build filters files outside the root (#103)

* build filters files outside the root
reverts part of #89

fixes #99

* fix tests and test imports of non-existing files

* more tests but I'm not sure if I'm using this correctly

* Update test/input/bar.js

Co-authored-by: Mike Bostock <[email protected]>

* fix test

* fix test, align signatures

* don’t canReadSync in isLocalPath

* syntax error on non-local file path

---------

Co-authored-by: Mike Bostock <[email protected]>

Author: Fil

src/files.ts

@@ -1,30 +1,14 @@
-import {type Stats, accessSync, constants, statSync} from "node:fs";
+import {type Stats} from "node:fs";
 import {mkdir, readdir, stat} from "node:fs/promises";
 import {dirname, extname, join, normalize, relative} from "node:path";
 import {isNodeError} from "./error.js";
 
-// A file is local if it exists in the root folder or a subfolder.
-export function isLocalFile(ref: string | null, root: string): boolean {
-  return (
-    typeof ref === "string" &&
-    !/^(\w+:)\/\//.test(ref) &&
-    !normalize(ref).startsWith("../") &&
-    canReadSync(join(root, ref))
-  );
-}
-
-export function pathFromRoot(ref: string | null, root: string): string | null {
-  return isLocalFile(ref, root) ? join(root, ref!) : null;
-}
-
-function canReadSync(path: string): boolean {
-  try {
-    accessSync(path, constants.R_OK);
-    return statSync(path).isFile();
-  } catch (error) {
-    if (isNodeError(error) && error.code === "ENOENT") return false;
-    throw error;
-  }
+// A path is local if it doesn’t go outside the the root.
+export function getLocalPath(sourcePath: string, name: string): string | null {
+  if (/^(\w+:)\/\//.test(name)) return null; // URL
+  const path = join(dirname(sourcePath.startsWith("/") ? sourcePath.slice("/".length) : sourcePath), name);
+  if (path.startsWith("../")) return null; // goes above root
+  return path;
 }
 
 export async function* visitMarkdownFiles(root: string): AsyncGenerator<string> {

src/javascript/features.ts

@@ -1,4 +1,5 @@
 import {simple} from "acorn-walk";
+import {getLocalPath} from "../files.js";
 import {type Feature} from "../javascript.js";
 import {isLocalImport} from "./imports.js";
 import {syntaxError} from "./syntaxError.js";
@@ -36,7 +37,13 @@ export function findFeatures(node, root, sourcePath, references, input) {
         throw syntaxError(`${callee.name} requires a single literal string argument`, node, input);
       }
 
-      features.push({type: callee.name, name: getStringLiteralValue(arg)});
+      // Forbid file attachments that are not local paths.
+      const value = getStringLiteralValue(arg);
+      if (callee.name === "FileAttachment" && !getLocalPath(sourcePath, value)) {
+        throw syntaxError(`non-local file path: "${value}"`, node, input);
+      }
+
+      features.push({type: callee.name, name: value});
     }
   });
 

src/markdown.ts

@@ -1,5 +1,5 @@
 import {readFile} from "node:fs/promises";
-import {dirname, join} from "node:path";
+import {join} from "node:path";
 import {type Patch, type PatchItem, getPatch} from "fast-array-diff";
 import equal from "fast-deep-equal";
 import matter from "gray-matter";
@@ -11,7 +11,7 @@ import {type RuleInline} from "markdown-it/lib/parser_inline.js";
 import {type RenderRule, type default as Renderer} from "markdown-it/lib/renderer.js";
 import MarkdownItAnchor from "markdown-it-anchor";
 import mime from "mime";
-import {isLocalFile, pathFromRoot} from "./files.js";
+import {getLocalPath} from "./files.js";
 import {computeHash} from "./hash.js";
 import {type FileReference, type ImportReference, type Transpile, transpileJavaScript} from "./javascript.js";
 import {transpileTag} from "./tag.js";
@@ -322,8 +322,8 @@ function normalizePieceHtml(html: string, root: string, sourcePath: string, cont
   const {document} = parseHTML(html);
   for (const element of document.querySelectorAll("link[href]") as any as Iterable<Element>) {
     const href = element.getAttribute("href")!;
-    const path = join(dirname(sourcePath), href);
-    if (isLocalFile(path, root)) {
+    const path = getLocalPath(sourcePath, href);
+    if (path) {
       context.files.push({name: href, mimeType: mime.getType(href)});
       element.setAttribute("href", `/_file/${path}`);
     }
@@ -463,6 +463,6 @@ export function diffMarkdown({parse: prevParse}: ReadMarkdownResult, {parse: nex
 }
 
