fix npm view exploits
parent
8f12a39b62
commit
21276bad51
|
@ -252,11 +252,12 @@ export class PackageJSONContribution implements IJSONContribution {
|
|||
}
|
||||
|
||||
private isValidNPMName(name: string): boolean {
|
||||
// following rules from https://github.com/npm/validate-npm-package-name
|
||||
if (!name || name.length > 214 || name.match(/^[_.]/)) {
|
||||
// following rules from https://github.com/npm/validate-npm-package-name,
|
||||
// leading slash added as additional security measure
|
||||
if (!name || name.length > 214 || name.match(/^[-_.\s]/)) {
|
||||
return false;
|
||||
}
|
||||
const match = name.match(/^(?:@([^/]+?)[/])?([^/]+?)$/);
|
||||
const match = name.match(/^(?:@([^/~\s)('!*]+?)[/])?([^/~)('!*\s]+?)$/);
|
||||
if (match) {
|
||||
const scope = match[1];
|
||||
if (scope && encodeURIComponent(scope) !== scope) {
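Review bot: The new comment line says "leading slash added as additional security measure", but the character class on the line below gained `-` and `\s`, not `/`; the comment should describe what the regex actually rejects, e.g. `// leading dash and whitespace are also rejected so a name can never be parsed as an npm option`. The characters `~)('!*` added to the scope/name regex are likewise undocumented; a one-line note that they are rejected because npm itself disallows them in package names would help the next maintainer understand why the class differs from the upstream rules linked above. The `name.match(...)` in the `if` is used only as a boolean, so `/^[-_.\s]/.test(name)` would read more clearly and avoid allocating a match array. The body of `isValidNPMName` continues past the hunk, so whether the encodeURIComponent check applied to `scope` is also applied to the unscoped name cannot be confirmed from here.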
|
||||
|
@ -284,7 +285,7 @@ export class PackageJSONContribution implements IJSONContribution {
|
|||
|
||||
private npmView(npmCommandPath: string, pack: string, resource: Uri | undefined): Promise<ViewPackageInfo | undefined> {
|
||||
return new Promise((resolve, _reject) => {
|
||||
const args = ['view', '--json', pack, 'description', 'dist-tags.latest', 'homepage', 'version', 'time'];
|
||||
const args = ['view', '--json', '--', pack, 'description', 'dist-tags.latest', 'homepage', 'version', 'time'];
|
||||
const cwd = resource && resource.scheme === 'file' ? dirname(resource.fsPath) : undefined;
|
||||
cp.execFile(npmCommandPath, args, { cwd }, (error, stdout) => {
|
||||
if (!error) {
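Review bot: The `--` inserted into `args` carries a non-obvious security intent and deserves a comment on that line, e.g. `// '--' ends npm's option parsing so a package name can never be interpreted as a flag`. Note that this is a second line of defence only: `execFile` with an argument array (two lines below) already avoids shell interpretation, and the validated-name check in `isValidNPMName` is expected to be the primary guard, though the caller that performs it is outside this hunk. The `_reject` callback is never used in the visible lines, so on an `execFile` error the promise presumably resolves with `undefined` rather than rejecting; if that is the intended contract, a TSDoc `@returns undefined when npm fails or reports an error` on `npmView` would make it explicit. The callback body continues beyond the hunk.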
|
||||
|
|
|
@ -97,7 +97,7 @@ export async function activate(context: vscode.ExtensionContext): Promise<void>
|
|||
}
|
||||
|
||||
async function getNPMCommandPath(): Promise<string | undefined> {
|
||||
if (canRunNpmInCurrentWorkspace()) {
|
||||
if (vscode.workspace.isTrusted && canRunNpmInCurrentWorkspace()) {
|
||||
try {
|
||||
return await which(process.platform === 'win32' ? 'npm.cmd' : 'npm');
|
||||
} catch (e) {
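Review bot: The `vscode.workspace.isTrusted` gate is read only at the moment `getNPMCommandPath` is called, so whether a workspace that becomes trusted after activation ever gets npm resolved depends on the caller re-invoking this function rather than caching its first result; the call site in `activate` is outside this hunk, so that cannot be verified here. A TSDoc comment on the function would document the new contract: `/** Resolves the npm executable, but only in a trusted workspace where npm may run; returns undefined otherwise. */`. The `catch (e)` at the end of the hunk opens a handler whose body is not visible; if it swallows the `which` failure silently, a log line with context would aid troubleshooting when npm is missing from PATH.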
|
||||
|
|