Merge pull request '代码漏洞修复' (#1) from p24307168/kylin-code:master into master

This commit is contained in:
p40859176 2023-11-30 17:19:31 +08:00
commit 8a781aa116
4 changed files with 45 additions and 37 deletions

View File

@ -254,10 +254,11 @@ export class PackageJSONContribution implements IJSONContribution {
private isValidNPMName(name: string): boolean {
// following rules from https://github.com/npm/validate-npm-package-name
if (!name || name.length > 214 || name.match(/^[_.]/)) {
// leading slash added as additional security measure
if (!name || name.length > 214 || name.match(/^[-_.\s]/)) {
return false;
}
const match = name.match(/^(?:@([^/]+?)[/])?([^/]+?)$/);
const match = name.match(/^(?:@([^/~\s)('!*]+?)[/])?([^/~)('!*\s]+?)$/);
if (match) {
const scope = match[1];
if (scope && encodeURIComponent(scope) !== scope) {
@ -285,7 +286,7 @@ export class PackageJSONContribution implements IJSONContribution {
private npmView(npmCommandPath: string, pack: string, resource: Uri | undefined): Promise<ViewPackageInfo | undefined> {
return new Promise((resolve, _reject) => {
const args = ['view', '--json', pack, 'description', 'dist-tags.latest', 'homepage', 'version'];
const args = ['view', '--json', '--', pack, 'description', 'dist-tags.latest', 'homepage', 'version', 'time'];
let cwd = resource && resource.scheme === 'file' ? dirname(resource.fsPath) : undefined;
cp.execFile(npmCommandPath, args, { cwd }, (error, stdout) => {
if (!error) {

View File

@ -73,7 +73,7 @@ export async function activate(context: vscode.ExtensionContext): Promise<void>
}
async function getNPMCommandPath(): Promise<string | undefined> {
if (canRunNpmInCurrentWorkspace()) {
if (vscode.workspace.isTrusted && canRunNpmInCurrentWorkspace()) {
try {
return await which(process.platform === 'win32' ? 'npm.cmd' : 'npm');
} catch (e) {

View File

@ -542,24 +542,8 @@ var requirejs = (function() {
return;
}
if (matchesScheme(link, Schemas.command)) {
const ret = /command\:workbench\.action\.openLargeOutput\?(.*)/.exec(link);
if (ret && ret.length === 2) {
const outputId = ret[1];
this.openerService.open(CellUri.generateCellOutputUri(this.documentUri, outputId));
return;
}
console.warn('Command links are deprecated and will be removed, use message passing instead: https://github.com/microsoft/vscode/issues/123601');
}
if (matchesScheme(link, Schemas.command)) {
if (this.workspaceTrustManagementService.isWorkspaceTrusted()) {
this.openerService.open(link, { fromUserGesture: true, allowContributedOpeners: true, allowCommands: true });
} else {
console.warn('Command links are disabled in untrusted workspaces');
}
} else if (matchesSomeScheme(link, Schemas.vscodeNotebookCell, Schemas.http, Schemas.https, Schemas.mailto)) {
this.openerService.open(link, { fromUserGesture: true, allowContributedOpeners: true, allowCommands: true });
if (matchesSomeScheme(link, Schemas.vscodeNotebookCell, Schemas.http, Schemas.https, Schemas.mailto)) {
this.openerService.open(link, { fromUserGesture: true, allowContributedOpeners: true, allowCommands: false });
}
}));
@ -670,12 +654,14 @@ var requirejs = (function() {
}
case 'clicked-link': {
let linkToOpen: URI | string | undefined;
if (matchesScheme(data.href, Schemas.command)) {
const ret = /command\:workbench\.action\.openLargeOutput\?(.*)/.exec(data.href);
if (ret && ret.length === 2) {
const outputId = ret[1];
const group = this.editorGroupService.activeGroup;
if (matchesScheme(data.href, Schemas.command)) {
// We allow a very limited set of commands
const uri = URI.parse(data.href);
switch (uri.path) {
case 'workbench.action.openLargeOutput': {
const outputId = uri.query;
const group = this.editorGroupService.activeGroup;
if (group) {
if (group.activeEditor) {
group.pinEditor(group.activeEditor);
@ -685,8 +671,18 @@ var requirejs = (function() {
this.openerService.open(CellUri.generateCellOutputUri(this.documentUri, outputId));
return;
}
case 'github-issues.authNow':
case 'workbench.extensions.search':
case 'workbench.action.openSettings': {
this.openerService.open(data.href, { fromUserGesture: true, allowCommands: true, fromWorkspace: true });
return;
}
if (matchesSomeScheme(data.href, Schemas.http, Schemas.https, Schemas.mailto, Schemas.command, Schemas.vscodeNotebookCell, Schemas.vscodeNotebook)) {
}
return;
}
if (matchesSomeScheme(data.href, Schemas.http, Schemas.https, Schemas.mailto, Schemas.vscodeNotebookCell, Schemas.vscodeNotebook)) {
linkToOpen = data.href;
} else if (!/^[\w\-]+:/.test(data.href)) {
const fragmentStartIndex = data.href.lastIndexOf('#');
@ -717,7 +713,7 @@ var requirejs = (function() {
}
if (linkToOpen) {
this.openerService.open(linkToOpen, { fromUserGesture: true, allowCommands: true });
this.openerService.open(linkToOpen, { fromUserGesture: true, allowCommands: false });
}
break;
}

View File

@ -24,6 +24,8 @@ import { TerminalSettingId } from 'vs/platform/terminal/common/terminal';
import { TERMINAL_COMMAND_DECORATION_DEFAULT_BACKGROUND_COLOR, TERMINAL_COMMAND_DECORATION_ERROR_BACKGROUND_COLOR, TERMINAL_COMMAND_DECORATION_SUCCESS_BACKGROUND_COLOR } from 'vs/workbench/contrib/terminal/common/terminalColorRegistry';
import { Color } from 'vs/base/common/color';
import { IOpenerService } from 'vs/platform/opener/common/opener';
import { INotificationService, Severity } from 'vs/platform/notification/common/notification';
const enum DecorationSelector {
CommandDecoration = 'terminal-command-decoration',
@ -59,7 +61,8 @@ export class DecorationAddon extends Disposable implements ITerminalAddon {
@IHoverService private readonly _hoverService: IHoverService,
@IConfigurationService private readonly _configurationService: IConfigurationService,
@IThemeService private readonly _themeService: IThemeService,
@IOpenerService private readonly _openerService: IOpenerService
@IOpenerService private readonly _openerService: IOpenerService,
@INotificationService private readonly _notificationService: INotificationService
) {
super();
this._register(toDisposable(() => this._dispose()));
@ -330,7 +333,15 @@ export class DecorationAddon extends Disposable implements ITerminalAddon {
}
actions.push({
class: 'rerun-command', tooltip: 'Rerun Command', dispose: () => { }, id: 'terminal.rerunCommand', label: localize("terminal.rerunCommand", 'Rerun Command'), enabled: true,
run: async () => {
this._notificationService.prompt(Severity.Info, localize('rerun', 'Do you want to run the command: {0}', command.command), [{
label: localize('yes', 'Yes'),
run: () => this._onDidRequestRunCommand.fire({ command })
}, {
label: localize('no', 'No'),
run: () => { }
}]);
}
});
actions.push({
class: 'how-does-this-work', tooltip: 'How does this work?', dispose: () => { }, id: 'terminal.howDoesThisWork', label: localize("terminal.howDoesThisWork", 'How does this work?'), enabled: true,