veryfront 0.1.1009 → 0.1.1010
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/esm/deno.js +1 -1
- package/esm/src/routing/api/module-loader/esbuild-plugin.d.ts.map +1 -1
- package/esm/src/routing/api/module-loader/esbuild-plugin.js +15 -6
- package/esm/src/routing/api/module-loader/http-validator.d.ts +1 -0
- package/esm/src/routing/api/module-loader/http-validator.d.ts.map +1 -1
- package/esm/src/routing/api/module-loader/http-validator.js +15 -7
- package/esm/src/utils/version-constant.d.ts +1 -1
- package/esm/src/utils/version-constant.js +1 -1
- package/package.json +1 -1
package/esm/deno.js
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"esbuild-plugin.d.ts","sourceRoot":"","sources":["../../../../../src/src/routing/api/module-loader/esbuild-plugin.ts"],"names":[],"mappings":"AACA,OAAO,EAML,KAAK,eAAe,EAErB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,KAAK,EAAW,MAAM,EAAE,MAAM,sCAAsC,CAAC;
|
|
1
|
+
{"version":3,"file":"esbuild-plugin.d.ts","sourceRoot":"","sources":["../../../../../src/src/routing/api/module-loader/esbuild-plugin.ts"],"names":[],"mappings":"AACA,OAAO,EAML,KAAK,eAAe,EAErB,MAAM,yBAAyB,CAAC;AAGjC,OAAO,KAAK,EAAW,MAAM,EAAE,MAAM,sCAAsC,CAAC;AAQ5E,UAAU,iBAAiB;IACzB,YAAY,EAAE,MAAM,EAAE,CAAC;IACvB,QAAQ,CAAC,EAAE,eAAe,CAAC;IAC3B,UAAU,CAAC,EAAE,MAAM,CAAC;IACpB,MAAM,CAAC,EAAE,OAAO,CAAC;CAClB;AA8GD,wBAAgB,gBAAgB,CAAC,OAAO,EAAE,iBAAiB,GAAG,MAAM,EAAE,GAAG,MAAM,CAsR9E"}
|
|
@@ -2,6 +2,7 @@ import * as dntShim from "../../../../_dnt.shims.js";
|
|
|
2
2
|
import { computeHash, computeIntegrity, createLockfileManager, HTTP_MODULE_FETCH_TIMEOUT_MS, HTTP_NETWORK_CONNECT_TIMEOUT, serverLogger, } from "../../../utils/index.js";
|
|
3
3
|
import { createFileSystem } from "../../../platform/compat/fs.js";
|
|
4
4
|
import * as pathHelper from "../../../platform/compat/path/index.js";
|
|
5
|
+
import { isAllowedRemoteHost } from "./http-validator.js";
|
|
5
6
|
const logger = serverLogger.component("api");
|
|
6
7
|
const HTTP_MODULE_CACHE_DIR = ".veryfront/cache/api-http-imports";
|
|
7
8
|
const HTTP_MODULE_FETCH_MAX_ATTEMPTS = 3;
|
|
@@ -111,15 +112,25 @@ export function createHTTPPlugin(options) {
|
|
|
111
112
|
const name = error.name || "Error";
|
|
112
113
|
return typeof code === "string" && code ? `${name}(${code})` : name;
|
|
113
114
|
}
|
|
115
|
+
function isReadOnlyFileSystemError(error) {
|
|
116
|
+
if (error == null)
|
|
117
|
+
return false;
|
|
118
|
+
const message = error instanceof Error ? error.message : String(error);
|
|
119
|
+
if (/read-only file ?system|os error 30|erofs/i.test(message))
|
|
120
|
+
return true;
|
|
121
|
+
return error instanceof Error && isReadOnlyFileSystemError(error.cause);
|
|
122
|
+
}
|
|
114
123
|
async function persistLockfileEntry(url, entry) {
|
|
115
124
|
if (!lockfile)
|
|
116
125
|
return;
|
|
126
|
+
await lockfile.set(url, entry);
|
|
117
127
|
try {
|
|
118
|
-
await lockfile.set(url, entry);
|
|
119
128
|
await lockfile.flush();
|
|
120
129
|
logger.debug(`[http] lockfile updated: ${url} -> ${entry.resolved}`);
|
|
121
130
|
}
|
|
122
131
|
catch (error) {
|
|
132
|
+
if (!isReadOnlyFileSystemError(error))
|
|
133
|
+
throw error;
|
|
123
134
|
