The only remaining problem is that this RegExp can't be parsed with our current ESLint setup.
I'll try to fix this issue when I have the time to move away from eslint-plugin-vue-libs and bump the ESLint major version in this repository.
The vue-inspector by @webfansplz contains code that prevents some filenames from being opened with a shell command:
https://github.com/webfansplz/vite-plugin-vue-inspector/blob/main/src/launch-editor.ts#L336-L357
This is to prevent possible attacks where a crafted filename could be used to execute malicious commands.
Currently launch-editor does not have a check like this. It's hard to exploit because there is an fs.existsSync check, but for defense in depth it would be better to not let these kinds of filenames through.
The regex here https://github.com/webfansplz/vite-plugin-vue-inspector/blob/main/src/launch-editor.ts#L108-L112 looks longish, maybe a smaller list of forbidden chars does the trick too.
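
A sketch of the pre-launch check requested above, using a short denylist of forbidden characters and running before the existence check. This is an added example, not code from launch-editor or vite-plugin-vue-inspector; the character list and the names `checkEditorFilename` and `guardedLaunch` are assumptions made for illustration.

```javascript
// Added example: not code from launch-editor or vite-plugin-vue-inspector.
// Characters that cmd.exe or a POSIX shell can treat as syntax instead of data.
// This short denylist is an assumption made for illustration.
const SHELL_META = /[&|;<>^%!"'`$\r\n\0]/;

// Returns { ok: true } or { ok: false, reason } without touching the filesystem,
// so it can run before (not instead of) an fs.existsSync check.
function checkEditorFilename(fileName) {
  if (typeof fileName !== 'string' || fileName.length === 0) {
    return { ok: false, reason: 'empty or non-string filename' };
  }
  const hit = SHELL_META.exec(fileName);
  if (hit) {
    return {
      ok: false,
      reason: `shell metacharacter ${JSON.stringify(hit[0])} at index ${hit.index}`,
    };
  }
  return { ok: true };
}

// Hypothetical wrapper: `exists` and `launch` are injected so the order of the
// guards is explicit; a caller would pass fs.existsSync and its own spawn logic.
function guardedLaunch(fileName, exists, launch) {
  const verdict = checkEditorFilename(fileName);
  if (!verdict.ok) return verdict; // rejected before any I/O or process spawn
  if (!exists(fileName)) return { ok: false, reason: 'file does not exist' };
  launch(fileName);
  return { ok: true };
}

// Constructed sample inputs: ordinary project paths and names that must be refused.
const samples = [
  'src/components/App.vue',
  'C:\\Users\\dev\\project\\src\\App.vue',
  'src/pages/[id].vue',
  'src/a.vue & echo injected',
  'src/%COMSPEC%.vue',
  'src/a.vue\nb.vue',
];
for (const s of samples) {
  console.log(JSON.stringify(s), '->', JSON.stringify(checkEditorFilename(s)));
}
```

A denylist like this only narrows what reaches the command line; passing the filename as a separate argument to a spawn call that does not go through a shell, where the platform allows it, removes the parsing step altogether.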