fix: disable javascript execution in frontmatter (#1396)

## 🧰 Changes

Javascript execution in frontmatter could lead to security problems, so
disable it

## 🧬 QA & Testing

See tests. I verified that they fail without this patch applied:

```
 FAIL  __tests__/lib/frontmatter.test.ts > #readPage > should not execute JavaScript in frontmatter (RCE prevention)
AssertionError: expected { Object (title, malicious) } to deeply equal {}

- Expected
+ Received

- {}
+ {
+   "malicious": "executed",
+   "title": "Test",
+ }
+
+
```

Author: llimllib

__tests__/lib/frontmatter.test.ts

@@ -13,6 +13,7 @@ import DocsUploadCommand from '../../src/commands/docs/upload.js';
 import RefUploadCommand from '../../src/commands/reference/upload.js';
 import { fix, writeFixes } from '../../src/lib/frontmatter.js';
 import { emptyMappings, fetchSchema } from '../../src/lib/readmeAPIFetch.js';
+import { readPage } from '../../src/lib/readPage.js';
 import { setupOclifConfig } from '../helpers/oclif.js';
 
 describe.each([
@@ -350,3 +351,63 @@ describe('#writeFixes', () => {
     });
   });
 });
+
+describe('#readPage', () => {
+  let command: DocsUploadCommand;
+
+  beforeEach(async () => {
+    const oclifConfig = await setupOclifConfig();
+    command = new DocsUploadCommand([], oclifConfig);
+  });
+
+  afterEach(() => {
+    vi.restoreAllMocks();
+  });
+
+  it('should not execute JavaScript in frontmatter', () => {
+    const maliciousContent = `---js
+{
+  title: "Test",
+  malicious: (function() { 
+    // This should never execute
+    return "executed"; 
+  })()
+}
+---
+
+# Page content`;
+
+    const testFilePath = 'test-malicious.md';
+
+    // Mock the file system to return our malicious content
+    vi.spyOn(fs, 'readFileSync').mockReturnValue(maliciousContent);
+
+    const result = readPage.call(command, testFilePath);
+
+    // The data should be empty because we disabled the javascript engine
+    // by providing a parse function that returns an empty object
+    expect(result.data).toEqual({});
+    expect(result.content).toContain('# Page content');
+  });
+
+  it('should still parse regular YAML frontmatter', () => {
+    const normalContent = `---
+title: "Normal Page"
+category: some-category
+---
+
+# Page content`;
+
+    const testFilePath = 'test-normal.md';
+
+    vi.spyOn(fs, 'readFileSync').mockReturnValue(normalContent);
+
+    const result = readPage.call(command, testFilePath);
+
+    expect(result.data).toEqual({
+      title: 'Normal Page',
+      category: 'some-category',
+    });
+    expect(result.content).toContain('# Page content');
+  });
+});

src/lib/readPage.ts

@@ -60,7 +60,13 @@ export function readPage(
   // by default, grayMatter maintains a buggy cache with the page data,
   // so we pass an empty object as second argument to avoid it entirely
   // (so far we've seen this issue crop up in tests)
-  const matter = grayMatter(rawFileContents, {});
+  const matter = grayMatter(rawFileContents, {
+    // disable the javascript engine, which is a built-in RCE
+    //
+    // * @see https://github.com/readmeio/rdme/security/advisories/GHSA-f65r-8r74-m6v5
+    // * @see https://github.com/jonschlinkert/gray-matter/issues/131#issuecomment-3566662412
+    engines: { javascript: { parse: () => ({}) } },
+  });
   const { content, data } = matter;
   this.debug(`frontmatter for ${filePath}: ${JSON.stringify(matter)}`);