Skip to content

Commit 69cd612

Browse files
fix: sanitize built-in plugin name prompt (Related to CVE-14) (#6626)
* fix: sanitize built-in plugin name prompt (Related to CVE-14) * style: format js/activity.js with prettier * fix: allow underscores in plugin name validation
1 parent 423d6fe commit 69cd612

1 file changed

Lines changed: 16 additions & 4 deletions

File tree

js/activity.js

Lines changed: 16 additions & 4 deletions
Original file line numberDiff line numberDiff line change
@@ -6809,14 +6809,26 @@ class Activity {
68096809

68106810
this._doOpenPlugin = () => {
68116811
this.toolbar.closeAuxToolbar(showHideAuxMenu);
6812-
const name = prompt(
6812+
const rawName = prompt(
68136813
_("Enter the name of a built-in plugin, or leave blank to upload a plugin file:")
68146814
);
6815-
if (name === null) {
6815+
if (rawName === null) {
68166816
return; // User cancelled the operation
68176817
}
6818-
if (name.trim() !== "") {
6819-
this._loadBuiltInPlugin(name.trim().toLowerCase());
6818+
6819+
const name = rawName.trim().toLowerCase();
6820+
if (name !== "") {
6821+
// Validate: only allow safe characters (alphanumeric, hyphens, and underscores)
6822+
// This prevents path traversal attacks like "../../secrets"
6823+
if (!/^[a-z0-9\-_]+$/.test(name)) {
6824+
alert(
6825+
_(
6826+
"Invalid plugin name. Only alphanumeric characters, hyphens, and underscores are allowed."
6827+
)
6828+
);
6829+
return;
6830+
}
6831+
this._loadBuiltInPlugin(name);
68206832
} else {
68216833
this.pluginChooser.focus();
68226834
this.pluginChooser.click();

0 commit comments

Comments
 (0)