fix: block unvetted plugin setup execution#7081
Conversation
|
✅ All Jest tests passed! This PR is ready to merge. Coverage: Statements: 44.92% | Branches: 36.46% | Functions: 49.99% | Lines: 45.35% |
|
@Sourav001254 add validation check its bug right so - [x] Bug Fix : issue number |
|
@walterbender @sum2it @omsuneri kindly review this PR |
|
This PR has merge conflicts with Please rebase your branch: # Add upstream remote (one-time setup)
git remote add upstream https://github.com/sugarlabs/musicblocks.git
# Fetch latest master and rebase
git fetch upstream
git rebase upstream/master
# Resolve any conflicts, then:
git push --force-with-lease origin YOUR_BRANCH
|
1 similar comment
|
This PR has merge conflicts with Please rebase your branch: # Add upstream remote (one-time setup)
git remote add upstream https://github.com/sugarlabs/musicblocks.git
# Fetch latest master and rebase
git fetch upstream
git rebase upstream/master
# Resolve any conflicts, then:
git push --force-with-lease origin YOUR_BRANCH
|
|
Heads up — I opened #NNNN which addresses the same gap on current master. Since this branch was cut before the |
This PR adds a focused security hardening step for plugin loading related to #7046.
Uploaded or otherwise unvetted plugins could still execute setup code through dynamically injected Blob scripts after a confirmation prompt. This change prevents unvetted plugin setup sections from being executed directly in the main application context.
Changes:-
isVettedPluginSource()helper for plugin source trust checks.BLOCKPLUGINS,GLOBALS, andONLOADsetup code from Blob script injection.