mirror of
https://github.com/multica-ai/multica.git
synced 2026-07-05 21:39:54 +02:00
* fix(issues): file-card render for self-host with local storage Fixes #1520. When self-hosting without S3, the upload handler returns site-relative URLs like /uploads/workspaces/<wsId>/<file>. Four frontend regexes only matched https?://, so persisted !file[name](/uploads/...) markdown failed to parse and leaked through as raw text in the issue view, chat, skill file viewer, and board card preview. Narrow allow-list: the relative branch only accepts /uploads/ — not any /-prefixed href — so protocol-relative //evil.com/x, path-traversal /../api/x, and other internal /api/... paths are rejected. Without this, a stored file-card with an attacker-chosen filename and a //host/x href would turn into a one-click external-site jump via window.open from inside an issue (per review feedback on #2349). Single source of truth: packages/ui/markdown/file-cards.ts now exports isAllowedFileCardHref + FILE_CARD_URL_PATTERN. The four sites use one of them, so the next regression is cheaper than restoring four parallel regexes. - packages/ui/markdown/file-cards.ts: helper + URL pattern. - packages/views/editor/extensions/file-card.tsx: Tiptap tokenizer composes from FILE_CARD_URL_PATTERN. - packages/views/editor/readonly-content.tsx: sanitiser uses helper. - packages/ui/markdown/Markdown.tsx: sanitiser uses helper. - packages/views/issues/components/board-card.tsx: strip markdown tokens from the line-clamped board preview so raw !file[...] no longer leaks there either. - packages/ui/markdown/file-cards.test.ts: covers accept (/uploads/ok, https://cdn/x) and reject (javascript:, data:, //evil.com/x, /../api/x, /api/x, empty, ftp:, bare 'uploads/x') for both the helper and the parser composed from the pattern. javascript:, data:, and other dangerous schemes remain rejected. * test(markdown): move file-card href allow-list test into @multica/views Per review feedback on #2349: keep the test where vitest is already running instead of bootstrapping a new test runner inside @multica/ui. The test now lives at packages/views/editor/file-card-href.test.ts and imports isAllowedFileCardHref / FILE_CARD_URL_PATTERN / preprocessFileCards from the @multica/ui/markdown public surface, exercising the same 30 cases. Reverts the @multica/ui package.json test script + vitest devDep + the local vitest.config.ts that the previous commit added; the package goes back to typecheck + lint only, matching every other ui-only package in the monorepo. --------- Co-authored-by: Lalbadshah <11599756+Lalbadshah@users.noreply.github.com>