0
Fork 0
mirror of https://github.com/TryGhost/Ghost.git synced 2025-01-20 22:42:53 -05:00
ghost/core/frontend/helpers/ghost_head.js
Fabien O'Carroll b6be89a44f
🔒 Fixed member email change vulnerability
refs https://github.com/TryGhost/Ghost/security/advisories/GHSA-65p7-pjj8-ggmr

This updates the signup/signin flow for members to no longer support the
email address change flow - which had missing authentication. It has
been replaced with a dedicated email change flow, and Portal has been
updated to use it.
2021-09-23 10:46:00 +01:00

205 lines
8.3 KiB
JavaScript

// # Ghost Head Helper
// Usage: `{{ghost_head}}`
//
// Outputs scripts and other assets at the top of a Ghost theme
const {metaData, escapeExpression, SafeString, logging, settingsCache, config, blogIcon, labs, urlUtils} = require('../services/proxy');
const _ = require('lodash');
const debug = require('ghost-ignition').debug('ghost_head');
const templateStyles = require('./tpl/styles');
const getMetaData = metaData.get;
function writeMetaTag(property, content, type) {
type = type || property.substring(0, 7) === 'twitter' ? 'name' : 'property';
return '<meta ' + type + '="' + property + '" content="' + content + '" />';
}
function finaliseStructuredData(meta) {
const head = [];
_.each(meta.structuredData, function (content, property) {
if (property === 'article:tag') {
_.each(meta.keywords, function (keyword) {
if (keyword !== '') {
keyword = escapeExpression(keyword);
head.push(writeMetaTag(property,
escapeExpression(keyword)));
}
});
head.push('');
} else if (content !== null && content !== undefined) {
head.push(writeMetaTag(property,
escapeExpression(content)));
}
});
return head;
}
function getMembersHelper() {
const stripeDirectSecretKey = settingsCache.get('stripe_secret_key');
const stripeDirectPublishableKey = settingsCache.get('stripe_publishable_key');
const stripeConnectAccountId = settingsCache.get('stripe_connect_account_id');
let membersHelper = `<script defer src="https://unpkg.com/@tryghost/portal@~0.16.0/umd/portal.min.js" data-ghost="${urlUtils.getSiteUrl()}"></script>`;
membersHelper += (`<style> ${templateStyles}</style>`);
if ((!!stripeDirectSecretKey && !!stripeDirectPublishableKey) || !!stripeConnectAccountId) {
membersHelper += '<script async src="https://js.stripe.com/v3/"></script>';
}
return membersHelper;
}
/**
* **NOTE**
* Express adds `_locals`, see https://github.com/expressjs/express/blob/4.15.4/lib/response.js#L962.
* But `options.data.root.context` is available next to `root._locals.context`, because
* Express creates a `renderOptions` object, see https://github.com/expressjs/express/blob/4.15.4/lib/application.js#L554
* and merges all locals to the root of the object. Very confusing, because the data is available in different layers.
*
* Express forwards the data like this to the hbs engine:
* {
* post: {}, - res.render('view', databaseResponse)
* context: ['post'], - from res.locals
* safeVersion: '1.x', - from res.locals
* _locals: {
* context: ['post'],
* safeVersion: '1.x'
* }
* }
*
* hbs forwards the data to any hbs helper like this
* {
* data: {
* site: {},
* labs: {},
* config: {},
* root: {
* post: {},
* context: ['post'],
* locals: {...}
* }
* }
*
* `site`, `labs` and `config` are the templateOptions, search for `hbs.updateTemplateOptions` in the code base.
* Also see how the root object gets created, https://github.com/wycats/handlebars.js/blob/v4.0.6/lib/handlebars/runtime.js#L259
*/
// We use the name ghost_head to match the helper for consistency:
module.exports = function ghost_head(options) { // eslint-disable-line camelcase
debug('begin');
// if server error page do nothing
