
+    "validator": "^13.11.0",
     "vhost": "^3.0.2"
   },
   "devDependencies": {
-    "@solid/solid-auth-oidc": "^0.3.0",
-    "chai": "^4.3.7",
+    "@solid/solid-auth-oidc": "0.3.0",
+    "chai": "^4.3.10",
     "chai-as-promised": "7.1.1",
     "cross-env": "7.0.3",
     "dirty-chai": "2.0.1",
     "eslint": "^7.32.0",
     "localstorage-memory": "1.0.3",
     "mocha": "^9.2.2",
-    "nock": "^13.3.0",
-    "node-mocks-http": "^1.12.2",
+    "nock": "^13.4.0",
+    "node-mocks-http": "^1.14.0",
     "nyc": "15.1.0",
     "pre-commit": "1.2.2",
     "randombytes": "2.1.0",
     "sinon": "12.0.1",
     "sinon-chai": "3.7.0",
-    "snyk": "^1.1119.0",
+    "snyk": "^1.1264.0",
     "standard": "16.0.4",
     "supertest": "^6.3.3",
     "turtle-validator": "1.1.1",