fix npm view exploits

Martin Aeschlimann 2023-08-22 12:42:30 +02:00 committed by Christof Marti
parent 8f12a39b62
commit 21276bad51
2 changed files with 6 additions and 5 deletions


@ -252,11 +252,12 @@ export class PackageJSONContribution implements IJSONContribution {
} }
private isValidNPMName(name: string): boolean { private isValidNPMName(name: string): boolean {
// following rules from https://github.com/npm/validate-npm-package-name // following rules from https://github.com/npm/validate-npm-package-name,
if (!name || name.length > 214 || name.match(/^[_.]/)) { // leading slash added as additional security measure
if (!name || name.length > 214 || name.match(/^[-_.\s]/)) {
return false; return false;
} }
const match = name.match(/^(?:@([^/]+?)[/])?([^/]+?)$/); const match = name.match(/^(?:@([^/~\s)('!*]+?)[/])?([^/~)('!*\s]+?)$/);
if (match) { if (match) {
const scope = match[1]; const scope = match[1];
if (scope && encodeURIComponent(scope) !== scope) { if (scope && encodeURIComponent(scope) !== scope) {
@ -284,7 +285,7 @@ export class PackageJSONContribution implements IJSONContribution {
private npmView(npmCommandPath: string, pack: string, resource: Uri | undefined): Promise<ViewPackageInfo | undefined> { private npmView(npmCommandPath: string, pack: string, resource: Uri | undefined): Promise<ViewPackageInfo | undefined> {
return new Promise((resolve, _reject) => { return new Promise((resolve, _reject) => {
const args = ['view', '--json', pack, 'description', 'dist-tags.latest', 'homepage', 'version', 'time']; const args = ['view', '--json', '--', pack, 'description', 'dist-tags.latest', 'homepage', 'version', 'time'];
const cwd = resource && resource.scheme === 'file' ? dirname(resource.fsPath) : undefined; const cwd = resource && resource.scheme === 'file' ? dirname(resource.fsPath) : undefined;
cp.execFile(npmCommandPath, args, { cwd }, (error, stdout) => { cp.execFile(npmCommandPath, args, { cwd }, (error, stdout) => {
if (!error) { if (!error) {
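Review bot: The new comment above the isValidNPMName guard says "leading slash", but the character class `/^[-_.\s]/` rejects a leading hyphen (and whitespace), not a slash; it should read `// leading '-' and whitespace rejected so the name can never be read as an npm option`. The scope/name regex on the next changed line is a denylist of exactly the characters encodeURIComponent leaves unescaped, so if the name is also compared against encodeURIComponent past the hunk (as the scope is on the visible line) the accepted set collapses to `[A-Za-z0-9._-]`, and a positive class such as `/^(?:@([A-Za-z0-9._-]+)\/)?([A-Za-z0-9._-]+)$/` would state that intent directly instead of relying on two checks agreeing. This matters because the `--` added in npmView stops npm's own option parsing, but `npm.cmd` on win32 (resolved in the second file) is a batch script that execFile runs through cmd.exe, so the name validation rather than `--` is what keeps shell metacharacters out of that command line. isValidNPMName's body continues outside the hunk.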


@ -97,7 +97,7 @@ export async function activate(context: vscode.ExtensionContext): Promise<void>
} }
async function getNPMCommandPath(): Promise<string | undefined> { async function getNPMCommandPath(): Promise<string | undefined> {
if (canRunNpmInCurrentWorkspace()) { if (vscode.workspace.isTrusted && canRunNpmInCurrentWorkspace()) {
try { try {
return await which(process.platform === 'win32' ? 'npm.cmd' : 'npm'); return await which(process.platform === 'win32' ? 'npm.cmd' : 'npm');
} catch (e) { } catch (e) {
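Review bot: The new `vscode.workspace.isTrusted` gate in getNPMCommandPath has no comment explaining why npm must not be spawned from an untrusted workspace, and the reason is not visible here: npmView runs npm with cwd set to the resource's directory, where npm reads a project-level .npmrc. Suggest `// Only resolve npm in trusted workspaces: npmView runs it with a workspace folder as cwd, so an untrusted repository could influence the invocation through its own npm configuration`. If the caller caches the returned path, a workspace that becomes trusted later in the session will keep the undefined result until it is re-resolved; worth confirming against activate, which starts before the hunk. The function's catch clause continues past the hunk.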