diff --git a/public/language/en-GB/error.json b/public/language/en-GB/error.json
index 75a8328aa1..7f2511747b 100644
--- a/public/language/en-GB/error.json
+++ b/public/language/en-GB/error.json
@@ -255,6 +255,7 @@
 "no-connection": "There seems to be a problem with your internet connection",
 "socket-reconnect-failed": "Unable to reach the server at this time. Click here to try again, or try again later",
+ "invalid-plugin-id": "Invalid plugin ID",
 "plugin-not-whitelisted": "Unable to install plugin – only plugins whitelisted by the NodeBB Package Manager can be installed via the ACP",
 "plugins-set-in-configuration": "You are not allowed to change plugin state as they are defined at runtime (config.json, environmental variables or terminal arguments), please modify the configuration instead.",
 "theme-not-set-in-configuration": "When defining active plugins in configuration, changing themes requires adding the new theme to the list of active plugins before updating it in the ACP",
diff --git a/src/plugins/install.js b/src/plugins/install.js
index 91a39da76e..21d993226d 100644
--- a/src/plugins/install.js
+++ b/src/plugins/install.js
@@ -12,7 +12,7 @@ const request = require('../request');
 const db = require('../database');
 const meta = require('../meta');
 const pubsub = require('../pubsub');
-const { paths } = require('../constants');
+const { paths, pluginNamePattern } = require('../constants');
 const pkgInstall = require('../cli/package-install');
 const packageManager = pkgInstall.getPackageManager();
@@ -60,6 +60,9 @@ module.exports = function (Plugins) {
 winston.error('Cannot activate plugins while plugin state is set in the configuration (config.json, environmental variables or terminal arguments), please modify the configuration instead');
 throw new Error('[[error:plugins-set-in-configuration]]');
 }
+ if (!pluginNamePattern.test(id)) {
+ throw new Error('[[error:invalid-plugin-id]]');
+ }
 const isActive = await Plugins.isActive(id);
 if (isActive) {
 await db.sortedSetRemove('plugins:active', id);
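Review bot: The added guard `pluginNamePattern.test(id)` coerces `id` to a string before matching, so a non-string value whose string form is a valid name (for example a one-element array) passes the check and then reaches `Plugins.isActive(id)` and `db.sortedSetRemove('plugins:active', id)` with its original type. Tightening the condition to `if (typeof id !== 'string' || !pluginNamePattern.test(id)) {` closes that gap. The pattern itself is defined in `../constants` and is not visible here, so it is worth confirming that it is anchored at both ends and carries no `g` or `y` flag, since `.test()` on such a regex keeps state between calls. The enclosing function starts and ends outside this hunk, and the other functions in this file that accept a plugin id are not shown, so whether they apply the same check cannot be confirmed from the diff.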