git-watchtower 1.11.0 → 1.11.2
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/package.json +1 -1
- package/src/utils/browser.js +25 -2
- package/src/utils/version-check.js +21 -5
package/package.json
CHANGED
package/src/utils/browser.js
CHANGED
|
@@ -5,6 +5,22 @@
|
|
|
5
5
|
|
|
6
6
|
const { execFile } = require('child_process');
|
|
7
7
|
|
|
8
|
+
/**
|
|
9
|
+
* Validate that a string is a safe URL to pass to OS open commands.
|
|
10
|
+
* Rejects URLs containing shell metacharacters that could lead to
|
|
11
|
+
* command injection when passed through cmd.exe on Windows.
|
|
12
|
+
* @param {string} url
|
|
13
|
+
* @returns {boolean}
|
|
14
|
+
*/
|
|
15
|
+
function isSafeUrl(url) {
|
|
16
|
+
if (!url || typeof url !== 'string') return false;
|
|
17
|
+
// Must start with http://, https://, or file://
|
|
18
|
+
if (!/^https?:\/\/|^file:\/\//i.test(url)) return false;
|
|
19
|
+
// Reject shell metacharacters that cmd.exe would interpret
|
|
20
|
+
if (/[&|<>^"!%]/.test(url)) return false;
|
|
21
|
+
return true;
|
|
22
|
+
}
|
|
23
|
+
|
|
8
24
|
/**
|
|
9
25
|
* Open a URL in the user's default browser.
|
|
10
26
|
* Cross-platform: macOS (open), Windows (start), Linux (xdg-open).
|
|
@@ -13,6 +29,13 @@ const { execFile } = require('child_process');
|
|
|
13
29
|
* @param {function} [onError] - Optional error callback (receives Error)
|
|
14
30
|
*/
|
|
15
31
|
function openInBrowser(url, onError) {
|
|
32
|
+
if (!isSafeUrl(url)) {
|
|
33
|
+
if (onError) {
|
|
34
|
+
onError(new Error(`Refusing to open unsafe URL: ${url}`));
|
|
35
|
+
}
|
|
36
|
+
return;
|
|
37
|
+
}
|
|
38
|
+
|
|
16
39
|
const platform = process.platform;
|
|
17
40
|
let command;
|
|
18
41
|
let args;
|
|
@@ -22,7 +45,7 @@ function openInBrowser(url, onError) {
|
|
|
22
45
|
args = [url];
|
|
23
46
|
} else if (platform === 'win32') {
|
|
24
47
|
// On Windows, 'start' is a shell built-in, so we must use cmd.exe.
|
|
25
|
-
//
|
|
48
|
+
// URL is validated above to reject shell metacharacters.
|
|
26
49
|
command = 'cmd.exe';
|
|
27
50
|
args = ['/c', 'start', '', url];
|
|
28
51
|
} else {
|
|
@@ -37,4 +60,4 @@ function openInBrowser(url, onError) {
|
|
|
37
60
|
});
|
|
38
61
|
}
|
|
39
62
|
|
|
40
|
-
module.exports = { openInBrowser };
|
|
63
|
+
module.exports = { openInBrowser, isSafeUrl };
|
|
@@ -8,17 +8,33 @@ const { version: currentVersion } = require('../../package.json');
|
|
|
8
8
|
|
|
9
9
|
/**
|
|
10
10
|
* Compare two semver version strings
|
|
11
|
+
* Handles missing segments (treated as 0), >3-part versions,
|
|
12
|
+
* and prerelease suffixes (e.g. 1.8.0-beta.1 < 1.8.0).
|
|
11
13
|
* @param {string} a - First version (e.g. '1.8.0')
|
|
12
14
|
* @param {string} b - Second version (e.g. '1.7.0')
|
|
13
15
|
* @returns {number} 1 if a > b, -1 if a < b, 0 if equal
|
|
14
16
|
*/
|
|
15
17
|
function compareVersions(a, b) {
|
|
16
|
-
|
|
17
|
-
const
|
|
18
|
-
|
|
19
|
-
|
|
20
|
-
|
|
18
|
+
// Split off prerelease suffix (e.g. '1.8.0-beta.1' → core='1.8.0', pre='beta.1')
|
|
19
|
+
const [coreA, preA] = a.split('-', 2);
|
|
20
|
+
const [coreB, preB] = b.split('-', 2);
|
|
21
|
+
|
|
22
|
+
const pa = coreA.split('.').map(Number);
|
|
23
|
+
const pb = coreB.split('.').map(Number);
|
|
24
|
+
const len = Math.max(pa.length, pb.length);
|
|
25
|
+
|
|
26
|
+
for (let i = 0; i < len; i++) {
|
|
27
|
+
const na = pa[i] || 0;
|
|
28
|
+
const nb = pb[i] || 0;
|
|
29
|
+
if (na > nb) return 1;
|
|
30
|
+
if (na < nb) return -1;
|
|
21
31
|
}
|
|
32
|
+
|
|
33
|
+
// Core versions are equal — check prerelease.
|
|
34
|
+
// A version with a prerelease tag is less than one without (semver §11).
|
|
35
|
+
if (preA && !preB) return -1;
|
|
36
|
+
if (!preA && preB) return 1;
|
|
37
|
+
|
|
22
38
|
return 0;
|
|
23
39
|
}
|
|
24
40
|
|