From 76f3efff8f1edebb98ad57f625dc9c3b7058a07b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bar=C4=B1=C5=9F=20Soner=20U=C5=9Fakl=C4=B1?= Date: Tue, 16 Jan 2024 10:13:50 -0500 Subject: [PATCH] fix: validate plugin id in toggleActive --- public/language/en-GB/error.json | 1 + src/plugins/install.js | 5 ++++- 2 files changed, 5 insertions(+), 1 deletion(-) diff --git a/public/language/en-GB/error.json b/public/language/en-GB/error.json index 75a8328aa1..7f2511747b 100644 --- a/public/language/en-GB/error.json +++ b/public/language/en-GB/error.json @@ -255,6 +255,7 @@ "no-connection": "There seems to be a problem with your internet connection", "socket-reconnect-failed": "Unable to reach the server at this time. Click here to try again, or try again later", + "invalid-plugin-id": "Invalid plugin ID", "plugin-not-whitelisted": "Unable to install plugin – only plugins whitelisted by the NodeBB Package Manager can be installed via the ACP", "plugins-set-in-configuration": "You are not allowed to change plugin state as they are defined at runtime (config.json, environmental variables or terminal arguments), please modify the configuration instead.", "theme-not-set-in-configuration": "When defining active plugins in configuration, changing themes requires adding the new theme to the list of active plugins before updating it in the ACP", diff --git a/src/plugins/install.js b/src/plugins/install.js index 91a39da76e..21d993226d 100644 --- a/src/plugins/install.js +++ b/src/plugins/install.js @@ -12,7 +12,7 @@ const request = require('../request'); const db = require('../database'); const meta = require('../meta'); const pubsub = require('../pubsub'); -const { paths } = require('../constants'); +const { paths, pluginNamePattern } = require('../constants'); const pkgInstall = require('../cli/package-install'); const packageManager = pkgInstall.getPackageManager(); 
@@ -60,6 +60,9 @@ module.exports = function (Plugins) {
 winston.error('Cannot activate plugins while plugin state is set in the configuration (config.json, environmental variables or terminal arguments), please modify the configuration instead');
 throw new Error('[[error:plugins-set-in-configuration]]');
 }
+ if (!pluginNamePattern.test(id)) {
+ throw new Error('[[error:invalid-plugin-id]]');
+ }
 const isActive = await Plugins.isActive(id);
 if (isActive) {
 await db.sortedSetRemove('plugins:active', id);
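Review bot: The added guard `if (!pluginNamePattern.test(id))` checks only the string form of `id`, because `RegExp.prototype.test` coerces its argument to a string; a non-string value such as a one-element array whose string form matches would pass and then reach `Plugins.isActive(id)` and `db.sortedSetRemove('plugins:active', id)` unchanged. Checking the type first closes that gap: `if (typeof id !== 'string' || !pluginNamePattern.test(id)) {`. The pattern is defined in `../constants` and is not shown in this patch, so it is worth confirming there that it is anchored at both ends and has no `g`/`y` flag, since a stateful `lastIndex` would make `.test()` give different answers on successive calls. The enclosing function starts and ends outside the hunk, so later uses of `id` cannot be assessed from here.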