fix(security): disable executable gray-matter frontmatter in commands

2026-03-14 02:17:27 +00:00 · 2026-03-11 22:04:38 +00:00
parent a116b95199
commit b9c902b016
3 changed files with 24 additions and 6 deletions
--- a/server/utils/frontmatter.js
+++ b/server/utils/frontmatter.js
@@ -0,0 +1,18 @@
+import matter from 'gray-matter';
+
+const disabledFrontmatterEngine = () => ({});
+
+const frontmatterOptions = {
+  language: 'yaml',
+  // Disable JS/JSON frontmatter parsing to avoid executable project content.
+  // Mirrors Gatsby's mitigation for gray-matter.
+  engines: {
+    js: disabledFrontmatterEngine,
+    javascript: disabledFrontmatterEngine,
+    json: disabledFrontmatterEngine
+  }
+};
+
+export function parseFrontmatter(content) {
+  return matter(content, frontmatterOptions);
+}