solid-server 5.7.9 → 5.7.11

package/.nvmrc

@@ -1 +1 @@
-16.14.0
+v18.19.0

package/common/js/index-buttons.js

@@ -30,7 +30,7 @@ document.addEventListener('DOMContentLoaded', async function() {
         //     HIDE LOGIN BUTTON, ADD REGISTER BUTTON
         else {
         let loginArea = document.getElementById('loginStatusArea');
-        let html = `<input type="button" onclick="window.location.href='/register'" value="Register to get a Pod" class="register-button">`
+        let html = `<input type="button" onclick="window.location.href='/register'" value="Register to get a Pod" class="register-button" style="padding: 1em; border-radius:0.2em; font-size: 100%;margin: 0.75em 0 0.75em 0.5em !important; padding: 0.5em !important;background-color: #efe;">`
         let span = document.createElement("span")
         span.innerHTML = html
         loginArea.appendChild(span);
@@ -41,4 +41,4 @@ document.addEventListener('DOMContentLoaded', async function() {
         signUpButton.style.display = "none";
         }                    
     }
-})
+})

package/default-views/auth/reset-link-sent.hbs

@@ -14,7 +14,7 @@
   </div>
 
   <div class="alert alert-success">
-    <p>A Reset Password link has been sent to your email.</p>
+    <p>A Reset Password link has been sent to the associated email account.</p>
   </div>
 </div>
 </body>

package/lib/ldp.js

@@ -103,7 +103,6 @@ class LDP {
 
   async listContainer (container, reqUri, containerData, hostname) {
     const resourceGraph = $rdf.graph()
-
     try {
       $rdf.parse(containerData, resourceGraph, reqUri, 'text/turtle')
     } catch (err) {
@@ -145,18 +144,26 @@ class LDP {
 
     const ldp = this
     debug.handlers('POST -- On parent: ' + containerPath)
-    // prepare slug
+    if (container) {
+      // Containers should not receive an extension
+      extension = ''
+    }
+    // pepare slug
     if (slug) {
-      if (this.isAuxResource(slug, extension)) throw error(403, 'POST is not allowed for auxiliary resources')
       slug = decodeURIComponent(slug)
+
+      if (container) {
+        // the name of a container cannot be a valid auxiliary resource document
+        while (this._containsInvalidSuffixes(slug + '/')) {
+          const idx = slug.lastIndexOf('.')
+          slug = slug.substr(0, idx)
+        }
+      } else if (this.isAuxResource(slug, extension)) throw error(403, 'POST to auxiliary resources is not allowed')
+
       if (slug.match(/\/|\||:/)) {
-        throw error(400, 'The name of new file POSTed may not contain : | or /')
+        throw error(400, 'The name of a POSTed new file may not contain ":" (colon), "|" (pipe), or "/" (slash)')
       }
     }
-    // Containers should not receive an extension
-    if (container) {
-      extension = ''
-    }
 
     // always return a valid URL.
     const resourceUrl = await ldp.getAvailableUrl(hostname, containerPath, { slug, extension, container })
@@ -212,19 +219,16 @@ class LDP {
 
   async put (url, stream, contentType) {
     const container = (url.url || url).endsWith('/')
-
     // PUT without content type is forbidden, unless PUTting container
     if (!contentType && !container) {
       throw error(400,
         'PUT request requires a content-type via the Content-Type header')
     }
-
     // reject resource with percent-encoded $ extension
     const dollarExtensionRegex = /%(?:24)\.[^%(?:24)]*$/ // /\$\.[^$]*$/
     if ((url.url || url).match(dollarExtensionRegex)) {
       throw error(400, 'Resource with a $.ext is not allowed by the server')
     }
-
     // First check if we are above quota
     let isOverQuota
     // Someone had a reason to make url actually a req sometimes but not
@@ -238,7 +242,6 @@ class LDP {
     if (isOverQuota) {
       throw error(413, 'User has exceeded their storage quota')
     }
-
     // Set url using folder/.meta. This is Hack to find folder path
     if (container) {
       if (typeof url !== 'string') {
@@ -248,22 +251,18 @@ class LDP {
       }
       contentType = 'text/turtle'
     }
-
     const { path } = await this.resourceMapper.mapUrlToFile({ url, contentType, createIfNotExists: true })
     // debug.handlers(container + ' item ' + (url.url || url) + ' ' + contentType + ' ' + path)
     // check if file exists, and in that case that it has the same extension
     if (!container) { await this.checkFileExtension(url, path) }
-
     // Create the enclosing directory, if necessary, do not create pubsub if PUT create container
     await this.createDirectory(path, hostname, !container)
-
     // clear cache
     if (path.endsWith(this.suffixAcl)) {
       const { url: aclUrl } = await this.resourceMapper.mapFileToUrl({ path, hostname })
       clearAclCache(aclUrl)
       // clearAclCache()
     }
-
     // Directory created, now write the file
     if (container) return
     return withLock(path, () => new Promise((resolve, reject) => {
@@ -327,11 +326,25 @@ class LDP {
     } catch (err) { }
   }
 
