(pluginName: string, allowScopedPackageNames = false)
/**
 * Deny-list of shell metacharacters, used by validatePluginName to reject a
 * plugin name before it is used further.
 *
 * Matches any one of: backslash, backtick, dollar sign, ampersand, semicolon,
 * pipe. The pattern has no `g` flag, so `.test()` keeps no state between calls.
 *
 * Not matched: parentheses, angle brackets, quotes, whitespace and newlines,
 * glob characters. Path separators and `..` are checked separately in
 * validatePluginName.
 *
 * NOTE(review): whether the unmatched characters matter depends on how the
 * validated name reaches the package manager (argument array vs. a shell
 * command string), which is not visible here - confirm. An allow-list of the
 * characters a package name may contain would be stricter than this deny-list.
 * NOTE(review): with allowScopedPackageNames set, the visible slash-count check
 * applies only to names starting with '@', so an unscoped name containing '/'
 * is not rejected by that branch - confirm a later check covers it.
 */
const unsafeShellPattern = /[\\`$&;|]/;
| 11 | |
| 12 | export function validatePluginName(pluginName: string, allowScopedPackageNames = false): string | null { |
| 13 | const pluginNameWithoutPrefix = pluginName.replace(/^insomnia-plugin-/, ''); |
| 14 | |
| 15 | // Check the length of the plugin name |
| 16 | // Plugin name must be less than 214 characters |
| 17 | if (pluginNameWithoutPrefix.trim().length === 0 || pluginNameWithoutPrefix.length > 214) { |
| 18 | return 'Plugin name must not be empty or too long'; |
| 19 | } |
| 20 | |
| 21 | if (pluginNameWithoutPrefix.startsWith('@') && !allowScopedPackageNames) { |
| 22 | return 'Scoped packages are not permitted in this context. To install scoped packages, please use the Plugin Host instead.'; |
| 23 | } |
| 24 | |
| 25 | // Prevent path traversal |
| 26 | if (allowScopedPackageNames) { |
| 27 | // Allow scoped package names to contain slashes |
| 28 | if ( |
| 29 | (pluginNameWithoutPrefix.startsWith('@') && pluginNameWithoutPrefix.split('/').length > 2) || |
| 30 | pluginNameWithoutPrefix.includes('..') || |
| 31 | pluginNameWithoutPrefix.includes('\\') |
| 32 | ) { |
| 33 | return 'Plugin name must not contain path traversal characters'; |
| 34 | } |
| 35 | } else { |
| 36 | if ( |
| 37 | pluginNameWithoutPrefix.includes('..') || |
| 38 | pluginNameWithoutPrefix.includes('/') || |
| 39 | pluginNameWithoutPrefix.includes('\\') |
| 40 | ) { |
| 41 | return 'Plugin name must not contain path traversal characters'; |
| 42 | } |
| 43 | } |
| 44 | |
| 45 | if (unsafeShellPattern.test(pluginNameWithoutPrefix)) { |
| 46 | return 'Plugin name must not contain shell metacharacters'; |
| 47 | } |
| 48 | |
| 49 | if (pluginNameWithoutPrefix.trim() === '-') { |
| 50 | return 'Plugin name must not be a single dash'; |
| 51 | } |
| 52 | |
| 53 | if (pluginNameWithoutPrefix.startsWith('-')) { |
| 54 | return 'Plugin name must not start with a dash'; |
| 55 | } |
| 56 | |
| 57 | if (pluginNameWithoutPrefix.endsWith('-')) { |
| 58 | return 'Plugin name must not end with a dash'; |
| 59 | } |
| 60 | |
| 61 | if (pluginNameWithoutPrefix.match(/--/)) { |
| 62 | return 'Plugin name must not contain consecutive dashes'; |
| 63 | } |
| 64 | |
| 65 | if (pluginNameWithoutPrefix.match(/^\./)) { |
| 66 | return 'Plugin name cannot start with a period'; |
| 67 | } |
| 68 | |
| 69 | if (pluginNameWithoutPrefix.match(/^_/)) { |
no test coverage detected