specra 0.2.10 → 0.2.11
- package/dist/mdx-security.js +12 -11
- package/package.json +1 -1
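--- a/package/dist/mdx-security.js
+++ b/package/dist/mdx-security.js
@@ -44,22 +44,23 @@ export function validatePathWithinDirectory(filePath, allowedDir) {
 * These patterns can execute arbitrary code during SSR
 */
 const DANGEROUS_PATTERNS = [
-// JavaScript execution
-
-/
-/
-/
+// JavaScript execution — require expression context (after { ; = or line start)
+// to avoid false positives on prose like "bulk import (CSV...)" or "fetch (data)"
+/(?:^|[{;=,])\s*eval\s*\(/gim,
+/(?:^|[{;=,])\s*Function\s*\(/gim,
+/(?:^|[{;=,])\s*import\s*\(/gim,
+/(?:^|[{;=,])\s*require\s*\(/gim,
 // File system access
 /fs\.[a-z]+/gi,
-/readFile/
-/writeFile/
+/(?:^|[{;=,])\s*readFile/gim,
+/(?:^|[{;=,])\s*writeFile/gim,
 /process\.env/gi,
-// Network requests during SSR
-/fetch\s*\(/
+// Network requests during SSR — require expression context
+/(?:^|[{;=,])\s*fetch\s*\(/gim,
 // Dangerous Node.js modules
 /child_process/gi,
-/exec\s*\(/
-/spawn\s*\(/
+/(?:^|[{;=,])\s*exec\s*\(/gim,
+/(?:^|[{;=,])\s*spawn\s*\(/gim,
 // Script tag injection
 /<script[>\s]/gi,
 /javascript:/gi,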
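Review bot: Every new entry carries the `g` flag (the eval/Function/import/require, readFile/writeFile, fetch, exec/spawn lines), and a module-level `const` regex with `g` keeps its `lastIndex` across calls, so if the scanner (outside this hunk) checks documents with `pattern.test(content)`, a match in one document can make the next document skip its first occurrence — a silent false negative in the security check. Neither the `^` anchor (which only needs `m`) nor `\s*` needs `g`, so I would drop it, e.g. `/(?:^|[{;=,])\s*eval\s*\(/im,` for each new pattern, or reset `pattern.lastIndex = 0` before every test. The `i` flag also makes the `Function` entry match `function (` after `=` or `,`, i.e. ordinary anonymous function expressions, which undercuts the stated false-positive goal. The preceding-token gate `[{;=,]` omits other legitimate expression starts such as `(`, `[`, `:`, `?`, `&&`/`||` and the `return`/`await` keywords, so this narrowing trades false positives for coverage and the header comment should say so, e.g. `* Best-effort denylist: matches only at expression starts; not a substitute for sandboxing or isolating SSR.` The `DANGEROUS_PATTERNS` array is closed outside the hunk.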
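--- a/package/package.json
+++ b/package/package.json
@@ -1,6 +1,6 @@
 {
 "name": "specra",
-"version": "0.2.
+"version": "0.2.11",
 "description": "A modern documentation library for SvelteKit with built-in versioning, API reference generation, full-text search, and MDX support",
 "svelte": "./dist/index.js",
 "types": "./dist/index.d.ts",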