Allow to install packed extensions from URL or local file #1456
Conversation
Signed-off-by: Roman <[email protected]>
… in add-cluster-page) Signed-off-by: Roman <[email protected]>
Signed-off-by: Roman <[email protected]>
Signed-off-by: Roman <[email protected]>
Signed-off-by: Roman <[email protected]>
Signed-off-by: Roman <[email protected]>
ixrock
added
enhancement
ixrock
changed the title
…ard` Signed-off-by: Roman <[email protected]>
Signed-off-by: Roman <[email protected]>
ixrock
changed the title
ixrock
changed the title
Signed-off-by: Roman <[email protected]>
Signed-off-by: Roman <[email protected]>
Signed-off-by: Roman <[email protected]>
# Conflicts: # src/common/utils/index.ts
Signed-off-by: Roman <[email protected]>
|
@jakolehm PTAL / test |
Signed-off-by: Roman <[email protected]>
ixrock
changed the title
ixrock
changed the title
Signed-off-by: Roman <[email protected]>
# Conflicts: # src/renderer/components/+extensions/extensions.tsx # src/renderer/utils/downloadFile.ts
Signed-off-by: Roman <[email protected]>
Signed-off-by: Roman <[email protected]>
Signed-off-by: Roman <[email protected]>
| } | ||
|
|
||
| getExtensionDestFolder(name: string) { | ||
| return path.join(this.extensionsPath, sanitizeExtensionName(name)); |
There was a problem hiding this comment.
This sanitation is not as complete as you think. So far I don't think we put any requirements on extension names and (at least on Windows) we do not sanitize out \ or even .s.
Plus I don't see why @ cannot be part of the dest folder path.
There was a problem hiding this comment.
Anyway we have to sanitize it since name might contain / and currently loading extensions supported only from single level from ~./k8slens/extensions/<folder>
There was a problem hiding this comment.
True, but I am thinking more about security. If someone crafted the name to be @foo\..\..\/blarr on windows, this would be "sanitized" to foo\..\..\-blarr and if we were ever to say "overWrite: true" (which I think I saw in this PR somewhere) then we would be writing to some unknown place.
There was a problem hiding this comment.
It's not valid name for NPM-package (@foo\..\..\/blarr) so no need to worry about it.
@jakolehm your word?
There was a problem hiding this comment.
@Nokel81 has a point here.. I think it's possible for an attacker to handcraft a package with invalid name. Of course if user installs a malicious package then it can do even worse things via runtime ... so maybe not super critical to fix here.
Let's create a separate issue about this.
| theme="round-black" | ||
| iconLeft="link" | ||
| placeholder={`URL to packed extension (${this.supportedFormats.join(", ")})`} | ||
| validators={InputValidators.isUrl} |
There was a problem hiding this comment.
This validator is wrong, the string "123.com" is reported as invalid. Also it seems that even if the validator returns an error we can still click the "Add extensions" button
There was a problem hiding this comment.
Dunno, this is out of scope of this PR. This validator also matching to empty string which is also invalid.
There was a problem hiding this comment.
The validator being wrong is yes, but not being able to click "add extensions" if it returns an error
There was a problem hiding this comment.
So yeah, 123.com is invalid URL, try new URL("123.com") :D
Just prepend with http(s) and all good, lol.
There was a problem hiding this comment.
BTW you might want to fix this meanwhile in separated PR! :)
|
Also, I tested this with However, if I download that package and unpack it. I get the following folder structure: I think that this PR should handle correctly how npm bundles its code into tarballs. |
Signed-off-by: Roman <[email protected]>
Yes it should and I expected it to work, so you just found one more 🐞 Congrats! 🎉 (FIXED) |
Signed-off-by: Roman <[email protected]>
Signed-off-by: Roman <[email protected]>
Done:
Clipboardfor copying html-element full text-content or partial into clipboardDropFileInputto handle drag-n-dropped files from external app, e.g. Finder / other file explorer (logic adopted originally fromadd-cluster-page)Todo:
~/.k8slens/extensionsrequires #1461 #1482 (otherwise just restart the app after installation)
close #1227
Screenshots: