solid-server 5.7.9 → 5.7.10
- package/.nvmrc +1 -1
- package/default-views/auth/reset-link-sent.hbs +1 -1
- package/lib/ldp.js +29 -7
- package/lib/models/account-manager.js +1 -1
- package/lib/requests/create-account-request.js +1 -1
- package/lib/requests/password-reset-email-request.js +6 -3
- package/lib/requests/sharing-request.js +3 -1
- package/package.json +3 -2
package/.nvmrc
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
|
|
1
|
+
v18.19.0
|
package/lib/ldp.js
CHANGED
|
@@ -145,18 +145,26 @@ class LDP {
|
|
|
145
145
|
|
|
146
146
|
const ldp = this
|
|
147
147
|
debug.handlers('POST -- On parent: ' + containerPath)
|
|
148
|
-
|
|
148
|
+
if (container) {
|
|
149
|
+
// Containers should not receive an extension
|
|
150
|
+
extension = ''
|
|
151
|
+
}
|
|
152
|
+
// pepare slug
|
|
149
153
|
if (slug) {
|
|
150
|
-
if (this.isAuxResource(slug, extension)) throw error(403, 'POST is not allowed for auxiliary resources')
|
|
151
154
|
slug = decodeURIComponent(slug)
|
|
155
|
+
|
|
156
|
+
if (container) {
|
|
157
|
+
// the name of a container cannot be a valid auxiliary resource document
|
|
158
|
+
while (this._containsInvalidSuffixes(slug + '/')) {
|
|
159
|
+
const idx = slug.lastIndexOf('.')
|
|
160
|
+
slug = slug.substr(0, idx)
|
|
161
|
+
}
|
|
162
|
+
} else if (this.isAuxResource(slug, extension)) throw error(403, 'POST to auxiliary resources is not allowed')
|
|
163
|
+
|
|
152
164
|
if (slug.match(/\/|\||:/)) {
|
|
153
|
-
throw error(400, 'The name of new file
|
|
165
|
+
throw error(400, 'The name of a POSTed new file may not contain ":" (colon), "|" (pipe), or "/" (slash)')
|
|
154
166
|
}
|
|
155
167
|
}
|
|
156
|
-
// Containers should not receive an extension
|
|
157
|
-
if (container) {
|
|
158
|
-
extension = ''
|
|
159
|
-
}
|
|
160
168
|
|
|
161
169
|
// always return a valid URL.
|
|
162
170
|
const resourceUrl = await ldp.getAvailableUrl(hostname, containerPath, { slug, extension, container })
|
|
@@ -327,11 +335,25 @@ class LDP {
|
|
|
327
335
|
} catch (err) { }
|
|
328
336
|
}
|
|
329
337
|
|
|
338
|
+
/**
|
|
339
|
+
* This function is used to make sure a resource or container which contains
|
|
340
|
+
* reserved suffixes for auxiliary documents cannot be created.
|
|
341
|
+
* @param {string} path - the uri to check for invalid suffixes
|
|
342
|
+
* @returns {boolean} true is fail - if the path contains reserved suffixes
|
|
343
|
+
*/
|
|
344
|
+
_containsInvalidSuffixes (path) {
|
|
345
|
+
return AUXILIARY_RESOURCES.some(suffix => path.endsWith(suffix + '/'))
|
|
346
|
+
}
|
|
347
|
+
|
|
330
348
|
// check whether a document (or container) has the same name as another document (or container)
|
|
331
349
|
async checkItemName (url) {
|
|
332
350
|
let testName, testPath
|
|
333
351
|
const { hostname, pathname } = this.resourceMapper._parseUrl(url) // (url.url || url)
|
|
334
352
|
let itemUrl = this.resourceMapper.resolveUrl(hostname, pathname)
|
|
353
|
+
// make sure the resource being created does not attempt invalid resource creation
|
|
354
|
+
if (this._containsInvalidSuffixes(itemUrl)) {
|
|
355
|
+
throw error(400, `${itemUrl} contained reserved suffixes in path`)
|
|
356
|
+
}
|
|
335
357
|
const container = itemUrl.endsWith('/')
|
|
336
358
|
try {
|
|
337
359
|
const testUrl = container ? itemUrl.slice(0, -1) : itemUrl + '/'
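Review bot: `_containsInvalidSuffixes` only tests `path.endsWith(suffix + '/')`, so the new guard in `checkItemName` rejects a container whose own name ends in a reserved suffix but not a URL that merely passes through such a segment, for example a document below a `*.acl/` container. The docstring and the 400 text ("contained reserved suffixes in path") promise more than that. If intermediate containers can be created implicitly on write (not visible in these hunks), the check should cover every container segment of the pathname rather than the tail of the full URL, e.g. `pathname.split('/').slice(0, -1).some(seg => AUXILIARY_RESOURCES.some(suffix => seg.endsWith(suffix)))`. In the POST hunk the stripping loop also relies on every entry of `AUXILIARY_RESOURCES` containing a `.`, which deserves a one-line comment next to the `lastIndexOf('.')` call. Both methods continue outside the visible hunks.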
|
|
@@ -178,7 +178,7 @@ class CreateAccountRequest extends AuthRequest {
|
|
|
178
178
|
.then(exists => {
|
|
179
179
|
if (exists) {
|
|
180
180
|
debug(`Canceling account creation, ${userAccount.webId} already exists`)
|
|
181
|
-
const error = new Error('Account
|
|
181
|
+
const error = new Error('Account creation failed')
|
|
182
182
|
error.status = 400
|
|
183
183
|
throw error
|
|
184
184
|
}
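Review bot: The generic message on the `exists` branch carries no comment saying it is generic on purpose, unlike the password-reset change in this same release, so a later edit could restore the more detailed text. A comment above the `new Error(...)` line such as `// Deliberately generic: do not reveal that the username is already taken` would record the intent. Whether this 400 is still distinguishable from other account-creation failures depends on the other error paths of the request, which lie outside this hunk.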
|
|
@@ -94,7 +94,7 @@ class PasswordResetEmailRequest extends AuthRequest {
|
|
|
94
94
|
.then(() => request.validate())
|
|
95
95
|
.then(() => request.loadUser())
|
|
96
96
|
.then(userAccount => request.sendResetLink(userAccount))
|
|
97
|
-
.then(() => request.
|
|
97
|
+
.then(() => request.resetLinkMessage())
|
|
98
98
|
.catch(error => request.error(error))
|
|
99
99
|
}
|
|
100
100
|
|
|
@@ -123,7 +123,10 @@ class PasswordResetEmailRequest extends AuthRequest {
|
|
|
123
123
|
return this.accountManager.accountExists(username)
|
|
124
124
|
.then(exists => {
|
|
125
125
|
if (!exists) {
|
|
126
|
-
|
|
126
|
+
// For security reasons, avoid leaking error information
|
|
127
|
+
// See: https://github.com/nodeSolidServer/node-solid-server/issues/1770
|
|
128
|
+
this.accountManager.verifyEmailDependencies()
|
|
129
|
+
return this.resetLinkMessage()
|
|
127
130
|
}
|
|
128
131
|
|
|
129
132
|
const userData = { username }
|
|
@@ -191,7 +194,7 @@ class PasswordResetEmailRequest extends AuthRequest {
|
|
|
191
194
|
/**
|
|
192
195
|
* Displays the 'your reset link has been sent' success message view
|
|
193
196
|
*/
|
|
194
|
-
|
|
197
|
+
resetLinkMessage () {
|
|
195
198
|
this.response.render('auth/reset-link-sent')
|
|
196
199
|
}
|
|
197
200
|
}
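Review bot: In the `!exists` branch the response is rendered from inside what appears to be `loadUser` (`return this.resetLinkMessage()`), yet the chain in the first hunk still continues to `request.sendResetLink(userAccount)` with an undefined account and then calls `request.resetLinkMessage()` a second time. Depending on how `sendResetLink` treats `undefined` (not visible here), that ends either in a second render or in `request.error(error)` writing to a response that has already been sent, and the unknown-account path may remain distinguishable through server errors or response timing. Rendering once from the chain avoids this: after `verifyEmailDependencies()` use `return null` in the branch, and change the chain step to `.then(userAccount => userAccount ? request.sendResetLink(userAccount) : null)`. The enclosing methods start and end outside the hunks.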
|
|
@@ -64,10 +64,11 @@ class SharingRequest extends AuthRequest {
|
|
|
64
64
|
* @param req {IncomingRequest}
|
|
65
65
|
* @param res {ServerResponse}
|
|
66
66
|
*/
|
|
67
|
-
static async get (req, res) {
|
|
67
|
+
static async get (req, res, next) {
|
|
68
68
|
const request = SharingRequest.fromParams(req, res)
|
|
69
69
|
|
|
70
70
|
const appUrl = request.getAppUrl()
|
|
71
|
+
if (!appUrl) return next()
|
|
71
72
|
const appOrigin = appUrl.origin
|
|
72
73
|
const serverUrl = new url.URL(req.app.locals.ldp.serverUri)
|
|
73
74
|
|
|
@@ -153,6 +154,7 @@ class SharingRequest extends AuthRequest {
|
|
|
153
154
|
}
|
|
154
155
|
|
|
155
156
|
getAppUrl () {
|
|
157
|
+
if (!this.authQueryParams.redirect_uri) return
|
|
156
158
|
return new url.URL(this.authQueryParams.redirect_uri)
|
|
157
159
|
}
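Review bot: The new guard in `getAppUrl` covers a missing `redirect_uri`, but a present and malformed value still reaches `new url.URL(...)`, which throws a `TypeError`; inside `static async get` that becomes a rejected promise instead of a call to `next()`. Treating an unparsable value like a missing one keeps the handler on a single path: `try { return new url.URL(this.authQueryParams.redirect_uri) } catch (err) { return undefined }`. `get` now also depends on its caller passing `next`; the route registration is not part of this diff, so that is worth confirming. The body of `get` continues past the hunk.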
|
|
158
160
|
|
package/package.json
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "solid-server",
|
|
3
3
|
"description": "Solid server on top of the file-system",
|
|
4
|
-
"version": "5.7.
|
|
4
|
+
"version": "5.7.10",
|
|
5
5
|
"author": {
|
|
6
6
|
"name": "Tim Berners-Lee",
|
|
7
7
|
"email": "timbl@w3.org"
|
|
@@ -89,7 +89,7 @@
|
|
|
89
89
|
"ip-range-check": "0.2.0",
|
|
90
90
|
"is-ip": "^3.1.0",
|
|
91
91
|
"li": "^1.3.0",
|
|
92
|
-
"mashlib": "^1.8.
|
|
92
|
+
"mashlib": "^1.8.10",
|
|
93
93
|
"mime-types": "^2.1.35",
|
|
94
94
|
"negotiator": "^0.6.3",
|
|
95
95
|
"node-fetch": "^2.7.0",
|
|
@@ -146,6 +146,7 @@
|
|
|
146
146
|
"validate": "node ./test/validate-turtle.js",
|
|
147
147
|
"nyc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 nyc --reporter=text-summary mocha --recursive test/integration/ test/unit/",
|
|
148
148
|
"mocha": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/ test/unit/",
|
|
149
|
+
"mocha-integration": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/http-test.js",
|
|
149
150
|
"prepublishOnly": "npm test",
|
|
150
151
|
"postpublish": "git push --follow-tags",
|
|
151
152
|
"test": "npm run standard && npm run validate && npm run nyc",
|