fix npm view exploits
This commit is contained in:
parent
8f12a39b62
commit
21276bad51
|
@ -252,11 +252,12 @@ export class PackageJSONContribution implements IJSONContribution {
|
||||||
}
|
}
|
||||||
|
|
||||||
private isValidNPMName(name: string): boolean {
|
private isValidNPMName(name: string): boolean {
|
||||||
// following rules from https://github.com/npm/validate-npm-package-name
|
// following rules from https://github.com/npm/validate-npm-package-name,
|
||||||
if (!name || name.length > 214 || name.match(/^[_.]/)) {
|
// leading slash added as additional security measure
|
||||||
|
if (!name || name.length > 214 || name.match(/^[-_.\s]/)) {
|
||||||
return false;
|
return false;
|
||||||
}
|
}
|
||||||
const match = name.match(/^(?:@([^/]+?)[/])?([^/]+?)$/);
|
const match = name.match(/^(?:@([^/~\s)('!*]+?)[/])?([^/~)('!*\s]+?)$/);
|
||||||
if (match) {
|
if (match) {
|
||||||
const scope = match[1];
|
const scope = match[1];
|
||||||
if (scope && encodeURIComponent(scope) !== scope) {
|
if (scope && encodeURIComponent(scope) !== scope) {
|
||||||
|
@ -284,7 +285,7 @@ export class PackageJSONContribution implements IJSONContribution {
|
||||||
|
|
||||||
private npmView(npmCommandPath: string, pack: string, resource: Uri | undefined): Promise<ViewPackageInfo | undefined> {
|
private npmView(npmCommandPath: string, pack: string, resource: Uri | undefined): Promise<ViewPackageInfo | undefined> {
|
||||||
return new Promise((resolve, _reject) => {
|
return new Promise((resolve, _reject) => {
|
||||||
const args = ['view', '--json', pack, 'description', 'dist-tags.latest', 'homepage', 'version', 'time'];
|
const args = ['view', '--json', '--', pack, 'description', 'dist-tags.latest', 'homepage', 'version', 'time'];
|
||||||
const cwd = resource && resource.scheme === 'file' ? dirname(resource.fsPath) : undefined;
|
const cwd = resource && resource.scheme === 'file' ? dirname(resource.fsPath) : undefined;
|
||||||
cp.execFile(npmCommandPath, args, { cwd }, (error, stdout) => {
|
cp.execFile(npmCommandPath, args, { cwd }, (error, stdout) => {
|
||||||
if (!error) {
|
if (!error) {
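Review bot: The `--` inserted before `pack` stops npm from treating a flag-shaped name as an option, but npmView itself still does no validation of `pack`, so the call is only safe if every caller has already run the name through isValidNPMName; that precondition deserves a comment above the `args` line, e.g. `// pack must already have passed isValidNPMName: '--' only defeats option parsing, not shell metacharacters`. On Windows `npmCommandPath` resolves to `npm.cmd` (see getNPMCommandPath in the other hunk), and a `.cmd` file is presumably executed through cmd.exe, where `--` gives no protection against metacharacters in the arguments; as far as I know, Node releases carrying the CVE-2024-27980 fix also refuse to spawn `.cmd` files without `shell: true`, so this path is worth verifying on Windows. The body of npmView continues beyond the hunk.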
|
||||||
|
|
|
@ -97,7 +97,7 @@ export async function activate(context: vscode.ExtensionContext): Promise<void>
|
||||||
}
|
}
|
||||||
|
|
||||||
async function getNPMCommandPath(): Promise<string | undefined> {
|
async function getNPMCommandPath(): Promise<string | undefined> {
|
||||||
if (canRunNpmInCurrentWorkspace()) {
|
if (vscode.workspace.isTrusted && canRunNpmInCurrentWorkspace()) {
|
||||||
try {
|
try {
|
||||||
return await which(process.platform === 'win32' ? 'npm.cmd' : 'npm');
|
return await which(process.platform === 'win32' ? 'npm.cmd' : 'npm');
|
||||||
} catch (e) {
|
} catch (e) {
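Review bot: `vscode.workspace.isTrusted` is read once, at the moment getNPMCommandPath runs; if its result is stored at activation (the call site is outside this hunk), a workspace that is trusted later in the session will keep npm disabled until the window is reloaded, and a listener on `vscode.workspace.onDidGrantWorkspaceTrust` that re-resolves the path would close that gap. The reason for the gate is also worth stating, since a reader may assume `which` is the risky part rather than the later `execFile` with the workspace as cwd: `// never spawn npm for an untrusted workspace: it runs with the workspace as cwd and presumably honours a repository-controlled .npmrc`. getNPMCommandPath's try/catch continues past the end of the hunk.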
|
||||||
|
|