fix(core): prevent running arbitrary code when attempting to detect p…

…lugin capabilities (#15676) (cherry picked from commit cd3d316)
nrwl · Mar 15, 2023 · c3d5041 · c3d5041
1 parent 17e4194
commit c3d5041
Showing 1 changed file with 15 additions and 6 deletions.
diff --git a/packages/nx/src/utils/plugins/plugin-capabilities.ts b/packages/nx/src/utils/plugins/plugin-capabilities.ts
@@ -6,7 +6,7 @@ import type { PluginCapabilities } from './models';
 import { hasElements } from './shared';
 import { readJsonFile } from '../fileutils';
 import { getPackageManagerCommand } from '../package-manager';
-import { loadNxPlugin, readPluginPackageJson } from '../nx-plugin';
+import { loadNxPlugin, NxPlugin, readPluginPackageJson } from '../nx-plugin';
 import { getNxRequirePaths } from '../installation-directory';
 
 function tryGetCollection<T extends object>(
@@ -35,11 +35,20 @@ export function getPluginCapabilities(
       pluginName,
       getNxRequirePaths(workspaceRoot)
     );
-    const pluginModule = loadNxPlugin(
-      pluginName,
-      getNxRequirePaths(workspaceRoot),
-      workspaceRoot
-    );
+    const pluginModule =
+      packageJson.generators ??
+      packageJson.executors ??
+      packageJson['nx-migrations'] ??
+      packageJson['schematics'] ??
+      packageJson['builders']
+        ? loadNxPlugin(
+            pluginName,
+            getNxRequirePaths(workspaceRoot),
+            workspaceRoot
+          )
+        : ({
+            name: pluginName,
+          } as NxPlugin);
     return {
       name: pluginName,
       generators: