Add some proper validation of module/url properties in install api

2025-03-01 10:36:34 +00:00 · 2020-06-03 10:45:28 +01:00
parent 6d737b9e4c
commit b6b3ceef4d
3 changed files with 59 additions and 24 deletions
--- a/packages/node_modules/@node-red/registry/lib/installer.js
+++ b/packages/node_modules/@node-red/registry/lib/installer.js
@@ -30,7 +30,7 @@ var npmCommand = process.platform === 'win32' ? 'npm.cmd' : 'npm';
 var paletteEditorEnabled = false;

 var settings;
-var moduleRe = /^(@[^/]+?[/])?[^/]+?$/;
+var moduleRe = /^(@[^/@]+?[/])?[^/@]+?$/;
 var slashRe = process.platform === "win32" ? /\\|[/]/ : /[/]/;
 var pkgurlRe = /^(https?|git(|\+https?|\+ssh|\+file)):\/\//;

@@ -78,15 +78,24 @@ function checkExistingModule(module,version) {
    return false;
 }
 function installModule(module,version,url) {
+    module = module || "";
    activePromise = activePromise.then(() => {
        //TODO: ensure module is 'safe'
        return new Promise((resolve,reject) => {
            var installName = module;
            var isUpgrade = false;
            try {
-                if (url && pkgurlRe.test(url)) { 
-                    // Git remote url or Tarball url - check the valid package url
-                    installName = url;
+                if (url) {
+                    if (pkgurlRe.test(url)) {
+                        // Git remote url or Tarball url - check the valid package url
+                        installName = url;
+                    } else {
+                        log.warn(log._("server.install.install-failed-url",{name:module,url:url}));
+                        e = new Error("Invalid url");
+                        e.code = "invalid_module_url";
+                        reject(e);
+                        return;
+                    }
                } else if (moduleRe.test(module)) {
                    // Simple module name - assume it can be npm installed
                    if (version) {
@@ -96,6 +105,12 @@ function installModule(module,version,url) {
                    // A path - check if there's a valid package.json
                    installName = module;
                    module = checkModulePath(module);
+                } else {
+                    log.warn(log._("server.install.install-failed-name",{name:module}));
+                    e = new Error("Invalid module name");
+                    e.code = "invalid_module_name";
+                    reject(e);
+                    return;
                }
                isUpgrade = checkExistingModule(module,version);
            } catch(err) {
--- a/packages/node_modules/@node-red/runtime/locales/en-US/runtime.json
+++ b/packages/node_modules/@node-red/runtime/locales/en-US/runtime.json
@@ -32,6 +32,8 @@
            "install-failed": "Install failed",
            "install-failed-long": "Installation of module __name__ failed:",
            "install-failed-not-found": "$t(server.install.install-failed-long) module not found",
+            "install-failed-name": "$t(server.install.install-failed-long) invalid module name: __name__",
+            "install-failed-url": "$t(server.install.install-failed-long) invalid url: __url__",
            "upgrading": "Upgrading module: __name__ to version: __version__",
            "upgraded": "Upgraded module: __name__. Restart Node-RED to use the new version",
            "upgrade-failed-not-found": "$t(server.install.install-failed-long) version not found",