@n8n/scan-community-package 0.2.0 → 0.3.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (2) hide show
  1. package/package.json +1 -1
  2. package/scanner/scanner.mjs +19 -4
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@n8n/scan-community-package",
3
- "version": "0.2.0",
3
+ "version": "0.3.0",
4
4
  "description": "Static code analyser for n8n community packages",
5
5
  "license": "SEE LICENSE IN LICENSE.md",
6
6
  "bin": "scanner/cli.mjs",
package/scanner/scanner.mjs CHANGED
@@ -3,7 +3,7 @@
3
3
  import fs from "fs";
4
4
  import path from "path";
5
5
  import { ESLint } from "eslint";
6
- import { execSync } from "child_process";
6
+ import { spawnSync } from "child_process";
7
7
  import tmp from "tmp";
8
8
  import semver from "semver";
9
9
  import axios from "axios";
@@ -19,6 +19,11 @@ const TEMP_DIR = tmp.dirSync({ unsafeCleanup: true }).name;
19
19
  const registry = "https://registry.npmjs.org/";
20
20
 
21
21
  export const resolvePackage = (packageSpec) => {
22
+ // Validate input to prevent command injection
23
+ if (!/^[a-zA-Z0-9@/_.-]+$/.test(packageSpec)) {
24
+ throw new Error('Invalid package specification');
25
+ }
26
+
22
27
  let packageName, version;
23
28
  if (packageSpec.startsWith("@")) {
24
29
  if (packageSpec.includes("@", 1)) {
@@ -40,8 +45,14 @@ export const resolvePackage = (packageSpec) => {
40
45
 
41
46
  const downloadAndExtractPackage = async (packageName, version) => {
42
47
  try {
43
- // Download the tarball
44
- execSync(`npm -q pack ${packageName}@${version}`, { cwd: TEMP_DIR });
48
+ // Download the tarball using safe arguments
49
+ const npmResult = spawnSync('npm', ['-q', 'pack', `${packageName}@${version}`], {
50
+ cwd: TEMP_DIR,
51
+ stdio: 'pipe'
52
+ });
53
+ if (npmResult.status !== 0) {
54
+ throw new Error(`npm pack failed: ${npmResult.stderr?.toString()}`);
55
+ }
45
56
  const tarballName = fs
46
57
  .readdirSync(TEMP_DIR)
47
58
  .find((file) => file.endsWith(".tgz"));
@@ -52,9 +63,13 @@ const downloadAndExtractPackage = async (packageName, version) => {
52
63
  // Unpack the tarball
53
64
  const packageDir = path.join(TEMP_DIR, `${packageName}-${version}`);
54
65
  fs.mkdirSync(packageDir, { recursive: true });
55
- execSync(`tar -xzf ${tarballName} -C ${packageDir} --strip-components=1`, {
66
+ const tarResult = spawnSync('tar', ['-xzf', tarballName, '-C', packageDir, '--strip-components=1'], {
56
67
  cwd: TEMP_DIR,
68
+ stdio: 'pipe'
57
69
  });
70
+ if (tarResult.status !== 0) {
71
+ throw new Error(`tar extraction failed: ${tarResult.stderr?.toString()}`);
72
+ }
58
73
  fs.unlinkSync(path.join(TEMP_DIR, tarballName));
59
74
 
60
75
  return packageDir;