vndangkhoa/open-design
1
0
Fork 0
mirror of https://github.com/nexu-io/open-design.git synced 2026-05-31 19:04:39 +07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

fix(daemon): reject unsafe plugin manifest names (#2757)

Browse source 
Co-authored-by: Zerocracy Assistant <zerocracy-assistant@example.com>
This commit is contained in:
999axel999 2026-05-23 11:53:39 +07:00 committed by GitHub
parent a37d11fe72
commit db90cb0bdb
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
2 changed files with 40 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

7
apps/daemon/src/server.ts
View file

@ -1778,6 +1778,11 @@ async function readProjectPluginManifest(folder) {
const name = typeof manifest.name === 'string' && manifest.name.trim()
? manifest.name.trim()
: path.basename(folder);
if (/[/\\]/.test(name) || /^\.+$/.test(name)) {
throw new Error(
`open-design.json in ${folder}: name "${name}" must not contain path separators or consist only of dots`,
);
}
return {
name,
title: typeof manifest.title === 'string' ? manifest.title : name,
@ -1786,6 +1791,8 @@ async function readProjectPluginManifest(folder) {
};
}
export const __forTestReadProjectPluginManifest = readProjectPluginManifest;
function githubRepoNameFromPluginName(name) {
const slug = String(name)
.toLowerCase()

33
apps/daemon/tests/project-plugin-manifest.test.ts Normal file
View file

@ -0,0 +1,33 @@
import { mkdtemp, rm, writeFile } from 'node:fs/promises';
import { tmpdir } from 'node:os';
import path from 'node:path';
import { describe, expect, it } from 'vitest';
import { __forTestReadProjectPluginManifest } from '../src/server.js';
describe('readProjectPluginManifest', () => {
async function withManifest(name: string, fn: (folder: string) => Promise<void>) {
const folder = await mkdtemp(path.join(tmpdir(), 'od-plugin-manifest-'));
try {
await writeFile(path.join(folder, 'open-design.json'), JSON.stringify({ name }), 'utf8');
await fn(folder);
} finally {
await rm(folder, { recursive: true, force: true });
}
}
it.each(['../evil', '..\\\\evil', '.', '..'])('rejects unsafe manifest name %s', async (name) => {
await withManifest(name, async (folder) => {
await expect(__forTestReadProjectPluginManifest(folder)).rejects.toThrow(
/must not contain path separators or consist only of dots/,
);
});
});
it('allows ordinary plugin names with dots', async () => {
await withManifest('my-plugin.v2', async (folder) => {
await expect(__forTestReadProjectPluginManifest(folder)).resolves.toMatchObject({
name: 'my-plugin.v2',
});
});
});
});