logger.warn(`[http] could not persist lockfile entry for ${url}: ${describePersistenceError(error)}`);
|
|
124
135
|
}
|
|
125
136
|
}
|
|
@@ -177,14 +188,12 @@ export function createHTTPPlugin(options) {
|
|
|
177
188
|
try {
|
|
178
189
|
const u = new URL(args.path);
|
|
179
190
|
if (allowedHosts?.length) {
|
|
180
|
-
|
|
181
|
-
|
|
182
|
-
if (!isAllowed) {
|
|
183
|
-
const remediation = `Add "${hostUrl}" to security.remoteHosts in veryfront.config.(ts|js) or replace with an approved CDN (e.g., https://esm.sh).`;
|
|
191
|
+
if (!isAllowedRemoteHost(u, allowedHosts)) {
|
|
192
|
+
const remediation = `Add "${u.origin}" to security.remoteHosts in veryfront.config.(ts|js) or replace with an approved CDN (e.g., https://esm.sh).`;
|
|
184
193
|
return {
|
|
185
194
|
errors: [
|
|
186
195
|
{
|
|
187
|
-
text: `Remote import blocked by allow-list: ${
|
|
196
|
+
text: `Remote import blocked by allow-list: ${u.origin}. ${remediation}`,
|
|
188
197
|
},
|
|
189
198
|
],
|
|
190
199
|
};
|
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"file":"http-validator.d.ts","sourceRoot":"","sources":["../../../../../src/src/routing/api/module-loader/http-validator.ts"],"names":[],"mappings":"AAEA,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,IAAI,
|
|
1
|
+
{"version":3,"file":"http-validator.d.ts","sourceRoot":"","sources":["../../../../../src/src/routing/api/module-loader/http-validator.ts"],"names":[],"mappings":"AAEA,wBAAgB,mBAAmB,CAAC,GAAG,EAAE,GAAG,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,OAAO,CAQ7E;AAED,wBAAgB,mBAAmB,CAAC,MAAM,EAAE,MAAM,EAAE,YAAY,EAAE,MAAM,EAAE,GAAG,IAAI,CAiChF"}
|
|
@@ -1,4 +1,14 @@
|
|
|
1
1
|
import { createError, toError } from "../../../errors/veryfront-error.js";
|
|
2
|
+
export function isAllowedRemoteHost(url, allowedHosts) {
|
|
3
|
+
return allowedHosts.some((host) => {
|
|
4
|
+
try {
|
|
5
|
+
return new URL(host).origin === url.origin;
|
|
6
|
+
}
|
|
7
|
+
catch (_) {
|
|
8
|
+
return false;
|
|
9
|
+
}
|
|
10
|
+
});
|
|
11
|
+
}
|
|
2
12
|
export function validateHTTPImports(source, allowedHosts) {
|
|
3
13
|
if (!allowedHosts?.length)
|
|
4
14
|
return;
|
|
@@ -9,22 +19,20 @@ export function validateHTTPImports(source, allowedHosts) {
|
|
|
9
19
|
const url = match[0].match(/https?:\/\/[^'"]+/)?.[0];
|
|
10
20
|
if (!url)
|
|
11
21
|
continue;
|
|
12
|
-
let
|
|
22
|
+
let u;
|
|
13
23
|
try {
|
|
14
|
-
|
|
15
|
-
hostUrl = `${u.protocol}//${u.host}`;
|
|
24
|
+
u = new URL(url);
|
|
16
25
|
}
|
|
17
26
|
catch (_) {
|
|
18
27
|
/* expected: URL may be malformed */
|
|
19
28
|
continue;
|
|
20
29
|
}
|
|
21
|
-
|
|
22
|
-
if (isAllowed)
|
|
30
|
+
if (isAllowedRemoteHost(u, allowedHosts))
|
|
23
31
|
continue;
|
|
24
|
-
const remediation = `Add "${
|
|
32
|
+
const remediation = `Add "${u.origin}" to security.remoteHosts in veryfront.config.(ts|js) or replace with an approved CDN (e.g., https://esm.sh).`;
|
|
25
33
|
throw toError(createError({
|
|
26
34
|
type: "api",
|
|
27
|
-
message: `[API] handler build failed: Remote import blocked by allow-list: ${
|
|
35
|
+
message: `[API] handler build failed: Remote import blocked by allow-list: ${u.origin}. ${remediation}`,
|
|
28
36
|
}));
|
|
29
37
|
}
|
|
30
38
|
}
|