fix(gatsby-plugin-mdx): don't allow JS frontmatter by default (#35830) (
#35834) Co-authored-by: Ty Hopp <hopp.ty.c@gmail.com> Co-authored-by: Michal Piechowiak <misiek.piechowiak@gmail.com>
1 parent
36f21b0
commit ff94ed5
Showing
29 changed files
with
351 additions
and
21 deletions.
@@ -9,3 +9,4 @@ yarn-error.log | |
|
||
# Cypress output | ||
cypress/videos/ | ||
cypress/screenshots/ |
1 change: 1 addition & 0 deletions
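--- a/e2e-tests/mdx-less-babel/cypress/fixtures/file-to-attempt-rce-on.txt
+++ b/e2e-tests/mdx-less-babel/cypress/fixtures/file-to-attempt-rce-on.txt
@@ -0,0 +1 @@
+Nothing here, do not remove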
29 changes: 29 additions & 0 deletions
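--- a/e2e-tests/mdx-less-babel/cypress/integration/js-frontmatter.js
+++ b/e2e-tests/mdx-less-babel/cypress/integration/js-frontmatter.js
@@ -0,0 +1,29 @@
+describe(`webpack loader`, () => {
+it(`---js frontmatter should not parse by default`, () => {
+cy.visit(`/js-frontmatter`).waitForRouteChange()
+
+// Check frontmatter not parsed in page context
+cy.get(`[data-cy="js-frontmatter"]`).invoke(`text`).should(`eq`, `disabled`)
+})
+
+it(`---javascript frontmatter should not parse by default`, () => {
+cy.visit(`/javascript-frontmatter`).waitForRouteChange()
+
+// Check frontmatter not parsed in page context
+cy.get(`[data-cy="js-frontmatter"]`).invoke(`text`).should(`eq`, `disabled`)
+})
+})
+
+describe(`data layer`, () => {
+it(`---js or ---javascript frontmatter should not parse by default`, () => {
+cy.visit(`/mdx-query-js-frontmatter/`).waitForRouteChange()
+cy.contains(`I should not be parsed`).should("not.exist")
+})
+})
+
+it(`---js and ---javascript frontmatter should not allow remote code execution`, () => {
+cy.readFile(`cypress/fixtures/file-to-attempt-rce-on.txt`).should(
+`eq`,
+`Nothing here, do not remove`
+)
+})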
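Review bot: The fixture check at the bottom of the hunk is a root-level `it` outside both `describe` blocks, and Mocha (which Cypress's runner is built on) runs root-suite tests before nested suites, so as far as I can tell it executes before the three `cy.visit` calls above it. If the `---js`/`---javascript` blocks could only ever be evaluated while the site is built that order is harmless, but if evaluation could happen when a page is requested the fixture would be read before any page was served and the assertion would pass without testing anything. Wrapping it in its own `describe` placed last, or moving the `cy.readFile` assertion after the visits, removes the dependence on suite ordering; a comment such as `// The test pages try to overwrite this fixture from their frontmatter; it must still hold the original text` would also record why the fixture exists. The e2e-tests/mdx copy of this spec has the same layout.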
@@ -0,0 +1,12 @@ | ||
exports.createSchemaCustomization = ({ actions }) => { | ||
const { createTypes } = actions | ||
|
||
createTypes(` | ||
type Mdx implements Node { | ||
frontmatter: Frontmatter | ||
} | ||
type Frontmatter { | ||
title: String | ||
} | ||
`) | ||
} |
16 changes: 16 additions & 0 deletions
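--- a/e2e-tests/mdx-less-babel/src/pages/javascript-frontmatter.mdx
+++ b/e2e-tests/mdx-less-babel/src/pages/javascript-frontmatter.mdx
@@ -0,0 +1,16 @@
+---javascript
+(() => {
+require(`fs`).writeFileSync(`${process.cwd()}/cypress/fixtures/file-to-attempt-rce-on.txt`, (new Error('Helpful stack trace if this does execute. It should not execute.')).stack)
+console.trace()
+return {
+title: `I should not be parsed`
+}
+})()
+
+---
+
+<h1>JS frontmatter engine is disabled by default</h1>
+
+<span data-cy="js-frontmatter">
+{props.pageContext.frontmatter?.title || `disabled`}
+</span>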
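Review bot: Nothing in this test page states how the `---javascript` block, the fixture `cypress/fixtures/file-to-attempt-rce-on.txt` it targets and the Cypress spec that reads that fixture fit together, so a later reader could take the `writeFileSync` call for leftover debugging and remove it, silently weakening the regression test. A short comment in the page body, in whichever comment syntax this MDX version accepts, saying that the block must never be evaluated, that the spec asserts the fixture is unchanged and that the `data-cy` span must keep reading `disabled`, would document the intent. The same applies to the sibling js-frontmatter.mdx page and the posts/frontmatter-engine copies in both e2e projects.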
@@ -0,0 +1,16 @@ | ||
---js | ||
(() => { | ||
require(`fs`).writeFileSync(`${process.cwd()}/cypress/fixtures/file-to-attempt-rce-on.txt`, (new Error('Helpful stack trace if this does execute. It should not execute.')).stack) | ||
console.trace() | ||
return { | ||
title: `I should not be parsed` | ||
} | ||
})() | ||
|
||
--- | ||
|
||
<h1>JS frontmatter engine is disabled by default</h1> | ||
|
||
<span data-cy="js-frontmatter"> | ||
{props.pageContext.frontmatter?.title || `disabled`} | ||
</span> |
30 changes: 30 additions & 0 deletions
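--- a/e2e-tests/mdx-less-babel/src/pages/mdx-query-js-frontmatter.js
+++ b/e2e-tests/mdx-less-babel/src/pages/mdx-query-js-frontmatter.js
@@ -0,0 +1,30 @@
+import React from "react"
+import { graphql } from "gatsby"
+
+export default function PageRunningGraphqlResolversOnJSFrontmatterTestInputs({
+data,
+}) {
+return <pre>{JSON.stringify(data.allMdx.nodes, null, 2)}</pre>
+}
+
+export const query = graphql`
+{
+allMdx(filter: { slug: { glob: "frontmatter-engine/*" } }) {
+nodes {
+frontmatter {
+title
+}
+body
+excerpt
+tableOfContents
+timeToRead
+wordCount {
+paragraphs
+sentences
+words
+}
+mdxAST
+}
+}
+}
+`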
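Review bot: The query in this hunk asks for `body`, `excerpt`, `tableOfContents`, `timeToRead`, `wordCount` and `mdxAST` but nothing in the file says why, and the component name is the only hint that the point is to run every Mdx resolver over the `frontmatter-engine/*` posts; someone trimming "unused" fields would quietly narrow the test. A comment above `export const query` such as `// Request every Mdx field so each resolver runs against the ---js/---javascript test posts; the spec asserts none of them surface the unparsed title` would pin that down. The `JSON.stringify(..., null, 2)` dump presumably exists so `cy.contains` can scan the whole resolved output, which is worth stating in the same comment.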
16 changes: 16 additions & 0 deletions
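--- a/e2e-tests/mdx-less-babel/src/posts/frontmatter-engine/javascript-frontmatter.mdx
+++ b/e2e-tests/mdx-less-babel/src/posts/frontmatter-engine/javascript-frontmatter.mdx
@@ -0,0 +1,16 @@
+---javascript
+(() => {
+require(`fs`).writeFileSync(`${process.cwd()}/cypress/fixtures/file-to-attempt-rce-on.txt`, (new Error('Helpful stack trace if this does execute. It should not execute.')).stack)
+console.trace()
+return {
+title: `I should not be parsed`
+}
+})()
+
+---
+
+<h1>JS frontmatter engine is disabled by default w</h1>
+
+<span data-cy="js-frontmatter">
+{props.pageContext.frontmatter?.title || `disabled`}
+</span>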
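Review bot: The heading in this hunk reads `<h1>JS frontmatter engine is disabled by default w</h1>`; the trailing ` w` looks like a stray keystroke, since the sibling js-frontmatter.mdx post and both page copies read `<h1>JS frontmatter engine is disabled by default</h1>`. The same stray character appears in e2e-tests/mdx/src/posts/frontmatter-engine/javascript-frontmatter.mdx. It does not affect the assertions, which only look at the `data-cy` span and the fixture, but it will end up in `body` and `excerpt` of the queried node.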
16 changes: 16 additions & 0 deletions
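--- a/e2e-tests/mdx-less-babel/src/posts/frontmatter-engine/js-frontmatter.mdx
+++ b/e2e-tests/mdx-less-babel/src/posts/frontmatter-engine/js-frontmatter.mdx
@@ -0,0 +1,16 @@
+---js
+(() => {
+require(`fs`).writeFileSync(`${process.cwd()}/cypress/fixtures/file-to-attempt-rce-on.txt`, (new Error('Helpful stack trace if this does execute. It should not execute.')).stack)
+console.trace()
+return {
+title: `I should not be parsed`
+}
+})()
+
+---
+
+<h1>JS frontmatter engine is disabled by default</h1>
+
+<span data-cy="js-frontmatter">
+{props.pageContext.frontmatter?.title || `disabled`}
+</span>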
@@ -9,3 +9,4 @@ yarn-error.log | |
|
||
# Cypress output | ||
cypress/videos/ | ||
cypress/screenshots/ |
@@ -0,0 +1 @@ | ||
Nothing here, do not remove |
@@ -0,0 +1,29 @@ | ||
describe(`webpack loader`, () => { | ||
it(`---js frontmatter should not parse by default`, () => { | ||
cy.visit(`/js-frontmatter`).waitForRouteChange() | ||
|
||
// Check frontmatter not parsed in page context | ||
cy.get(`[data-cy="js-frontmatter"]`).invoke(`text`).should(`eq`, `disabled`) | ||
}) | ||
|
||
it(`---javascript frontmatter should not parse by default`, () => { | ||
cy.visit(`/javascript-frontmatter`).waitForRouteChange() | ||
|
||
// Check frontmatter not parsed in page context | ||
cy.get(`[data-cy="js-frontmatter"]`).invoke(`text`).should(`eq`, `disabled`) | ||
}) | ||
}) | ||
|
||
describe(`data layer`, () => { | ||
it(`---js or ---javascript frontmatter should not parse by default`, () => { | ||
cy.visit(`/mdx-query-js-frontmatter/`).waitForRouteChange() | ||
cy.contains(`I should not be parsed`).should("not.exist") | ||
}) | ||
}) | ||
|
||
it(`---js and ---javascript frontmatter should not allow remote code execution`, () => { | ||
cy.readFile(`cypress/fixtures/file-to-attempt-rce-on.txt`).should( | ||
`eq`, | ||
`Nothing here, do not remove` | ||
) | ||
}) |
@@ -0,0 +1,16 @@ | ||
---javascript | ||
(() => { | ||
require(`fs`).writeFileSync(`${process.cwd()}/cypress/fixtures/file-to-attempt-rce-on.txt`, (new Error('Helpful stack trace if this does execute. It should not execute.')).stack) | ||
console.trace() | ||
return { | ||
title: `I should not be parsed` | ||
} | ||
})() | ||
|
||
--- | ||
|
||
<h1>JS frontmatter engine is disabled by default</h1> | ||
|
||
<span data-cy="js-frontmatter"> | ||
{props.pageContext.frontmatter?.title || `disabled`} | ||
</span> |
@@ -0,0 +1,16 @@ | ||
---js | ||
(() => { | ||
require(`fs`).writeFileSync(`${process.cwd()}/cypress/fixtures/file-to-attempt-rce-on.txt`, (new Error('Helpful stack trace if this does execute. It should not execute.')).stack) | ||
console.trace() | ||
return { | ||
title: `I should not be parsed` | ||
} | ||
})() | ||
|
||
--- | ||
|
||
<h1>JS frontmatter engine is disabled by default</h1> | ||
|
||
<span data-cy="js-frontmatter"> | ||
{props.pageContext.frontmatter?.title || `disabled`} | ||
</span> |
@@ -0,0 +1,30 @@ | ||
import React from "react" | ||
import { graphql } from "gatsby" | ||
|
||
export default function PageRunningGraphqlResolversOnJSFrontmatterTestInputs({ | ||
data, | ||
}) { | ||
return <pre>{JSON.stringify(data.allMdx.nodes, null, 2)}</pre> | ||
} | ||
|
||
export const query = graphql` | ||
{ | ||
allMdx(filter: { slug: { glob: "frontmatter-engine/*" } }) { | ||
nodes { | ||
frontmatter { | ||
title | ||
} | ||
body | ||
excerpt | ||
tableOfContents | ||
timeToRead | ||
wordCount { | ||
paragraphs | ||
sentences | ||
words | ||
} | ||
mdxAST | ||
} | ||
} | ||
} | ||
` |
16 changes: 16 additions & 0 deletions
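--- a/e2e-tests/mdx/src/posts/frontmatter-engine/javascript-frontmatter.mdx
+++ b/e2e-tests/mdx/src/posts/frontmatter-engine/javascript-frontmatter.mdx
@@ -0,0 +1,16 @@
+---javascript
+(() => {
+require(`fs`).writeFileSync(`${process.cwd()}/cypress/fixtures/file-to-attempt-rce-on.txt`, (new Error('Helpful stack trace if this does execute. It should not execute.')).stack)
+console.trace()
+return {
+title: `I should not be parsed`
+}
+})()
+
+---
+
+<h1>JS frontmatter engine is disabled by default w</h1>
+
+<span data-cy="js-frontmatter">
+{props.pageContext.frontmatter?.title || `disabled`}
+</span>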
16 changes: 16 additions & 0 deletions
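--- a/e2e-tests/mdx/src/posts/frontmatter-engine/js-frontmatter.mdx
+++ b/e2e-tests/mdx/src/posts/frontmatter-engine/js-frontmatter.mdx
@@ -0,0 +1,16 @@
+---js
+(() => {
+require(`fs`).writeFileSync(`${process.cwd()}/cypress/fixtures/file-to-attempt-rce-on.txt`, (new Error('Helpful stack trace if this does execute. It should not execute.')).stack)
+console.trace()
+return {
+title: `I should not be parsed`
+}
+})()
+
+---
+
+<h1>JS frontmatter engine is disabled by default</h1>
+
+<span data-cy="js-frontmatter">
+{props.pageContext.frontmatter?.title || `disabled`}
+</span>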