@nocobase/server 2.1.0-beta.25 → 2.1.0-beta.26
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
|
@@ -17,6 +17,8 @@ import Application from '../application';
|
|
|
17
17
|
* getTempDir() => '/tmp/nocobase'
|
|
18
18
|
*/
|
|
19
19
|
export declare function getTempDir(): Promise<string>;
|
|
20
|
+
export declare function assertSafePluginPackageName(packageName: string): void;
|
|
21
|
+
export declare function resolveSafeChildPath(baseDir: string, child: string): string;
|
|
20
22
|
export declare function getLocalPluginPackagesPathArr(): string[];
|
|
21
23
|
export declare function getStoragePluginDir(packageName: string): string;
|
|
22
24
|
export declare function getLocalPluginDir(packageDirBasename: string): string;
|
|
@@ -37,6 +37,7 @@ var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__ge
|
|
|
37
37
|
var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
|
|
38
38
|
var utils_exports = {};
|
|
39
39
|
__export(utils_exports, {
|
|
40
|
+
assertSafePluginPackageName: () => assertSafePluginPackageName,
|
|
40
41
|
checkAndGetCompatible: () => checkAndGetCompatible,
|
|
41
42
|
checkCompatible: () => checkCompatible,
|
|
42
43
|
copyTempPackageToStorageAndLinkToNodeModules: () => copyTempPackageToStorageAndLinkToNodeModules,
|
|
@@ -71,6 +72,7 @@ __export(utils_exports, {
|
|
|
71
72
|
removeTmpDir: () => removeTmpDir,
|
|
72
73
|
requireModule: () => requireModule,
|
|
73
74
|
requireNoCache: () => requireNoCache,
|
|
75
|
+
resolveSafeChildPath: () => resolveSafeChildPath,
|
|
74
76
|
updatePluginByCompressedFileUrl: () => updatePluginByCompressedFileUrl
|
|
75
77
|
});
|
|
76
78
|
module.exports = __toCommonJS(utils_exports);
|
|
@@ -96,6 +98,34 @@ async function getTempDir() {
|
|
|
96
98
|
return import_path.default.join(temporaryDirectory, import_constants.APP_NAME);
|
|
97
99
|
}
|
|
98
100
|
__name(getTempDir, "getTempDir");
|
|
101
|
+
function assertSafePluginPackageName(packageName) {
|
|
102
|
+
if (!packageName || typeof packageName !== "string") {
|
|
103
|
+
throw new Error("Invalid plugin package name");
|
|
104
|
+
}
|
|
105
|
+
if (packageName.includes("\0")) {
|
|
106
|
+
throw new Error("Invalid plugin package name");
|
|
107
|
+
}
|
|
108
|
+
if (import_path.default.isAbsolute(packageName)) {
|
|
109
|
+
throw new Error("Invalid plugin package name");
|
|
110
|
+
}
|
|
111
|
+
if (packageName.includes("..") || packageName.includes("\\")) {
|
|
112
|
+
throw new Error("Invalid plugin package name");
|
|
113
|
+
}
|
|
114
|
+
const valid = /^(?:@[a-z0-9][a-z0-9._-]*\/)?[a-z0-9][a-z0-9._-]*$/i.test(packageName);
|
|
115
|
+
if (!valid) {
|
|
116
|
+
throw new Error("Invalid plugin package name");
|
|
117
|
+
}
|
|
118
|
+
}
|
|
119
|
+
__name(assertSafePluginPackageName, "assertSafePluginPackageName");
|
|
120
|
+
function resolveSafeChildPath(baseDir, child) {
|
|
121
|
+
const resolvedBase = import_path.default.resolve(baseDir);
|
|
122
|
+
const resolvedTarget = import_path.default.resolve(baseDir, child);
|
|
123
|
+
if (resolvedTarget !== resolvedBase && !resolvedTarget.startsWith(`${resolvedBase}${import_path.default.sep}`)) {
|
|
124
|
+
throw new Error("Path traversal detected");
|
|
125
|
+
}
|
|
126
|
+
return resolvedTarget;
|
|
127
|
+
}
|
|
128
|
+
__name(resolveSafeChildPath, "resolveSafeChildPath");
|
|
99
129
|
function getLocalPluginPackagesPathArr() {
|
|
100
130
|
const pluginPackagesPathArr = process.env.PLUGIN_PATH || import_constants.DEFAULT_PLUGIN_PATH;
|
|
101
131
|
return pluginPackagesPathArr.split(",").map((pluginPackagesPath) => {
|
|
@@ -106,7 +136,8 @@ function getLocalPluginPackagesPathArr() {
|
|
|
106
136
|
__name(getLocalPluginPackagesPathArr, "getLocalPluginPackagesPathArr");
|
|
107
137
|
function getStoragePluginDir(packageName) {
|
|
108
138
|
const pluginStoragePath = (0, import_utils.resolvePluginStoragePath)();
|
|
109
|
-
|
|
139
|
+
assertSafePluginPackageName(packageName);
|
|
140
|
+
return resolveSafeChildPath(pluginStoragePath, packageName);
|
|
110
141
|
}
|
|
111
142
|
__name(getStoragePluginDir, "getStoragePluginDir");
|
|
112
143
|
function getLocalPluginDir(packageDirBasename) {
|
|
@@ -118,7 +149,8 @@ function getLocalPluginDir(packageDirBasename) {
|
|
|
118
149
|
}
|
|
119
150
|
__name(getLocalPluginDir, "getLocalPluginDir");
|
|
120
151
|
function getNodeModulesPluginDir(packageName) {
|
|
121
|
-
|
|
152
|
+
assertSafePluginPackageName(packageName);
|
|
153
|
+
return resolveSafeChildPath(process.env.NODE_MODULES_PATH, packageName);
|
|
122
154
|
}
|
|
123
155
|
__name(getNodeModulesPluginDir, "getNodeModulesPluginDir");
|
|
124
156
|
function getAuthorizationHeaders(registry, authToken) {
|
|
@@ -551,6 +583,7 @@ async function pmListSummary(app) {
|
|
|
551
583
|
__name(pmListSummary, "pmListSummary");
|
|
552
584
|
// Annotate the CommonJS export names for ESM import in node:
|
|
553
585
|
0 && (module.exports = {
|
|
586
|
+
assertSafePluginPackageName,
|
|
554
587
|
checkAndGetCompatible,
|
|
555
588
|
checkCompatible,
|
|
556
589
|
copyTempPackageToStorageAndLinkToNodeModules,
|
|
@@ -585,5 +618,6 @@ __name(pmListSummary, "pmListSummary");
|
|
|
585
618
|
removeTmpDir,
|
|
586
619
|
requireModule,
|
|
587
620
|
requireNoCache,
|
|
621
|
+
resolveSafeChildPath,
|
|
588
622
|
updatePluginByCompressedFileUrl
|
|
589
623
|
});
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@nocobase/server",
|
|
3
|
-
"version": "2.1.0-beta.