+  /**
+   * This function is used to make sure a resource or container which contains
+   * reserved suffixes for auxiliary documents cannot be created.
+   * @param {string} path - the uri to check for invalid suffixes
+   * @returns {boolean} true is fail - if the path contains reserved suffixes
+   */
+  _containsInvalidSuffixes (path) {
+    return AUXILIARY_RESOURCES.some(suffix => path.endsWith(suffix + '/'))
+  }
+
   // check whether a document (or container) has the same name as another document (or container)
   async checkItemName (url) {
     let testName, testPath
     const { hostname, pathname } = this.resourceMapper._parseUrl(url) // (url.url || url)
     let itemUrl = this.resourceMapper.resolveUrl(hostname, pathname)
+    // make sure the resource being created does not attempt invalid resource creation
+    if (this._containsInvalidSuffixes(itemUrl)) {
+      throw error(400, `${itemUrl} contained reserved suffixes in path`)
+    }
     const container = itemUrl.endsWith('/')
     try {
       const testUrl = container ? itemUrl.slice(0, -1) : itemUrl + '/'

package/lib/models/account-manager.js

@@ -89,12 +89,10 @@ class AccountManager {
     try {
       accountUri = this.accountUriFor(accountName)
       accountUri = url.parse(accountUri).hostname
-
       cardPath = url.resolve('/', this.pathCard)
     } catch (err) {
       return Promise.reject(err)
     }
-
     return this.accountUriExists(accountUri, cardPath)
   }
 
@@ -537,7 +535,7 @@ class AccountManager {
       throw new Error('Email service is not set up')
     }
 
-    if (!userAccount.email) {
+    if (userAccount && !userAccount.email) {
       throw new Error('Account recovery email has not been provided')
     }
   }

package/lib/requests/create-account-request.js

@@ -178,7 +178,7 @@ class CreateAccountRequest extends AuthRequest {
       .then(exists => {
         if (exists) {
           debug(`Canceling account creation, ${userAccount.webId} already exists`)
-          const error = new Error('Account already exists')
+          const error = new Error('Account creation failed')
           error.status = 400
           throw error
         }

package/lib/requests/password-reset-email-request.js

@@ -94,7 +94,7 @@ class PasswordResetEmailRequest extends AuthRequest {
       .then(() => request.validate())
       .then(() => request.loadUser())
       .then(userAccount => request.sendResetLink(userAccount))
-      .then(() => request.renderSuccess())
+      .then(() => request.resetLinkMessage())
       .catch(error => request.error(error))
   }
 
@@ -123,7 +123,10 @@ class PasswordResetEmailRequest extends AuthRequest {
     return this.accountManager.accountExists(username)
       .then(exists => {
         if (!exists) {
-          throw new Error('Account not found for that username')
+          // For security reasons, avoid leaking error information
+          // See: https://github.com/nodeSolidServer/node-solid-server/issues/1770
+          this.accountManager.verifyEmailDependencies()
+          return this.resetLinkMessage()
         }
 
         const userData = { username }
@@ -191,7 +194,7 @@ class PasswordResetEmailRequest extends AuthRequest {
   /**
    * Displays the 'your reset link has been sent' success message view
    */
-  renderSuccess () {
+  resetLinkMessage () {
     this.response.render('auth/reset-link-sent')
   }
 }

package/lib/requests/sharing-request.js

@@ -64,10 +64,11 @@ class SharingRequest extends AuthRequest {
    * @param req {IncomingRequest}
    * @param res {ServerResponse}
    */
-  static async get (req, res) {
+  static async get (req, res, next) {
     const request = SharingRequest.fromParams(req, res)
 
     const appUrl = request.getAppUrl()
+    if (!appUrl) return next()
     const appOrigin = appUrl.origin
     const serverUrl = new url.URL(req.app.locals.ldp.serverUri)
 
@@ -153,6 +154,7 @@ class SharingRequest extends AuthRequest {
   }
 
   getAppUrl () {
+    if (!this.authQueryParams.redirect_uri) return
     return new url.URL(this.authQueryParams.redirect_uri)
   }
 

package/lib/utils.js

@@ -201,7 +201,7 @@ async function getQuota (root, serverUri) {
     return Infinity
   }
   const graph = $rdf.graph()
-  const storageUri = serverUri + '/'
+  const storageUri = serverUri.endsWith('/') ? serverUri : serverUri + '/'
   try {
     $rdf.parse(prefs, graph, storageUri, 'text/turtle')
   } catch (error) {

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "solid-server",
   "description": "Solid server on top of the file-system",
-  "version": "5.7.9",
+  "version": "5.7.11",
   "author": {
     "name": "Tim Berners-Lee",
     "email": "timbl@w3.org"
@@ -89,7 +89,7 @@
     "ip-range-check": "0.2.0",
     "is-ip": "^3.1.0",
     "li": "^1.3.0",
-    "mashlib": "^1.8.9",
+    "mashlib": "^1.8.11",
     "mime-types": "^2.1.35",
     "negotiator": "^0.6.3",
     "node-fetch": "^2.7.0",
@@ -146,6 +146,14 @@
     "validate": "node ./test/validate-turtle.js",
     "nyc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 nyc --reporter=text-summary mocha --recursive test/integration/ test/unit/",
     "mocha": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/ test/unit/",
+    "mocha-integration": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/http-test.js",
+    "mocha-account-creation-oidc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/account-creation-oidc-test.js",
+    "mocha-account-manager": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/account-manager-test.js",
+    "mocha-account-template": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/account-template-test.js",
+    "mocha-acl-oidc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/acl-oidc-test.js",
+    "mocha-authentication-oidc": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/authentication-oidc-test.js",
+    "mocha-header": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/header-test.js",
+    "mocha-ldp": "cross-env NODE_TLS_REJECT_UNAUTHORIZED=0 mocha --recursive test/integration/ldp-test.js",
     "prepublishOnly": "npm test",
     "postpublish": "git push --follow-tags",
     "test": "npm run standard && npm run validate && npm run nyc",