
fix: code scan issues (#4888)

This commit is contained in:
Marc Bernard 2024-10-06 03:02:47 -04:00 committed by GitHub
parent 9a057d1b62
commit 5731e88a99
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
4 changed files with 28 additions and 7 deletions


@ -0,0 +1,6 @@
---
'@verdaccio/local-storage': patch
'@verdaccio/store': patch
---
fix: code scan issues


@ -1,10 +1,20 @@
name: 'Code scanning - action'
on:
push:
paths:
- .github/workflows/codeql-analysis.yml
- 'packages/**'
paths-ignore:
- '**/*.md'
- '**/*.txt'
pull_request:
paths:
- .github/workflows/codeql-analysis.yml
- 'packages/**'
paths-ignore:
- '**/*.md'
- '**/*.txt'
schedule:
- cron: '0 2 * * 4'
@ -31,14 +41,14 @@ jobs:
# a pull request then we can checkout the head.
fetch-depth: 2
# If this run was triggered by a pull request event, then checkout
# the head of the pull request instead of the merge commit.
- run: git checkout HEAD^2
if: ${{ github.event_name == 'pull_request' }}
# Initializes the CodeQL tools for scanning.
- name: Initialize CodeQL
uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v2
with:
config: |
paths-ignore:
- packages/config/test/partials/config/js/invalid.js
- packages/middleware/test/static/js
# Override language selection by uncommenting this and choosing your languages
# with:
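Review bot: The `push` and `pull_request` triggers in the first hunk now combine `paths` with `paths-ignore` for the same event; GitHub's workflow-syntax documentation states that these two filters cannot be used together on one event, so the filter the file appears to express is not the one that will be applied. Express the exclusions as negated patterns inside `paths` instead, e.g. `- '!**/*.md'` and `- '!**/*.txt'` directly after `- 'packages/**'`, and drop the two `paths-ignore` keys. Note also that with `paths` limited to `packages/**` and the workflow file, code outside that tree is only scanned by the weekly `schedule` run; if that is intended, a one-line comment above `paths:` saying so would save the next reader from wondering whether it was an oversight.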


@ -118,7 +118,9 @@ class LocalDatabase extends pluginUtils.Plugin<{}> implements Storage {
public async filterByQuery(results: searchUtils.SearchItemPkg[], query: searchUtils.SearchQuery) {
// FUTURE: apply new filters, keyword, version, ...
return results.filter((item: searchUtils.SearchItemPkg) => {
return item?.name?.match(query.text) !== null;
// Sanitize user input
const safeText = _.escapeRegExp(query.text);
return item?.name?.match(safeText) !== null;
}) as searchUtils.SearchItemPkg[];
}
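Review bot: `safeText` is computed inside the filter callback, so the escape (and the RegExp that `match` builds from it) is redone for every element of `results`; hoist `const safeText = _.escapeRegExp(query.text);` above `results.filter(...)`. Since an escaped pattern can only ever match literally, `item?.name?.includes(query.text)` expresses the same intent without constructing a RegExp at all, with the caveat that `includes` needs `query.text` to be a string whereas `match(undefined)` currently matches every item — guard with `typeof query.text === 'string'` unless that is already enforced upstream. Independently, an item whose `name` is missing passes the filter because the optional chain yields `undefined`, which is `!== null`; that is pre-existing, but the hoisted form is a natural place to tighten it. `_` is presumably lodash; the import is not visible here.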


@ -1405,6 +1405,9 @@ class Storage {
throw errorUtils.getBadRequest(errorMessage);
}
}
if (tarball === '__proto__' || tarball === 'constructor' || tarball === 'prototype') {
throw errorUtils.getBadRequest('tarball name is not allowed');
}
data._attachments[tarball].version = version;
}
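Review bot: The new guard denylists three property names, but the following line `data._attachments[tarball].version = version;` still dereferences whatever `data._attachments[tarball]` resolves to, including members inherited from `Object.prototype` and plain `undefined`, the latter throwing a TypeError outside the bad-request path. An own-property check covers all of these in one condition: `if (!Object.prototype.hasOwnProperty.call(data._attachments, tarball)) { throw errorUtils.getBadRequest('tarball name is not allowed'); }`. The enclosing method starts outside the hunk, so that `tarball` is request-derived is inferred from the guard's intent rather than visible here.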