ohos-playwright 0.2.5 → 0.2.6

package/dist/setup.mjs

@@ -8,6 +8,16 @@ import { INFO_PATH } from "./info-path.mjs";
 const HDC = process.env.OHOS_PW_HDC ?? '/data/service/hnp/bin/hdc';
 const BUNDLE = process.env.OHOS_PW_BUNDLE ?? 'com.huawei.hmos.browser';
 const LAUNCH_URL = process.env.OHOS_PW_LAUNCH_URL ?? 'about:blank';
+// 校验环境变量，防止通过 hdc shell 注入恶意命令。
+// BUNDLE 必须是点分隔的 Android 风格包名；LAUNCH_URL 必须是合法 URL。
+const SAFE_BUNDLE_RE = /^[a-zA-Z][a-zA-Z0-9.]*$/;
+const SAFE_URL_RE = /^[a-z][a-z0-9+.-]*:(?:\/\/)?\S+$/i;
+if (!SAFE_BUNDLE_RE.test(BUNDLE) || BUNDLE.length > 256) {
+    throw new Error(`[ohos-playwright] OHOS_PW_BUNDLE "${BUNDLE}" 不是合法的包名（期望: com.example.app）`);
+}
+if (!SAFE_URL_RE.test(LAUNCH_URL) || LAUNCH_URL.length > 2048) {
+    throw new Error(`[ohos-playwright] OHOS_PW_LAUNCH_URL "${LAUNCH_URL}" 不是合法的 URL`);
+}
 const HDC_OPTS = { encoding: 'utf8', stdio: ['ignore', 'pipe', 'pipe'] };
 function hdc(args, opts) {
     return String(execFileSync(HDC, args, { ...HDC_OPTS, ...opts })).trim();
@@ -208,7 +218,13 @@ export default async function globalSetup() {
     const probe = await probeCdp(port);
     if (!probe.ok)
         throw new Error(`CDP probe failed: ${probe.err || probe.body}`);
-    const info = JSON.parse(probe.body);
+    let info;
+    try {
+        info = JSON.parse(probe.body);
+    }
+    catch {
+        throw new Error(`CDP response is not valid JSON (body preview: ${probe.body?.slice(0, 300) ?? '(empty)'})`);
+    }
     console.log(`[ohos-playwright] CDP ready: ${info.Browser}`);
     mkdirSync(dirname(INFO_PATH), { recursive: true });
     writeFileSync(INFO_PATH, JSON.stringify({ port, pid, socket, endpoint: `http://127.0.0.1:${port}` }, null, 2));

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ohos-playwright",
-  "version": "0.2.5",
+  "version": "0.2.6",
   "description": "Playwright adapter for OpenHarmony / ArkWeb via hdc + CDP",
   "license": "MIT",
   "author": "social4hyq",