fix: form builder + cms #118
…ght report traces in biome.json
…ld configuration handling
Security Assessment — No High-Confidence Vulnerabilities Found
Reviewed all changes introduced by this PR against the threat checklist. No exploitable vulnerabilities were identified. Findings by area:
content-form.tsx — Recursive injectCustomFieldTypes
The new recursive function walks prop.properties and items.properties to inject CMS-specific field components (file upload, relation picker). The recursion is bounded by the JSON Schema structure, which originates from the server-side content type configuration (a trusted, admin-controlled source). No user-supplied input directly drives the recursion depth, and JSON.parse cannot produce circular references, so stack-overflow DoS is not a realistic concern. The prop.fieldType and prop.relation values read from the schema are used only to select which React component to render — not to execute code or build queries — so there is no injection path here.
helpers.tsx — Array-item recursion in buildFieldConfigFromJsonSchema
The new items.properties branch mirrors the existing nested-object branch. The reservedProps guard prevents item-level property names from clobbering parent-level config (e.g., description, label, fieldType). The cast value.items as JsonSchemaProperty is safe because an array-typed items (tuple schema) would have no .properties, causing the block to silently skip — no security consequence.
inverse-relations-panel.tsx — humanizeFieldName / ambiguous
humanizeFieldName performs pure regex string transformations (strip trailing Id/Ids, split camelCase) on relation.fieldName, a server-supplied field name. The result is rendered as plain React text content — not as HTML — so there is no XSS vector. The pre-existing URL construction in handleAddNew (prefill_${relation.fieldName}=${itemId}) does not URL-encode its components; however, relation.fieldName is a schema-level identifier controlled by the application developer, and itemId is typically a UUID or opaque key. This pattern predates this PR and is a low-severity hardening opportunity rather than a new vulnerability.
New @btst/stack/plugins/blog/client/components export
Re-exports existing internal components (PostCard, PostsList, etc.) at a new public entry point. No new attack surface is introduced — these components were already reachable at runtime; only their TypeScript import path changes.
biome.json lint ignore
Adds !**/playwright-report-codegen/trace/** to the lint-ignore list. This is a tooling change and has no security impact.
Summary: All diff changes are constrained to client-side rendering logic driven by server-controlled schema data. No injection, authentication/authorization, secrets, XSS, SSRF, or supply-chain risks were introduced.
Sent by Cursor Automation: Find vulnerabilities
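The review above flags the unencoded `prefill_${relation.fieldName}=${itemId}` query construction as a hardening opportunity. The following TypeScript is an added example, not code from this PR or from @btst/stack: it places the template-string pattern the review describes next to a hardened version that validates the schema-level identifier against an allowlist and lets URLSearchParams percent-encode the value. The function names, the `Relation` shape and the sample values are assumptions.

```typescript
// Added example (not the PR's handleAddNew). Relation, buildPrefillUrlUnsafe,
// buildPrefillUrl and readPrefill are hypothetical names chosen for illustration.
interface Relation {
  fieldName: string; // schema-level identifier, developer-controlled
}

// The pattern described in the review: plain interpolation, nothing encoded.
function buildPrefillUrlUnsafe(basePath: string, relation: Relation, itemId: string): string {
  return `${basePath}?prefill_${relation.fieldName}=${itemId}`;
}

// A fieldName is a property key, so anything outside this shape is a bug
// rather than legitimate input; fail loudly instead of emitting it.
const IDENT = /^[A-Za-z_][A-Za-z0-9_]*$/;

// Hardened form: allowlist the key, percent-encode the value.
function buildPrefillUrl(basePath: string, relation: Relation, itemId: string): string {
  if (!IDENT.test(relation.fieldName)) {
    throw new Error(`invalid relation field name: ${JSON.stringify(relation.fieldName)}`);
  }
  const params = new URLSearchParams();
  params.set(`prefill_${relation.fieldName}`, itemId);
  return `${basePath}?${params.toString()}`;
}

// Parse the URL the way the receiving page's router would (fragment
// stripped, '&' treated as a separator) so the round trip can be checked.
function readPrefill(url: string, fieldName: string): string | null {
  return new URL(url, "http://localhost").searchParams.get(`prefill_${fieldName}`);
}

// Constructed sample: an itemId that is not an opaque key. With the unsafe
// builder the '&' smuggles in a second prefill parameter and the '#' drops
// everything after it; the hardened builder keeps it as one opaque value.
const SAMPLE_RELATION: Relation = { fieldName: "authorId" };
const SAMPLE_ITEM_ID = "42&prefill_status=published#x";

function demo(): { unsafeAuthor: string | null; unsafeStatus: string | null; safeAuthor: string | null; safeStatus: string | null } {
  const unsafe = buildPrefillUrlUnsafe("/admin/posts/new", SAMPLE_RELATION, SAMPLE_ITEM_ID);
  const safe = buildPrefillUrl("/admin/posts/new", SAMPLE_RELATION, SAMPLE_ITEM_ID);
  return {
    unsafeAuthor: readPrefill(unsafe, "authorId"),
    unsafeStatus: readPrefill(unsafe, "status"),
    safeAuthor: readPrefill(safe, "authorId"),
    safeStatus: readPrefill(safe, "status"),
  };
}
```

Whether a caller can ever reach `handleAddNew` with a non-opaque `itemId` depends on the content types configured in a given deployment, which is why the review rates it as hardening rather than a vulnerability; the encoded form costs nothing and removes the question.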
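The review also describes the `items.properties` recursion and the reserved-property guard in helpers.tsx. As an added illustration (not the PR's `buildFieldConfigFromJsonSchema`, and not code from @btst/stack), the walker below shows the two safeguards a reviewer would want to see in that shape of code: item-level property names that collide with config keys are skipped with a warning instead of clobbering the parent, a tuple-style `items` array is skipped rather than cast, and a depth cap turns a pathological schema into a warning instead of a deep recursion. The `JsonSchemaProperty` shape, the reserved-key list, the cap and the sample schema are all assumptions.

```typescript
// Added example; hypothetical types and names modelled on the review text.
interface JsonSchemaProperty {
  type?: string;
  label?: string;
  description?: string;
  fieldType?: string;
  placeholder?: string;
  properties?: Record<string, JsonSchemaProperty>;
  items?: JsonSchemaProperty | JsonSchemaProperty[]; // object schema or tuple
}

// Config is flattened: meta keys and child field configs share one object,
// which is exactly why a child named "description" must not be written through.
type FieldConfig = Record<string, unknown>;

const META_KEYS = ["label", "description", "fieldType", "placeholder"] as const;
const RESERVED = new Set<string>(META_KEYS);
const MAX_DEPTH = 32; // assumed cap; schemas come from admin config, so this is belt-and-braces

function buildFieldConfig(prop: JsonSchemaProperty, warnings: string[], path = "$", depth = 0): FieldConfig {
  const cfg: FieldConfig = {};
  for (const key of META_KEYS) {
    const v = prop[key];
    if (v !== undefined) cfg[key] = v;
  }
  if (depth >= MAX_DEPTH) {
    warnings.push(`${path}: nesting deeper than ${MAX_DEPTH}, not descending`);
    return cfg;
  }
  // Nested object -> properties; array of objects -> items.properties;
  // tuple items (an array) have no .properties and are skipped.
  let children: Record<string, JsonSchemaProperty> | undefined;
  if (prop.properties) children = prop.properties;
  else if (prop.items && !Array.isArray(prop.items)) children = prop.items.properties;
  if (!children) return cfg;
  for (const [name, child] of Object.entries(children)) {
    if (RESERVED.has(name)) {
      warnings.push(`${path}.${name}: property name collides with a reserved config key, skipped`);
      continue;
    }
    cfg[name] = buildFieldConfig(child, warnings, `${path}.${name}`, depth + 1);
  }
  return cfg;
}

// Constructed sample schema: an array of objects whose items carry a file
// field and a property named like a reserved key, plus a tuple-typed array.
const SAMPLE_SCHEMA: JsonSchemaProperty = {
  type: "object",
  properties: {
    title: { type: "string", placeholder: "Post title" },
    sections: {
      type: "array",
      label: "Sections",
      items: {
        type: "object",
        properties: {
          heading: { type: "string", placeholder: "Section heading" },
          image: { type: "string", fieldType: "file" },
          description: { type: "string" }, // collides with the meta key
        },
      },
    },
    coords: { type: "array", items: [{ type: "number" }, { type: "number" }] },
  },
};

function buildSampleConfig(): { config: FieldConfig; warnings: string[] } {
  const warnings: string[] = [];
  const config = buildFieldConfig(SAMPLE_SCHEMA, warnings);
  return { config, warnings };
}
```

The warning rather than a throw matches the behaviour the Bugbot summary attributes to the PR ("safeguards/warnings for reserved key collisions"); whether a collision should instead fail the build is a product decision, but it should never silently overwrite the parent's label or field type.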
✅ Shadcn registry updated — registry JSON files were rebuilt and committed to this branch.


Checklist
- pnpm build passes
- pnpm typecheck passes
- pnpm lint passes
- …docs/content/docs/) if consumer-facing types or behavior changed
Note
Medium Risk
Changes the CMS auto-form field-config generation and nested field-type injection (including arrays-of-objects), which can affect how existing admin forms render and validate. Also tweaks inverse-relation UI labeling and adds new public blog client exports, with moderate integration surface area.
Overview
Improves CMS auto-form support for arrays of objects by recursively propagating per-item .meta() config (placeholders, fieldType, custom field components) from JSON Schema items.properties, with safeguards/warnings for reserved FieldConfigItem key collisions and new unit coverage. Updates CMS ContentForm to inject built-in file and relation components at any nesting depth (including inside array items), and tweaks the inverse-relations panel to disambiguate duplicate source-type sections by appending a humanized field name. Exposes additional blog client UI building blocks (e.g. PostCard, PostsList, TagsList, skeletons, navigation, carousel) via a new @btst/stack/plugins/blog/client/components export, bumps @btst/stack to 2.11.5, and extends tooling/docs to cover repeating groups plus ignore generated Playwright codegen traces.
Reviewed by Cursor Bugbot for commit 4da908f.