zone5 1.6.0 → 1.6.2

package/dist/processor/file.js

@@ -10,12 +10,8 @@ export const sourceFileHash = (sourceBaseDir, sourceFile) => {
     return hash.digest('hex');
 };
 export const ensureDirectoryExists = async (dirPath) => {
-    try {
-        await access(dirPath);
-    }
-    catch {
-        await mkdir(dirPath, { recursive: true });
-    }
+    // mkdir with recursive: true is idempotent - no need to check if dir exists first
+    await mkdir(dirPath, { recursive: true });
 };
 export const fileExists = async (filePath) => {
     try {

package/dist/remark.js

@@ -125,6 +125,28 @@ function collectImageData(images, existingKeys) {
         };
     });
 }
+/**
+ * Validate and sanitize an image URL for safe use in import statements.
+ * Prevents import path injection by ensuring URLs are valid relative paths.
+ */
+function validateImageUrl(url) {
+    // Remove the ?z5 suffix for validation
+    const cleanUrl = url.replace(/\?z5$/, '');
+    // Block URLs with protocol schemes (http:, https:, file:, data:, javascript:, etc.)
+    if (cleanUrl.match(/^[a-zA-Z][a-zA-Z0-9+.-]*:/)) {
+        return false;
+    }
+    // Block URLs with null bytes or other control characters (ASCII 0-31 and 127)
+    // eslint-disable-next-line no-control-regex
+    if (/[\x00-\x1f\x7f]/.test(cleanUrl)) {
+        return false;
+    }
+    // Block URLs that could escape the import statement (quotes, backticks, newlines)
+    if (cleanUrl.match(/['"`\n\r]/)) {
+        return false;
+    }
+    return true;
+}
 /**
  * Generate a unique import key for an image URL
  */
@@ -146,10 +168,18 @@ function generateImportKey(url, existingKeys) {
     return key;
 }
 /**
- * Check if a node is a Zone5 image (ends with ?z5)
+ * Check if a node is a Zone5 image (ends with ?z5) with a valid URL
  */
 function isZ5Image(node) {
-    return node.type === 'image' && typeof node.url === 'string' && node.url.endsWith('?z5');
+    if (node.type !== 'image' || typeof node.url !== 'string' || !node.url.endsWith('?z5')) {
+        return false;
+    }
+    // Security: Validate URL to prevent import path injection
+    if (!validateImageUrl(node.url)) {
+        console.warn(`Zone5: Skipping image with invalid URL: ${node.url}`);
+        return false;
+    }
+    return true;
 }
 /**
  * Check if a paragraph contains only a single Z5 image

package/dist/vite.js

@@ -3,7 +3,7 @@ import { dataToEsm } from '@rollup/pluginutils';
 import mime from 'mime';
 import { createReadStream } from 'node:fs';
 import { cp, readFile, stat } from 'node:fs/promises';
-import { dirname, join } from 'node:path';
+import { dirname, join, resolve } from 'node:path';
 import { load } from './config.js';
 import processor, {} from './processor/index.js';
 const tracer = trace.getTracer('zone5-vite');
@@ -18,7 +18,16 @@ const serve = (basePath, cacheDir) => async (req, res, next) => {
         const [, id] = req.url.split(basePath);
         try {
             const path = decodeURIComponent(id);
-            const src = join(cacheDir, path);
+            const src = resolve(cacheDir, path);
+            // Security: Prevent path traversal attacks by ensuring the resolved path
+            // is within the cache directory
+            const normalizedCacheDir = resolve(cacheDir);
+            if (!src.startsWith(normalizedCacheDir + '/') && src !== normalizedCacheDir) {
+                console.error(`Zone5: Blocked path traversal attempt: ${path}`);
+                res.statusCode = 403;
+                res.end('Forbidden');
+                return;
+            }
             try {
                 const image = createReadStream(src);
                 const stats = await stat(src);

package/package.json

@@ -1,6 +1,6 @@
 {
 	"name": "zone5",
-	"version": "1.6.0",
+	"version": "1.6.2",
 	"repository": {
 		"url": "https://github.com/cwygoda/zone5"
 	},