 export async function readMarkdown(path: string, root: string): Promise<ReadMarkdownResult> {
-  const contents = await readFile(pathFromRoot(path, root)!, "utf-8");
+  const contents = await readFile(join(root, path), "utf-8");
   return {contents, parse: parseMarkdown(contents, root, path), hash: computeHash(contents)};
 }

src/preview.ts

@@ -260,7 +260,7 @@ function handleWatch(socket: WebSocket, options: {root: string; resolver: CellRe
           let {path} = message;
           if (!(path = normalize(path)).startsWith("/")) throw new Error("Invalid path: " + path);
           if (path.endsWith("/")) path += "index";
-          path = path.slice("/".length) + ".md";
+          path += ".md";
           markdownWatcher = watch(join(root, path), await refreshMarkdown(path));
           break;
         }

test/input/bar.js

@@ -0,0 +1 @@
+const bar = Symbol("bar");

test/input/dynamic-import-noent.js

@@ -0,0 +1 @@
+const foo = await import("./noent.js");

test/input/fetch-parent-dir.md

@@ -0,0 +1,36 @@
+# Parent dir
+
+Trying to fetch from the parent directory should fail.
+
+```js
+const fail1 = fetch("../NOENT.md").then(d => d.text())
+```
+
+```js
+const fail2 = FileAttachment("../NOENT.md").text()
+```
+
+```js
+const fail3 = fetch("../README.md").then(d => d.text())
+```
+
+```js
+const fail4 = FileAttachment("../README.md").text()
+```
+
+```js
+const fail5 = fetch("./NOENT.md").then(d => d.text())
+```
+
+```js
+const fail6 = FileAttachment("./NOENT.md").text()
+```
+
+```js
+const ok1 = fetch("./tex-expression.md").then(d => d.text())
+```
+
+```js
+const ok2 = FileAttachment("./tex-expression.md").text()
+```
+

test/input/static-import-noent.js

@@ -0,0 +1,3 @@
+import {foo} from "./noent.js";
+
+display(foo);

test/output/bar.js

@@ -0,0 +1,4 @@
+define({id: "0", outputs: ["bar"], body: () => {
+const bar = Symbol("bar");
+return {bar};
+}});

test/output/dynamic-import-noent.js

@@ -0,0 +1,4 @@
+define({id: "0", outputs: ["foo"], body: async () => {
+const foo = await import("/_import/noent.js");
+return {foo};
+}});

test/output/fetch-parent-dir.html

@@ -0,0 +1,10 @@
+<h1 id="parent-dir" tabindex="-1"><a class="observablehq-header-anchor" href="#parent-dir">Parent dir</a></h1>
+<p>Trying to fetch from the parent directory should fail.</p>
+<div id="cell-7f64da9c" class="observablehq observablehq--block"></div>
+<div id="cell-02cc5429" class="observablehq observablehq--block"></div>
+<div id="cell-506a5b26" class="observablehq observablehq--block"></div>
+<div id="cell-4078d1e8" class="observablehq observablehq--block"></div>
+<div id="cell-4043aea7" class="observablehq observablehq--block"></div>
+<div id="cell-96f2427a" class="observablehq observablehq--block"></div>
+<div id="cell-57d7a0f9" class="observablehq observablehq--block"></div>
+<div id="cell-207b0b42" class="observablehq observablehq--block"></div>