|
|
3
|
+
"version": "2.1.0-beta.26",
|
|
4
4
|
"main": "lib/index.js",
|
|
5
5
|
"types": "./lib/index.d.ts",
|
|
6
6
|
"license": "Apache-2.0",
|
|
@@ -10,21 +10,21 @@
|
|
|
10
10
|
"@koa/cors": "^5.0.0",
|
|
11
11
|
"@koa/multer": "^3.1.0",
|
|
12
12
|
"@koa/router": "^13.1.0",
|
|
13
|
-
"@nocobase/acl": "2.1.0-beta.
|
|
14
|
-
"@nocobase/actions": "2.1.0-beta.
|
|
15
|
-
"@nocobase/ai": "2.1.0-beta.
|
|
16
|
-
"@nocobase/auth": "2.1.0-beta.
|
|
17
|
-
"@nocobase/cache": "2.1.0-beta.
|
|
18
|
-
"@nocobase/data-source-manager": "2.1.0-beta.
|
|
19
|
-
"@nocobase/database": "2.1.0-beta.
|
|
20
|
-
"@nocobase/evaluators": "2.1.0-beta.
|
|
21
|
-
"@nocobase/lock-manager": "2.1.0-beta.
|
|
22
|
-
"@nocobase/logger": "2.1.0-beta.
|
|
23
|
-
"@nocobase/resourcer": "2.1.0-beta.
|
|
24
|
-
"@nocobase/sdk": "2.1.0-beta.
|
|
25
|
-
"@nocobase/snowflake-id": "2.1.0-beta.
|
|
26
|
-
"@nocobase/telemetry": "2.1.0-beta.
|
|
27
|
-
"@nocobase/utils": "2.1.0-beta.
|
|
13
|
+
"@nocobase/acl": "2.1.0-beta.26",
|
|
14
|
+
"@nocobase/actions": "2.1.0-beta.26",
|
|
15
|
+
"@nocobase/ai": "2.1.0-beta.26",
|
|
16
|
+
"@nocobase/auth": "2.1.0-beta.26",
|
|
17
|
+
"@nocobase/cache": "2.1.0-beta.26",
|
|
18
|
+
"@nocobase/data-source-manager": "2.1.0-beta.26",
|
|
19
|
+
"@nocobase/database": "2.1.0-beta.26",
|
|
20
|
+
"@nocobase/evaluators": "2.1.0-beta.26",
|
|
21
|
+
"@nocobase/lock-manager": "2.1.0-beta.26",
|
|
22
|
+
"@nocobase/logger": "2.1.0-beta.26",
|
|
23
|
+
"@nocobase/resourcer": "2.1.0-beta.26",
|
|
24
|
+
"@nocobase/sdk": "2.1.0-beta.26",
|
|
25
|
+
"@nocobase/snowflake-id": "2.1.0-beta.26",
|
|
26
|
+
"@nocobase/telemetry": "2.1.0-beta.26",
|
|
27
|
+
"@nocobase/utils": "2.1.0-beta.26",
|
|
28
28
|
"@types/decompress": "4.2.7",
|
|
29
29
|
"@types/ini": "^1.3.31",
|
|
30
30
|
"@types/koa-send": "^4.1.3",
|
|
@@ -42,7 +42,7 @@
|
|
|
42
42
|
"fs-extra": "^11.1.1",
|
|
43
43
|
"i18next": "^22.4.9",
|
|
44
44
|
"ini": "^4.1.1",
|
|
45
|
-
"koa": "^2.
|
|
45
|
+
"koa": "^3.2.0",
|
|
46
46
|
"koa-bodyparser": "^4.3.0",
|
|
47
47
|
"koa-send": "^5.0.1",
|
|
48
48
|
"koa-static": "^5.0.0",
|
|
@@ -61,5 +61,5 @@
|
|
|
61
61
|
"@types/serve-handler": "^6.1.1",
|
|
62
62
|
"@types/ws": "^8.5.5"
|
|
63
63
|
},
|
|
64
|
-
"gitHead": "
|
|
64
|
+
"gitHead": "b17e1a72057813fa27d8435bf0f2af67ea4b059f"
|
|
65
65
|
}
|