fix: code scan issues (#4888)
parent
9a057d1b62
commit
5731e88a99
4 changed files with 28 additions and 7 deletions
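--- a/.changeset/gentle-stingrays-repeat.md
+++ b/.changeset/gentle-stingrays-repeat.md
@@ -0,0 +1,6 @@
+---
+'@verdaccio/local-storage': patch
+'@verdaccio/store': patch
+---
+
+fix: code scan issues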
20
.github/workflows/codeql-analysis.yml
vendored
|
@ -1,10 +1,20 @@
|
|||
name: 'Code scanning - action'
|
||||
|
||||
on:
|
||||
push:
|
||||
paths:
|
||||
- .github/workflows/codeql-analysis.yml
|
||||
- 'packages/**'
|
||||
paths-ignore:
|
||||
- '**/*.md'
|
||||
- '**/*.txt'
|
||||
pull_request:
|
||||
paths:
|
||||
- .github/workflows/codeql-analysis.yml
|
||||
- 'packages/**'
|
||||
paths-ignore:
|
||||
- '**/*.md'
|
||||
- '**/*.txt'
|
||||
schedule:
|
||||
- cron: '0 2 * * 4'
|
||||
|
||||
|
@ -31,14 +41,14 @@ jobs:
|
|||
# a pull request then we can checkout the head.
|
||||
fetch-depth: 2
|
||||
|
||||
# If this run was triggered by a pull request event, then checkout
|
||||
# the head of the pull request instead of the merge commit.
|
||||
- run: git checkout HEAD^2
|
||||
if: ${{ github.event_name == 'pull_request' }}
|
||||
|
||||
# Initializes the CodeQL tools for scanning.
|
||||
- name: Initialize CodeQL
|
||||
uses: github/codeql-action/init@e2b3eafc8d227b0241d48be5f425d47c2d750a13 # v2
|
||||
with:
|
||||
config: |
|
||||
paths-ignore:
|
||||
- packages/config/test/partials/config/js/invalid.js
|
||||
- packages/middleware/test/static/js
|
||||
|
||||
# Override language selection by uncommenting this and choosing your languages
|
||||
# with:
|
||||
|
|
|
@ -118,7 +118,9 @@ class LocalDatabase extends pluginUtils.Plugin<{}> implements Storage {
|
|||
public async filterByQuery(results: searchUtils.SearchItemPkg[], query: searchUtils.SearchQuery) {
|
||||
// FUTURE: apply new filters, keyword, version, ...
|
||||
return results.filter((item: searchUtils.SearchItemPkg) => {
|
||||
return item?.name?.match(query.text) !== null;
|
||||
// Sanitize user input
|
||||
const safeText = _.escapeRegExp(query.text);
|
||||
return item?.name?.match(safeText) !== null;
|
||||
}) as searchUtils.SearchItemPkg[];
|
||||
}
|
||||
|
||||
|
|
|
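Review bot: The new `return item?.name?.match(safeText) !== null;` still lets through an item whose `name` is missing, because the optional chain yields `undefined` and `undefined !== null` is true. Once `query.text` has gone through `_.escapeRegExp` the pattern can only ever match itself literally, so the filter is a substring test and the regex (and the `!== null` trap) can go: `return item?.name?.includes(query.text) ?? false;`. If `SearchQuery.text` may be undefined — its type is not visible in the hunk — `includes(query.text ?? '')` keeps the current "empty pattern matches everything" behaviour. The `as searchUtils.SearchItemPkg[]` cast on the filter result is then also redundant, since `filter` already returns that element type.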
@ -1405,6 +1405,9 @@ class Storage {
|
|||
throw errorUtils.getBadRequest(errorMessage);
|
||||
}
|
||||
}
|
||||
if (tarball === '__proto__' || tarball === 'constructor' || tarball === 'prototype') {
|
||||
throw errorUtils.getBadRequest('tarball name is not allowed');
|
||||
}
|
||||
data._attachments[tarball].version = version;
|
||||
}
|
||||
|
||||
|
|
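Review bot: The denylist `if (tarball === '__proto__' || tarball === 'constructor' || tarball === 'prototype')` stops the obvious prototype keys but not other inherited names such as `toString` or `hasOwnProperty`; assuming `_attachments` is a plain object, `data._attachments[tarball]` for those resolves to a function shared via `Object.prototype` and the following `.version = version` write lands on that shared object. An own-property check closes every inherited name at once and also turns a tarball that is simply absent from `_attachments` into a 400 instead of a `TypeError` on `.version` of `undefined`: `if (!Object.prototype.hasOwnProperty.call(data._attachments, tarball)) {` / `throw errorUtils.getBadRequest('tarball name is not allowed');` / `}`. Keeping the three explicit names in addition is harmless, but the own-property test is what actually confines the write. The enclosing method starts before this hunk, so whether `_attachments` is guaranteed to be a plain object there needs confirming.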