Implement allow/denyList when loading/installing modules

2025-03-01 10:36:34 +00:00 · 2020-12-27 12:49:17 +00:00
parent fc459be531
commit aacb92a7ae
6 changed files with 191 additions and 27 deletions
--- a/packages/node_modules/@node-red/registry/lib/util.js
+++ b/packages/node_modules/@node-red/registry/lib/util.js
@@ -15,6 +15,7 @@
 **/

 const path = require("path");
+const semver = require("semver");
 const {events,i18n,log} = require("@node-red/util");
 var runtime;

@@ -104,9 +105,78 @@ function createNodeApi(node) {
    return red;
 }

+
+function checkAgainstList(module,version,list) {
+    for (let i=0;i<list.length;i++) {
+        let rule = list[i];
+        if (rule.module.test(module)) {
+            if (version && rule.version) {
+                if (semver.satisfies(version,rule.version)) {
+                    return rule;
+                }
+            } else {
+                return rule;
+            }
+        }
+    }
+}
+
+function checkModuleAllowed(module,version,allowList,denyList) {
+    // console.log("checkModuleAllowed",module,version);//,allowList,denyList)
+    if (!allowList && !denyList) {
+        // Default to allow
+        return true;
+    }
+    if (allowList.length === 0 && denyList.length === 0) {
+        return true;
+    }
+
+    var allowedRule = checkAgainstList(module,version,allowList);
+    var deniedRule = checkAgainstList(module,version,denyList);
+    // console.log("A",allowedRule)
+    // console.log("D",deniedRule)
+
+    if (allowedRule && !deniedRule) {
+        return true;
+    }
+    if (!allowedRule && deniedRule) {
+        return false;
+    }
+    if (!allowedRule && !deniedRule) {
+        return true;
+    }
+    if (allowedRule.wildcardPos !== deniedRule.wildcardPos) {
+        return allowedRule.wildcardPos > deniedRule.wildcardPos
+    } else {
+        // First wildcard in same position.
+        // Go with the longer matching rule. This isn't going to be 100%
+        // right, but we are deep into edge cases at this point.
+        return allowedRule.module.toString().length > deniedRule.module.toString().length
+    }
+    return false;
+}
+
+function parseModuleList(list) {
+    list = list || ["*"];
+    return list.map(rule => {
+        let m = /^(.+?)(?:@(.*))?$/.exec(rule);
+        let wildcardPos = m[1].indexOf("*");
+        wildcardPos = wildcardPos===-1?Infinity:wildcardPos;
+
+        return {
+            module: new RegExp("^"+m[1].replace(/\*/g,".*")+"$"),
+            version: m[2],
+            wildcardPos: wildcardPos
+        }
+    })
+}
+
+
 module.exports = {
    init: function(_runtime) {
        runtime = _runtime;
    },
-    createNodeApi: createNodeApi
+    createNodeApi: createNodeApi,
+    parseModuleList: parseModuleList,
+    checkModuleAllowed: checkModuleAllowed
 }