closes https://github.com/TryGhost/Product/issues/4191
Without this patch, themes can read arbitrary files from your system and
expose them to the internet via the layout feature of express-hbs.
For example `{{!< ../../../../config.production.json}}` would spit out config,
which can contain secrets.
As theme upload is restricted to users with the Admin role, this mostly effects
hosting providers which use their own secret keys for e.g. mail or database config
no issue
- bumped `@tryghost/koenig-lexical` to version that no longer uses negative lookbehind in a regex which wasn't supported in Safari until version 16.4
refs https://github.com/TryGhost/Product/issues/4159
---
<!-- Leave the line below if you'd like GitHub Copilot to generate a
summary from your commit -->
<!--
copilot:summary
-->
### <samp>🤖[[deprecated]](https://githubnext.com/copilot-for-prs-sunset)
Generated by Copilot at 9e68f4d</samp>
This pull request refactors several components in the `admin-x-settings`
app to use common hooks from the `@tryghost/admin-x-framework` package,
which reduces code duplication and improves consistency. It also updates
the `package.json` file and adds unit tests for the `admin-x-framework`
package, which improves the formatting, testing, and dependency
management. Additionally, it makes some minor changes to the `hooks.ts`,
`FrameworkProvider.tsx`, and `.eslintrc.cjs` files in the
`admin-x-framework` package, which enhance the public API and the
linting configuration.
refs https://github.com/TryGhost/DevOps/issues/3
refs b6d8e0192a
- see referenced commit for full context but this should improve the
theme check time for themes with a large number of files and partials
- locally, checking a particularly heavy theme goes from 5s to 1.7s with this
commit, and the improvement is larger on slower machines
fixes GRO-25
Updated @tryghost/nql to 0.12.0 and other packages that depend on it
1. SQLite: when a filter string contains /.
When we use a NQL contain/starts/endsWith filter that contains a slash,
underlyingly the whole filter will get converted to a MongoDB query, in
which we just use a regexp to represent the filter. In here we will
escape the slash: \/ as expected in a regexp. Later when we convert this
MongoDB query back to knex/SQL, we use a SQL LIKE query. Currently we
don't remove the escaping here for a normal slash. MySQL seems to ignore
this (kinda incorrect). SQLite doesn't like it, and this breaks queries
on SQLite that use slashes. The solution here is simple: remove the
backslash escaping when converting the regexp to LIKE, just like we do
with other special regexp characters.
2. We don't escape % and _, which have a special meaning in LIKE queries
Usage of % and _ is now as expected and doesn't have the special SQL
meaning anymore.
closes https://github.com/TryGhost/Product/issues/4133
- we were creating a new JSDOM instance every time we rendered a card which lowered performance because JSDOM instantiation is heavy
- updated Koenig packages to remove the need for passing in an external `createDocument` option method as they now re-use the renderer's internal single instance of JSDOM
no issue
- Currently our stack traces in Production include the admin build
version in the paths, e.g. `/admin/1633/assets` instead of
`admin/assets`
- This confuses the error grouping logic in Sentry, resulting in many
duplicate issues being created every time we release a new version of
admin
- Ultimately, this makes it really difficult to determine if a 'New'
issue in Sentry is actually new, or if it's just the first time we've
seen it in this release.
- This commit adds the `RewriteFrames` integration to the Admin Sentry
client, which will strip the build version from the paths in the stack
traces, and allow Sentry to group issues correctly.
- With this, hopefully we will have far fewer 'New' issues created, so
we can again start alerting on the 'New' condition in Sentry.
