New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

fix: Prevent GrowiPlugin from being downloaded outside the plugin directory #9712

Merged

yuki-takei merged 9 commits into master from fix/161421-prevent-installation-outside-the-plugin-directory

Mar 11, 2025

Contributor

NaokiHigashi28 commented Mar 5, 2025 •

edited

Loading

Task

#161423プラグインのinstalledPathにおけるパストラバーサル/コード実行についての問題を解決する
- #161554 修正

yuki-takei and others added 4 commits

February 27, 2025 09:44


          add try-catch

467de86


          add joinAndValidatePath method

f811370


          add error handling to downloadNotExistPluginRepositories function

09add87


          add errorhandling to deletePlugin function

71bef31

changeset-bot bot commented Mar 5, 2025 •

edited

Loading

⚠️ No Changeset found

Latest commit: e885dce

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

github-actions bot added the type/bug label

NaokiHigashi28 changed the title ~~Fix: Prevent GrowiPlugin from being downloaded outside the plugin directory~~ fix: Prevent GrowiPlugin from being downloaded outside the plugin directory

NaokiHigashi28 requested a review from yuki-takei

March 5, 2025 07:06

yuki-takei requested changes

View reviewed changes

apps/app/src/features/growi-plugin/server/services/growi-plugin/growi-plugin.ts Outdated

+                        catch (deleteErr) {
+                          logger.error(deleteErr);
+                          throw new Error(`Failed to delete plugin from GrowiPlugin documents. Original error: ${deleteErr.message}`);
+                        }

Member

yuki-takei Mar 5, 2025

ここでは GrowiPlugin のデータは消さなくてもいいかなあ
logger.error に出力して、あとは飲み込めばいいと思う

Contributor Author

NaokiHigashi28 Mar 6, 2025

対応しました。

apps/app/src/features/growi-plugin/server/services/growi-plugin/growi-plugin.ts

+                  catch (err) {
+                    logger.error(err);
+                    throw new Error('Failed to constract plugin path');
+                  }

Member

yuki-takei Mar 5, 2025

回避したいのは deleteFolder

growiPluginsPath が不正なら、deleteFolder は実行せずその旨を logger.warn で出力。GrowiPlugin.deleteOne({ _id: pluginId }); は実行してほしい。

Member

yuki-takei Mar 6, 2025

これだと try-catch で catch に入らなかったら GrowiPlugin.deleteOne({ _id: pluginId }); が実行されないのでは？

Member

yuki-takei Mar 10, 2025

改めて条件整理

joinAndValidatePath が valid でも invalid でも、GrowiPlugin.deleteOne は実行する
GrowiPlugin.deleteOne が成功し、かつ (growiPluginsPath && fs.existsSync(growiPluginsPath)) なら、deleteFolder を実行する

NaokiHigashi28 added 4 commits

March 6, 2025 03:19


          do not delete while download

a07a089


          skip deletefolder when plugin path is invalid

30cac69


          make it possible to delete plugin before install

7237dac


          improve error message

062998e

NaokiHigashi28 commented

View reviewed changes

apps/app/src/features/growi-plugin/server/services/growi-plugin/growi-plugin.ts

+                    }
+                  }
+                  else {
+                    logger.warn(`Plugin path does not exist : ${growiPluginsPath}`);
                   }

Contributor Author

NaokiHigashi28 Mar 6, 2025 •

edited

Loading

import された plugin は、サーバーの起動時にインストールされるため。import してから、サーバー再起動の間にも、plugin を削除できるようにした。

yuki-takei requested changes

View reviewed changes

apps/app/src/features/growi-plugin/server/services/growi-plugin/growi-plugin.ts

+                  catch (err) {
+                    logger.error(err);
+                    throw new Error('Failed to constract plugin path');
+                  }

Member

yuki-takei Mar 6, 2025

これだと try-catch で catch に入らなかったら GrowiPlugin.deleteOne({ _id: pluginId }); が実行されないのでは？

yuki-takei requested changes

View reviewed changes

apps/app/src/features/growi-plugin/server/services/growi-plugin/growi-plugin.ts

+                  catch (err) {
+                    logger.error(err);
+                    throw new Error('Failed to constract plugin path');
+                  }

Member

yuki-takei Mar 10, 2025

改めて条件整理

joinAndValidatePath が valid でも invalid でも、GrowiPlugin.deleteOne は実行する
GrowiPlugin.deleteOne が成功し、かつ (growiPluginsPath && fs.existsSync(growiPluginsPath)) なら、deleteFolder を実行する


          simplize error handling

e885dce

yuki-takei merged commit 0edd954 into master

20 checks passed

yuki-takei deleted the fix/161421-prevent-installation-outside-the-plugin-directory branch

March 11, 2025 11:04

github-actions bot mentioned this pull request

Release v7.2.1 #9736

Open

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels