diff --git a/.changeset/gentle-stingrays-repeat.md b/.changeset/gentle-stingrays-repeat.md new file mode 100644 index 000000000..5de2314a3 --- /dev/null +++ b/.changeset/gentle-stingrays-repeat.md @@ -0,0 +1,6 @@ +--- +'@verdaccio/local-storage': patch +'@verdaccio/store': patch +--- + +fix: code scan issues diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml index 3ce590402..eab191b26 100644 --- a/.github/workflows/codeql-analysis.yml +++ b/.github/workflows/codeql-analysis.yml @@ -1,10 +1,20 @@ name: 'Code scanning - action' on: + push: + paths: + - .github/workflows/codeql-analysis.yml + - 'packages/**' + paths-ignore: + - '**/*.md' + - '**/*.txt' pull_request: paths: - .github/workflows/codeql-analysis.yml - 'packages/**' + paths-ignore: + - '**/*.md' + - '**/*.txt' schedule: - cron: '0 2 * * 4' @@ -13,7 +23,7 @@ permissions: concurrency: group: code-${{ github.ref }} - cancel-in-progress: true + cancel-in-progress: true jobs: CodeQL-Build: @@ -31,14 +41,14 @@ jobs: # a pull request then we can checkout the head. fetch-depth: 2 - # If this run was triggered by a pull request event, then checkout - # the head of the pull request instead of the merge commit. - - run: git checkout HEAD^2 - if: ${{ github.event_name == 'pull_request' }} - # Initializes the CodeQL tools for scanning. - name: Initialize CodeQL uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v2 + with: + config: | + paths-ignore: + - packages/config/test/partials/config/js/invalid.js + - packages/middleware/test/static/js # Override language selection by uncommenting this and choosing your languages # with: diff --git a/packages/plugins/local-storage/src/local-database.ts b/packages/plugins/local-storage/src/local-database.ts index f2b20dadb..375ab0535 100644 --- a/packages/plugins/local-storage/src/local-database.ts +++ b/packages/plugins/local-storage/src/local-database.ts @@ -118,7 +118,9 @@ class LocalDatabase extends pluginUtils.Plugin<{}> implements Storage { public async filterByQuery(results: searchUtils.SearchItemPkg[], query: searchUtils.SearchQuery) { // FUTURE: apply new filters, keyword, version, ... return results.filter((item: searchUtils.SearchItemPkg) => { - return item?.name?.match(query.text) !== null; + // Sanitize user input + const safeText = _.escapeRegExp(query.text); + return item?.name?.match(safeText) !== null; }) as searchUtils.SearchItemPkg[]; } diff --git a/packages/store/src/storage.ts b/packages/store/src/storage.ts index 891fca2ee..14b4a710f 100644 --- a/packages/store/src/storage.ts +++ b/packages/store/src/storage.ts @@ -1405,6 +1405,9 @@ class Storage { throw errorUtils.getBadRequest(errorMessage); } } + if (tarball === '__proto__' || tarball === 'constructor' || tarball === 'prototype') { + throw errorUtils.getBadRequest('tarball name is not allowed'); + } data._attachments[tarball].version = version; }