if (options.data.root.statusCode >= 500) {
return;
}
const head = [];
const dataRoot = options.data.root;
const context = dataRoot._locals.context ? dataRoot._locals.context : null;
const safeVersion = dataRoot._locals.safeVersion;
const postCodeInjection = dataRoot && dataRoot.post ? dataRoot.post.codeinjection_head : null;
const tagCodeInjection = dataRoot && dataRoot.tag ? dataRoot.tag.codeinjection_head : null;
const globalCodeinjection = settingsCache.get('codeinjection_head');
const useStructuredData = !config.isPrivacyDisabled('useStructuredData');
const referrerPolicy = config.get('referrerPolicy') ? config.get('referrerPolicy') : 'no-referrer-when-downgrade';
const favicon = blogIcon.getIconUrl();
const iconType = blogIcon.getIconType(favicon);
debug('preparation complete, begin fetch');
/**
* @TODO:
* - getMetaData(dataRoot, dataRoot) -> yes that looks confusing!
* - there is a very mixed usage of `data.context` vs. `root.context` vs `root._locals.context` vs. `this.context`
* - NOTE: getMetaData won't live here anymore soon, see https://github.com/TryGhost/Ghost/issues/8995
* - therefor we get rid of using `getMetaData(this, dataRoot)`
* - dataRoot has access to *ALL* locals, see function description
* - it should not break anything
*/
return getMetaData(dataRoot, dataRoot)
.then(function handleMetaData(meta) {
debug('end fetch');
if (context) {
// head is our main array that holds our meta data
if (meta.metaDescription && meta.metaDescription.length > 0) {
head.push('<meta name="description" content="' + escapeExpression(meta.metaDescription) + '" />');
}
// no output in head if a publication icon is not set
if (settingsCache.get('icon')) {
head.push('<link rel="icon" href="' + favicon + '" type="image/' + iconType + '" />');
}
head.push('<link rel="canonical" href="' +
escapeExpression(meta.canonicalUrl) + '" />');
head.push('<meta name="referrer" content="' + referrerPolicy + '" />');
// don't allow indexing of preview URLs!
if (_.includes(context, 'preview')) {
head.push(writeMetaTag('robots', 'noindex,nofollow', 'name'));
}
// show amp link in post when 1. we are not on the amp page and 2. amp is enabled
if (_.includes(context, 'post') && !_.includes(context, 'amp') && settingsCache.get('amp')) {
head.push('<link rel="amphtml" href="' +
escapeExpression(meta.ampUrl) + '" />');
}
if (meta.previousUrl) {
head.push('<link rel="prev" href="' +
escapeExpression(meta.previousUrl) + '" />');
}
if (meta.nextUrl) {
head.push('<link rel="next" href="' +
escapeExpression(meta.nextUrl) + '" />');
}
if (!_.includes(context, 'paged') && useStructuredData) {
head.push('');
head.push.apply(head, finaliseStructuredData(meta));
head.push('');
if (meta.schema) {
head.push('<script type="application/ld+json">\n' +
JSON.stringify(meta.schema, null, ' ') +
'\n </script>\n');
}
}
if (!_.includes(context, 'amp') && labs.isSet('members')) {
head.push(getMembersHelper());
}
}
head.push('<meta name="generator" content="Ghost ' +
escapeExpression(safeVersion) + '" />');
head.push('<link rel="alternate" type="application/rss+xml" title="' +
escapeExpression(meta.site.title) + '" href="' +
escapeExpression(meta.rssUrl) + '" />');
// no code injection for amp context!!!
if (!_.includes(context, 'amp')) {
if (!_.isEmpty(globalCodeinjection)) {
head.push(globalCodeinjection);
}
if (!_.isEmpty(postCodeInjection)) {
head.push(postCodeInjection);
}
if (!_.isEmpty(tagCodeInjection)) {
head.push(tagCodeInjection);
}
}
debug('end');
return new SafeString(head.join('\n ').trim());
})
.catch(function handleError(err) {
logging.error(err);
// Return what we have so far (currently nothing)
return new SafeString(head.join('\n ').trim());
});
};