From e7b339721792056cee11c11afc69df71a0a85d59 Mon Sep 17 00:00:00 2001
From: Martin Aeschlimann
Date: Tue, 22 Aug 2023 12:42:30 +0200
Subject: [PATCH] fix npm view exploits
---
extensions/npm/src/features/packageJSONContribution.ts | 9 +++++----
extensions/npm/src/npmMain.ts | 2 +-
2 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/extensions/npm/src/features/packageJSONContribution.ts b/extensions/npm/src/features/packageJSONContribution.ts
index 5a9250d97def4..f231837167321 100644
--- a/extensions/npm/src/features/packageJSONContribution.ts
+++ b/extensions/npm/src/features/packageJSONContribution.ts
@@ -252,11 +252,12 @@ export class PackageJSONContribution implements IJSONContribution {
 }
 
 private isValidNPMName(name: string): boolean {
- // following rules from https://github.com/npm/validate-npm-package-name
- if (!name || name.length > 214 || name.match(/^[_.]/)) {
+ // following rules from https://github.com/npm/validate-npm-package-name,
+ // leading slash added as additional security measure
+ if (!name || name.length > 214 || name.match(/^[-_.\s]/)) {
 return false;
 }
- const match = name.match(/^(?:@([^/]+?)[/])?([^/]+?)$/);
+ const match = name.match(/^(?:@([^/~\s)('!*]+?)[/])?([^/~)('!*\s]+?)$/);
 if (match) {
 const scope = match[1];
 if (scope && encodeURIComponent(scope) !== scope) {
@@ -284,7 +285,7 @@ export class PackageJSONContribution implements IJSONContribution {
 
 private npmView(npmCommandPath: string, pack: string, resource: Uri | undefined): Promise {
 return new Promise((resolve, _reject) => {
- const args = ['view', '--json', pack, 'description', 'dist-tags.latest', 'homepage', 'version', 'time'];
+ const args = ['view', '--json', '--', pack, 'description', 'dist-tags.latest', 'homepage', 'version', 'time'];
 const cwd = resource && resource.scheme === 'file' ? dirname(resource.fsPath) : undefined;
 cp.execFile(npmCommandPath, args, { cwd }, (error, stdout) => {
 if (!error) {
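Review bot: The new comment in isValidNPMName says "leading slash added", but the character class `[-_.\s]` rejects a leading dash and leading whitespace, not a slash, so the comment will send the next auditor looking for a `/` that is not there. Suggested wording: `// following rules from https://github.com/npm/validate-npm-package-name; a leading dash or whitespace is also rejected so the name can never be read as an npm option`. The characters added to the scope and name classes (`~)('!*`) are exactly the punctuation that encodeURIComponent leaves unencoded, so they would otherwise slip past the `encodeURIComponent(scope) !== scope` check on the last context line; they are also the "special characters" validate-npm-package-name forbids, which is worth stating next to the regex. This is still a deny-list inside a permissive `[^/]` pattern; an allow-list of the characters npm actually accepts would be easier to reason about, and the branch that checks match[2] continues outside the hunk.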
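Review bot: Inserting `--` before `pack` stops npm from parsing a user-supplied name as an option, but the guarantee only holds while execFile launches the binary directly: the path resolved in npmMain.ts is `npm.cmd` on Windows, and if that ever has to be run with `shell: true`, the argument list is re-parsed by cmd.exe and `--` no longer covers shell metacharacters, leaving isValidNPMName as the only barrier. A comment on the changed line would record that dependency: `// '--' ends npm option parsing; isValidNPMName remains the primary check on pack`. The `cwd` taken from `resource.fsPath` on the next line also means npm reads any `.npmrc` in that folder, which is presumably why the workspace-trust gate in npmMain.ts matters for this call. npmView's body continues outside the hunk.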
diff --git a/extensions/npm/src/npmMain.ts b/extensions/npm/src/npmMain.ts
index a066aac1e9667..d03a72a72fcae 100644
--- a/extensions/npm/src/npmMain.ts
+++ b/extensions/npm/src/npmMain.ts
@@ -97,7 +97,7 @@ export async function activate(context: vscode.ExtensionContext): Promise
 }
 
 async function getNPMCommandPath(): Promise {
- if (canRunNpmInCurrentWorkspace()) {
+ if (vscode.workspace.isTrusted && canRunNpmInCurrentWorkspace()) {
 try {
 return await which(process.platform === 'win32' ? 'npm.cmd' : 'npm');
 } catch (e) {
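Review bot: `vscode.workspace.isTrusted` is sampled at the moment getNPMCommandPath runs, so if its result is cached by the caller a workspace that is granted trust later in the session keeps the path resolved while untrusted until the extension reloads; the caller is not in the hunk, so confirm that, or re-resolve from a `vscode.workspace.onDidGrantWorkspaceTrust` listener. The reason for the gate is not written down anywhere in the code; a one-line comment would help: `// never spawn npm for an untrusted workspace: it reads .npmrc and package.json from the folder`. getNPMCommandPath's body continues outside the hunk.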