test/output/fetch-parent-dir.json

@@ -0,0 +1,191 @@
+{
+  "data": null,
+  "title": "Parent dir",
+  "files": [
+    {
+      "name": "./NOENT.md",
+      "mimeType": "text/markdown"
+    },
+    {
+      "name": "./NOENT.md",
+      "mimeType": "text/markdown"
+    },
+    {
+      "name": "./tex-expression.md",
+      "mimeType": "text/markdown"
+    },
+    {
+      "name": "./tex-expression.md",
+      "mimeType": "text/markdown"
+    }
+  ],
+  "imports": [],
+  "pieces": [
+    {
+      "type": "html",
+      "id": "",
+      "cellIds": [],
+      "html": "<h1 id=\"parent-dir\" tabindex=\"-1\"><a class=\"observablehq-header-anchor\" href=\"#parent-dir\">Parent dir</a></h1>\n"
+    },
+    {
+      "type": "html",
+      "id": "",
+      "cellIds": [],
+      "html": "<p>Trying to fetch from the parent directory should fail.</p>\n"
+    },
+    {
+      "type": "html",
+      "id": "",
+      "cellIds": [
+        "7f64da9c"
+      ],
+      "html": "<div id=\"cell-7f64da9c\" class=\"observablehq observablehq--block\"></div>\n"
+    },
+    {
+      "type": "html",
+      "id": "",
+      "cellIds": [
+        "02cc5429"
+      ],
+      "html": "<div id=\"cell-02cc5429\" class=\"observablehq observablehq--block\"></div>\n"
+    },
+    {
+      "type": "html",
+      "id": "",
+      "cellIds": [
+        "506a5b26"
+      ],
+      "html": "<div id=\"cell-506a5b26\" class=\"observablehq observablehq--block\"></div>\n"
+    },
+    {
+      "type": "html",
+      "id": "",
+      "cellIds": [
+        "4078d1e8"
+      ],
+      "html": "<div id=\"cell-4078d1e8\" class=\"observablehq observablehq--block\"></div>\n"
+    },
+    {
+      "type": "html",
+      "id": "",
+      "cellIds": [
+        "4043aea7"
+      ],
+      "html": "<div id=\"cell-4043aea7\" class=\"observablehq observablehq--block\"></div>\n"
+    },
+    {
+      "type": "html",
+      "id": "",
+      "cellIds": [
+        "96f2427a"
+      ],
+      "html": "<div id=\"cell-96f2427a\" class=\"observablehq observablehq--block\"></div>\n"
+    },
+    {
+      "type": "html",
+      "id": "",
+      "cellIds": [
+        "57d7a0f9"
+      ],
+      "html": "<div id=\"cell-57d7a0f9\" class=\"observablehq observablehq--block\"></div>\n"
+    },
+    {
+      "type": "html",
+      "id": "",
+      "cellIds": [
+        "207b0b42"
+      ],
+      "html": "<div id=\"cell-207b0b42\" class=\"observablehq observablehq--block\"></div>\n"
+    }
+  ],
+  "cells": [
+    {
+      "type": "cell",
+      "id": "7f64da9c",
+      "outputs": [
+        "fail1"
+      ],
+      "body": "() => {\nconst fail1 = fetch(\"../NOENT.md\").then(d => d.text())\nreturn {fail1};\n}"
+    },
+    {
+      "type": "cell",
+      "id": "02cc5429",
+      "body": "() => { throw new SyntaxError(\"non-local file path: \\\"../NOENT.md\\\" (1:14)\"); }"
+    },
+    {
+      "type": "cell",
+      "id": "506a5b26",
+      "outputs": [
+        "fail3"
+      ],
+      "body": "() => {\nconst fail3 = fetch(\"../README.md\").then(d => d.text())\nreturn {fail3};\n}"
+    },
+    {
+      "type": "cell",
+      "id": "4078d1e8",
+      "body": "() => { throw new SyntaxError(\"non-local file path: \\\"../README.md\\\" (1:14)\"); }"
+    },
+    {
+      "type": "cell",
+      "id": "4043aea7",
+      "outputs": [
+        "fail5"
+      ],
+      "files": [
+        {
+          "name": "./NOENT.md",
+          "mimeType": "text/markdown"
+        }
+      ],
+      "body": "() => {\nconst fail5 = fetch(\"./_file/NOENT.md\").then(d => d.text())\nreturn {fail5};\n}"
+    },
+    {
+      "type": "cell",
+      "id": "96f2427a",
+      "inputs": [
+        "FileAttachment"
+      ],
+      "outputs": [
+        "fail6"
+      ],
+      "files": [
+        {
+          "name": "./NOENT.md",
+          "mimeType": "text/markdown"
+        }
+      ],
+      "body": "(FileAttachment) => {\nconst fail6 = FileAttachment(\"./NOENT.md\").text()\nreturn {fail6};\n}"
+    },
+    {
+      "type": "cell",
+      "id": "57d7a0f9",
+      "outputs": [
+        "ok1"
+      ],
+      "files": [
+        {
+          "name": "./tex-expression.md",
+          "mimeType": "text/markdown"
+        }
+      ],
+      "body": "() => {\nconst ok1 = fetch(\"./_file/tex-expression.md\").then(d => d.text())\nreturn {ok1};\n}"
+    },
+    {
+      "type": "cell",
+      "id": "207b0b42",
+      "inputs": [
+        "FileAttachment"
+      ],
+      "outputs": [
+        "ok2"
+      ],
+      "files": [
+        {
+          "name": "./tex-expression.md",
+          "mimeType": "text/markdown"
+        }
+      ],
+      "body": "(FileAttachment) => {\nconst ok2 = FileAttachment(\"./tex-expression.md\").text()\nreturn {ok2};\n}"
+    }
+  ]
+}

test/output/static-import-noent.js

@@ -0,0 +1,6 @@
+define({id: "0", inputs: ["display"], outputs: ["foo"], body: async (display) => {
+const {foo} = await import("/_import/noent.js");
+
+display(foo);
+return {foo};
+}});