Use server repository instead of package defined #1119

Merged
merged 1 commit into from Mar 8, 2019

Arcanemagus commented Feb 27, 2019

Requirements

  • Filling out the template is required. Any pull request that does not include enough information to be reviewed in a timely manner may be closed at the maintainers' discretion.
  • All new code requires tests to ensure against regressions

Description of the Change

Use the repository URL returned from the atom.io server query as the URL of the repository, instead of the one defined by the package itself in its own metadata to prevent potential for impersonation of other authors.

Alternate Designs

Potential enhancements to this include making the atom.io server reject package versions where the metadata in the package doesn't agree with the repository the version is coming from. Since this hasn't been in place from the start, though, we need to either purge all packages from atom.io that don't match or implement something within Atom to hide this.

Benefits

It should now be impossible to impersonate other authors within Atom's search results when submitting a package.

Possible Drawbacks

The repository defined in the package's metadata from package.json is now entirely ignored in query results. I'm not sure what potential downsides there are to this. It may pose an additional barrier to migrating a package to another user.

The entire search method is currently untested, so this change may have side-effects that are unaccounted for.

Applicable Issues

Fixes #1118.
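
An added example, not code from this pull request or from Atom: a sketch of the selection rule described above (display the repository the server recorded, never the one the package declares), plus the mismatch check the "Alternate Designs" section proposes. The result shape (`repository.url`, `metadata.repository`), the function names and the sample records are assumptions made for illustration.

```javascript
// Added illustration. The field names (repository.url, metadata.repository)
// are an assumed search-result shape; the records below are constructed.

// Reduce the many package.json "repository" spellings to "host/owner/name".
function normalizeRepo(repo) {
  if (!repo) return null;
  let s = (typeof repo === 'string' ? repo : repo.url || '').trim();
  if (!s) return null;
  // npm shorthand: "owner/name" or "github:owner/name"
  const short = s.match(/^(?:(github|gitlab|bitbucket):)?([\w.-]+)\/([\w.-]+)$/);
  if (short) {
    const hosts = { github: 'github.com', gitlab: 'gitlab.com', bitbucket: 'bitbucket.org' };
    s = `https://${hosts[short[1] || 'github']}/${short[2]}/${short[3]}`;
  }
  // "git+https://..." and scp-style "git@host:owner/name" become plain URLs
  s = s.replace(/^git\+/, '').replace(/^[\w.-]+@([\w.-]+):/, 'ssh://$1/');
  let u;
  try { u = new URL(s); } catch (e) { return null; }
  const parts = u.pathname.replace(/\.git$/, '').split('/').filter(Boolean);
  if (parts.length < 2) return null;
  return `${u.hostname}/${parts[0]}/${parts[1]}`.toLowerCase();
}

// What a search UI should show: the repository recorded by the server.
// The package's own claim is compared for auditing, never displayed.
function resolveSearchResult(pack) {
  const serverRepo = (pack.repository && pack.repository.url) || null;
  const claimed = pack.metadata && pack.metadata.repository;
  return {
    name: pack.name,
    repository: serverRepo,
    metadataMismatch: Boolean(claimed) && normalizeRepo(serverRepo) !== normalizeRepo(claimed),
  };
}

// Constructed sample records (not real packages).
const SAMPLE_RESULTS = [
  { name: 'example-linter',
    repository: { type: 'git', url: 'https://github.com/alice/example-linter' },
    metadata: { repository: 'git+https://github.com/Alice/example-linter.git' } },
  { name: 'example-theme',
    repository: { type: 'git', url: 'https://github.com/mallory/example-theme' },
    metadata: { repository: { type: 'git', url: 'https://github.com/alice/example-theme' } } },
];

function auditSearchResults(results) {
  return results.map(resolveSearchResult);
}
```

The normalization step matters for the server-side rejection idea: without it, harmless spelling differences such as `git+https://` prefixes, `.git` suffixes or owner-name casing would be reported as mismatches.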

🐛 Use server repository instead of package defined
Use the repository URL returned from the atom.io server as the URL of 
the repository, instead of the one defined by the package itself in its 
own metadata to prevent potential for impersonation of other authors.

Fixes #1118.
@Arcanemagus

Arcanemagus commented Feb 27, 2019

Hmmm, this fixes it in the search results; however, the package still displays the wrong information if it is installed. Since the server side information is no longer available I don't think there is anything that can be done about that though.

@asheren asheren referenced this pull request Mar 8, 2019

Closed

Iteration Plan: March 4 - March 15, 2019 #18955

1 of 7 tasks complete

@jasonrudolph jasonrudolph merged commit 5250896 into master Mar 8, 2019

2 checks passed

continuous-integration/appveyor/pr AppVeyor build succeeded
continuous-integration/travis-ci/pr The Travis CI build passed

@jasonrudolph jasonrudolph deleted the la-server-repo branch Mar 8, 2019
