From f2d7070f86ecb65ddcd3e150f5b2af00d6133236 Mon Sep 17 00:00:00 2001 From: maliming Date: Sun, 5 Apr 2026 17:38:28 +0800 Subject: [PATCH 1/5] Add --ignore-scripts flag to npm/yarn commands in ABP CLI Fixes #25209 --- .../Abp/Cli/ProjectModification/NpmPackagesUpdater.cs | 4 ++-- .../Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs | 4 ++-- .../src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs | 8 ++++---- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs index 9f2cb4d2212..f759073927c 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs +++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs @@ -380,13 +380,13 @@ protected virtual async Task RunInstallLibsAsync(string fileDirectory) protected virtual void RunYarn(string fileDirectory) { Logger.LogInformation($"Running Yarn on {fileDirectory}"); - CmdHelper.RunCmd($"npx yarn", fileDirectory); + CmdHelper.RunCmd($"npx yarn --ignore-scripts", fileDirectory); } protected virtual void RunNpmInstall(string fileDirectory) { Logger.LogInformation($"Running npm install on {fileDirectory}"); - CmdHelper.RunCmd($"npm install", fileDirectory); + CmdHelper.RunCmd($"npm install --ignore-scripts", fileDirectory); } protected virtual List GetPackageVersionList(JProperty package, string workingDirectory = null) diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs index 9b7b17d57e2..6de4f22f627 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs +++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs 
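Review bot: `npx yarn --ignore-scripts` in RunYarn assumes Yarn Classic; Yarn 2+ rejects options it does not know and disables lifecycle scripts through `enableScripts: false` in `.yarnrc.yml` (or `YARN_ENABLE_SCRIPTS=false`), so a project that pins a newer Yarn via `packageManager`/`yarnPath` would presumably fail here instead of installing safely. The flag also suppresses the project's own `prepare`/`postinstall` hooks, and it does nothing about `npx` itself fetching and executing a `yarn` package from the registry when none is installed locally, so it is a mitigation rather than a boundary. A comment on the two `RunCmd` lines would make the intent and the limitation visible: `// --ignore-scripts: do not run install/postinstall hooks of dependencies (Yarn Classic flag; Yarn 2+ needs enableScripts=false instead)`. Both methods are complete inside the hunk; the enclosing class is not.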
@@ -81,7 +81,7 @@ public async Task AddNpmPackageAsync(string directory, NpmPackageInfo npmPackage using (DirectoryHelper.ChangeCurrentDirectory(directory)) { Logger.LogInformation("yarn add " + npmPackage.Name + versionPostfix); - CmdHelper.RunCmd("npx yarn add " + npmPackage.Name + versionPostfix); + CmdHelper.RunCmd("npx yarn add " + npmPackage.Name + versionPostfix + " --ignore-scripts"); } } else @@ -149,7 +149,7 @@ public async Task AddMvcPackageAsync(string directory, NpmPackageInfo npmPackage using (DirectoryHelper.ChangeCurrentDirectory(directory)) { Logger.LogInformation("yarn add " + npmPackage.Name + versionPostfix); - CmdHelper.RunCmd("npx yarn add " + npmPackage.Name + versionPostfix); + CmdHelper.RunCmd("npx yarn add " + npmPackage.Name + versionPostfix + " --ignore-scripts"); if (skipInstallingLibs) { diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs index d3dd24c53e6..9b7ce21dc10 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs +++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs 
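Review bot: In both `yarn add` hunks the `Logger.LogInformation("yarn add " + ...)` line no longer describes the command that is actually run, since `--ignore-scripts` is appended only on the `RunCmd` line. Build the command once and log that string, e.g. `var cmd = "npx yarn add " + npmPackage.Name + versionPostfix + " --ignore-scripts";` / `Logger.LogInformation(cmd);` / `CmdHelper.RunCmd(cmd);`, so an operator reading the log sees exactly what was executed. `AddNpmPackageAsync` and `AddMvcPackageAsync` both start and end outside these hunks.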
@@ -53,26 +53,26 @@ public bool IsYarnAvailable() public void RunNpmInstall(string directory, params string[] args) { Logger.LogInformation($"Running npm install on {directory}"); - CmdHelper.RunCmd($"npm install {args.JoinAsString(" ")}", directory); + CmdHelper.RunCmd($"npm install --ignore-scripts {args.JoinAsString(" ")}", directory); } public void RunYarn(string directory) { Logger.LogInformation($"Running Yarn on {directory}"); - CmdHelper.RunCmd($"npx yarn", directory); + CmdHelper.RunCmd($"npx yarn --ignore-scripts", directory); } [Obsolete("This method is deprecated. Use 'YarnAddPackage' instead (it uses 'npx', so there is no need for 'yarn' to be globally installed.")] public void NpmInstallPackage(string package, string version, string directory) { var packageVersion = !string.IsNullOrWhiteSpace(version) ? $"@{version}" : string.Empty; - CmdHelper.RunCmd("npm install " + package + packageVersion, workingDirectory: directory); + CmdHelper.RunCmd("npm install --ignore-scripts " + package + packageVersion, workingDirectory: directory); } public void YarnAddPackage(string package, string version, string directory) { var packageVersion = !string.IsNullOrWhiteSpace(version) ? $"@{version}" : string.Empty; - CmdHelper.RunCmd("npx yarn add " + package + packageVersion, workingDirectory: directory); + CmdHelper.RunCmd("npx yarn add " + package + packageVersion + " --ignore-scripts", workingDirectory: directory); } public string GetInstalledNpmPackages() From 3ad44cb5a8865a4c3e1ffc980ade3d938325bc54 Mon Sep 17 00:00:00 2001 
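Review bot: `RunNpmInstall(string directory, params string[] args)` now puts `--ignore-scripts` before the caller-supplied `args`, which are joined unquoted and unvalidated; since npm generally lets a later flag override an earlier one, a caller passing `--no-ignore-scripts` or `--ignore-scripts=false` would silently re-enable lifecycle scripts. If the flag is meant to be non-negotiable, emit it after the arguments, `CmdHelper.RunCmd($"npm install {args.JoinAsString(" ")} --ignore-scripts", directory);`, or reject `args` entries that start with `--`. The callers of this method are not visible here, so whether untrusted values can reach `args` is an open question.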
From: maliming Date: Sun, 5 Apr 2026 17:47:34 +0800 Subject: [PATCH 2/5] Implement npm package name validation and add tests for it --- .../ProjectModification/NpmPackagesUpdater.cs | 31 ++++++++++++++----- .../ProjectNpmPackageAdder.cs | 4 +++ .../Volo/Abp/Cli/Utils/NpmHelper.cs | 15 +++++++++ .../NpmPackagesUpdater_Tests.cs | 29 +++++++++++++++++ 4 files changed, 72 insertions(+), 7 deletions(-) create mode 100644 framework/test/Volo.Abp.Cli.Core.Tests/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater_Tests.cs diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs index f759073927c..4b3484936f1 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs +++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs @@ -3,6 +3,7 @@ using System.Collections.Generic; using System.IO; using System.Linq; +using System.Text.RegularExpressions; using System.Threading.Tasks; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Logging.Abstractions; 
@@ -359,18 +360,34 @@ protected virtual List GetAbpPackagesFromPackageJson(JObject fileObje var properties = dependencies.Properties().ToList(); - abpPackages - .AddRange( - properties.Where( - p => p.Name.StartsWith("@abp/") - || p.Name.StartsWith("@volo/") - || p.Name.StartsWith("@volosoft/")).ToList() - ); + foreach (var p in properties.Where( + p => p.Name.StartsWith("@abp/") + || p.Name.StartsWith("@volo/") + || p.Name.StartsWith("@volosoft/"))) + { + if (IsValidNpmPackageName(p.Name)) + { + abpPackages.Add(p); + } + else + { + Logger.LogWarning($"Skipping invalid npm package name: {p.Name}"); + } + } } return abpPackages; } + private static readonly Regex ValidNpmPackageNameRegex = new( + @"^@[a-zA-Z0-9][a-zA-Z0-9._-]*/[a-zA-Z0-9][a-zA-Z0-9._-]*$", + RegexOptions.Compiled); + + public static bool IsValidNpmPackageName(string packageName) + { + return ValidNpmPackageNameRegex.IsMatch(packageName); + } + protected virtual async Task RunInstallLibsAsync(string fileDirectory) { Logger.LogInformation("Installing client-side packages..."); diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs index 6de4f22f627..aa611221280 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs +++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs @@ -72,6 +72,8 @@ public async Task AddNpmPackageAsync(string directory, NpmPackageInfo npmPackage return; } + NpmHelper.EnsureSafePackageName(npmPackage.Name); + Logger.LogInformation($"Installing '{npmPackage.Name}' package to the project '{packageJsonFilePath}'..."); if (!File.ReadAllText(packageJsonFilePath).Contains($"\"{npmPackage.Name}\"")) 
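Review bot: The scope filter `p.Name.StartsWith("@abp/")` (and the two siblings) uses the culture-sensitive overload, which under ICU can treat ignorable code points as transparent, so a name that does not literally begin with `@abp/` can still be selected and then only caught by the regex one step later. Package names are identifiers, not text, so use an ordinal comparison: `p.Name.StartsWith("@abp/", StringComparison.Ordinal)` for each of the three prefixes. `GetAbpPackagesFromPackageJson` starts outside this hunk.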
@@ -130,6 +132,8 @@ await SourceCodeDownloadService.DownloadNpmPackageAsync( public async Task AddMvcPackageAsync(string directory, NpmPackageInfo npmPackage, string version = null, bool skipInstallingLibs = false) { + NpmHelper.EnsureSafePackageName(npmPackage.Name); + var packageJsonFilePath = Path.Combine(directory, "package.json"); if (!File.Exists(packageJsonFilePath) || File.ReadAllText(packageJsonFilePath).Contains($"\"{npmPackage.Name}\"")) diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs index 9b7ce21dc10..8684360f4d1 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs +++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs @@ -1,6 +1,7 @@ using System; using System.Collections.Generic; using System.Linq; +using System.Text.RegularExpressions; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Logging.Abstractions; using NuGet.Versioning; 
@@ -65,16 +66,30 @@ public void RunYarn(string directory) [Obsolete("This method is deprecated. Use 'YarnAddPackage' instead (it uses 'npx', so there is no need for 'yarn' to be globally installed.")] public void NpmInstallPackage(string package, string version, string directory) { + EnsureSafePackageName(package); var packageVersion = !string.IsNullOrWhiteSpace(version) ? $"@{version}" : string.Empty; CmdHelper.RunCmd("npm install --ignore-scripts " + package + packageVersion, workingDirectory: directory); } public void YarnAddPackage(string package, string version, string directory) { + EnsureSafePackageName(package); var packageVersion = !string.IsNullOrWhiteSpace(version) ? $"@{version}" : string.Empty; CmdHelper.RunCmd("npx yarn add " + package + packageVersion + " --ignore-scripts", workingDirectory: directory); } + private static readonly Regex SafePackageNameRegex = new( + @"^(@[a-zA-Z0-9][a-zA-Z0-9._-]*/)?[a-zA-Z0-9][a-zA-Z0-9._-]*$", + RegexOptions.Compiled); + + public static void EnsureSafePackageName(string packageName) + { + if (!SafePackageNameRegex.IsMatch(packageName)) + { + throw new InvalidOperationException($"Invalid npm package name detected: {packageName}"); + } + } + public string GetInstalledNpmPackages() { Logger.LogInformation("Checking installed npm global packages..."); diff --git a/framework/test/Volo.Abp.Cli.Core.Tests/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater_Tests.cs b/framework/test/Volo.Abp.Cli.Core.Tests/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater_Tests.cs new file mode 100644 index 00000000000..8b37fe36f16 --- /dev/null +++ b/framework/test/Volo.Abp.Cli.Core.Tests/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater_Tests.cs 
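Review bot: `SafePackageNameRegex` ends in `$`, and in .NET `$` (without `RegexOptions.Multiline`) also matches just before a single trailing `\n`, so `"@abp/core\n"` passes `EnsureSafePackageName` even though `\n` is not in the character class. That newline is then concatenated into `"npx yarn add " + package + packageVersion + " --ignore-scripts"`; if `CmdHelper.RunCmd` hands the string to a shell, the version and `--ignore-scripts` land on a second line and `yarn add` runs with scripts enabled. Anchor with `\z` instead: `@"^(@[a-zA-Z0-9][a-zA-Z0-9._-]*/)?[a-zA-Z0-9][a-zA-Z0-9._-]*\z"`. npm names are also lowercase-only and at most 214 characters, so `[a-z0-9]` and a length check would tighten this further without rejecting any real package.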
@@ -0,0 +1,29 @@ +using Shouldly; +using Volo.Abp.Cli.ProjectModification; +using Xunit; + +namespace Volo.Abp.Cli; + +public class NpmPackagesUpdater_Tests +{ + [Theory] + [InlineData("@abp/ng.core", true)] + [InlineData("@abp/ng.theme.shared", true)] + [InlineData("@abp/ng.components", true)] + [InlineData("@volo/abp.ng.lepton-x.core", true)] + [InlineData("@volo/abp.commercial.ng.ui", true)] + [InlineData("@volosoft/abp.ng.theme.lepton", true)] + [InlineData("@abp/core && calc.exe", false)] + [InlineData("@abp/core; rm -rf /", false)] + [InlineData("@abp/core | curl evil.com", false)] + [InlineData("@abp/core`whoami`", false)] + [InlineData("@abp/core$(id)", false)] + [InlineData("@abp/core\nnewline", false)] + [InlineData("@abp/ space", false)] + [InlineData("@abp/", false)] + [InlineData("@abp/ng core", false)] + public void IsValidNpmPackageName(string packageName, bool expected) + { + NpmPackagesUpdater.IsValidNpmPackageName(packageName).ShouldBe(expected); + } +} From 34cafde4441508ff77582fedc0eb38e0edbd4fc8 Mon Sep 17 00:00:00 2001 From: maliming Date: Sun, 5 Apr 2026 18:00:14 +0800 Subject: [PATCH 3/5] Add version validation, sanitize log output, and use CliUsageException --- .../ProjectModification/NpmPackagesUpdater.cs | 2 +- .../ProjectNpmPackageAdder.cs | 3 +++ .../Volo/Abp/Cli/Utils/NpmHelper.cs | 21 ++++++++++++++++++- 3 files changed, 24 insertions(+), 2 deletions(-) diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs index 4b3484936f1..18273053538 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs +++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs 
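Review bot: The new theory covers an embedded newline (`"@abp/core\nnewline"`) but not a bare trailing one, which is the case the .NET `$` anchor lets through; add `[InlineData("@abp/core\n", false)]` and `[InlineData("@abp/core\r", false)]` so the suite pins that a name must end exactly at the last valid character. As written the first of those would fail against the current regex, which is the point of adding it. A case with an uppercase scope such as `"@ABP/core"` would also document whether case is meant to be accepted.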
@@ -371,7 +371,7 @@ protected virtual List GetAbpPackagesFromPackageJson(JObject fileObje } else { - Logger.LogWarning($"Skipping invalid npm package name: {p.Name}"); + Logger.LogWarning($"Skipping invalid npm package name: {NpmHelper.SanitizeForLog(p.Name)}"); } } } diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs index aa611221280..8e8d52f7be3 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs +++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/ProjectNpmPackageAdder.cs @@ -73,6 +73,7 @@ public async Task AddNpmPackageAsync(string directory, NpmPackageInfo npmPackage } NpmHelper.EnsureSafePackageName(npmPackage.Name); + NpmHelper.EnsureSafeVersion(version); Logger.LogInformation($"Installing '{npmPackage.Name}' package to the project '{packageJsonFilePath}'..."); @@ -148,6 +149,8 @@ public async Task AddMvcPackageAsync(string directory, NpmPackageInfo npmPackage version = DetectAbpVersionOrNull(Path.Combine(directory, "package.json")); } + NpmHelper.EnsureSafeVersion(version); + var versionPostfix = version != null ? $"@{version}" : string.Empty; using (DirectoryHelper.ChangeCurrentDirectory(directory)) diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs index 8684360f4d1..13069c6ae11 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs +++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs 
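Review bot: In `AddMvcPackageAsync` the context line `var versionPostfix = version != null ? $"@{version}" : string.Empty;` disagrees with the new `EnsureSafeVersion`, which treats a whitespace-only version as "no version" and skips validation; a value such as `" "` therefore passes the check and produces `@ ` in the command line. Use the same predicate on both sides: `var versionPostfix = !string.IsNullOrWhiteSpace(version) ? $"@{version}" : string.Empty;`. The equivalent line in `AddNpmPackageAsync` is outside the first hunk and should be checked the same way; both methods extend beyond what is shown.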
@@ -67,6 +67,7 @@ public void RunYarn(string directory) public void NpmInstallPackage(string package, string version, string directory) { EnsureSafePackageName(package); + EnsureSafeVersion(version); var packageVersion = !string.IsNullOrWhiteSpace(version) ? $"@{version}" : string.Empty; CmdHelper.RunCmd("npm install --ignore-scripts " + package + packageVersion, workingDirectory: directory); } @@ -74,6 +75,7 @@ public void NpmInstallPackage(string package, string version, string directory) public void YarnAddPackage(string package, string version, string directory) { EnsureSafePackageName(package); + EnsureSafeVersion(version); var packageVersion = !string.IsNullOrWhiteSpace(version) ? $"@{version}" : string.Empty; CmdHelper.RunCmd("npx yarn add " + package + packageVersion + " --ignore-scripts", workingDirectory: directory); } @@ -82,14 +84,31 @@ public void YarnAddPackage(string package, string version, string directory) @"^(@[a-zA-Z0-9][a-zA-Z0-9._-]*/)?[a-zA-Z0-9][a-zA-Z0-9._-]*$", RegexOptions.Compiled); + private static readonly Regex SafeVersionRegex = new( + @"^[a-zA-Z0-9._~^><=|\-+]+$", + RegexOptions.Compiled); + public static void EnsureSafePackageName(string packageName) { if (!SafePackageNameRegex.IsMatch(packageName)) { - throw new InvalidOperationException($"Invalid npm package name detected: {packageName}"); + throw new CliUsageException($"Invalid npm package name detected: {SanitizeForLog(packageName)}"); + } + } + + public static void EnsureSafeVersion(string version) + { + if (!string.IsNullOrWhiteSpace(version) && !SafeVersionRegex.IsMatch(version)) + { + throw new CliUsageException($"Invalid npm package version detected: {SanitizeForLog(version)}"); } } + public static string SanitizeForLog(string value) + { + return Regex.Replace(value, @"[\x00-\x1F\x7F]", "?"); + } + public string GetInstalledNpmPackages() { Logger.LogInformation("Checking installed npm global packages..."); 
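Review bot: `SanitizeForLog` replaces only ASCII C0 controls and DEL, so C1 controls (`\x80`-`\x9F`, including NEL U+0085) and the Unicode line separators U+2028/U+2029 still reach the log verbatim and can break a line in consumers that honour them. A Unicode category covers all of these in one class: `return Regex.Replace(value, @"[\p{Cc}\u2028\u2029]", "?");`. `GetInstalledNpmPackages` is only partly visible here.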
From c8149d839777cbb294bb81c1ab91216d3a23e099 Mon Sep 17 00:00:00 2001 From: maliming Date: Sun, 5 Apr 2026 18:07:31 +0800 Subject: [PATCH 4/5] Tighten version regex, centralize package name validation, handle null, and add version tests --- .../ProjectModification/NpmPackagesUpdater.cs | 15 ++++---- .../Volo/Abp/Cli/Utils/NpmHelper.cs | 9 +++-- .../NpmPackagesUpdater_Tests.cs | 35 +++++++++++++++++++ 3 files changed, 51 insertions(+), 8 deletions(-) diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs index 18273053538..b9622850577 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs +++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs @@ -3,7 +3,6 @@ using System.Collections.Generic; using System.IO; using System.Linq; -using System.Text.RegularExpressions; using System.Threading.Tasks; using Microsoft.Extensions.Logging; using Microsoft.Extensions.Logging.Abstractions; @@ -379,13 +378,17 @@ protected virtual List GetAbpPackagesFromPackageJson(JObject fileObje return abpPackages; } - private static readonly Regex ValidNpmPackageNameRegex = new( - @"^@[a-zA-Z0-9][a-zA-Z0-9._-]*/[a-zA-Z0-9][a-zA-Z0-9._-]*$", - RegexOptions.Compiled); - public static bool IsValidNpmPackageName(string packageName) { - return ValidNpmPackageNameRegex.IsMatch(packageName); + try + { + NpmHelper.EnsureSafePackageName(packageName); + return true; + } + catch + { + return false; + } } protected virtual async Task RunInstallLibsAsync(string fileDirectory) diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs index 13069c6ae11..35bdf1dd37c 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs +++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/Utils/NpmHelper.cs 
@@ -85,12 +85,12 @@ public void YarnAddPackage(string package, string version, string directory) RegexOptions.Compiled); private static readonly Regex SafeVersionRegex = new( - @"^[a-zA-Z0-9._~^><=|\-+]+$", + @"^[a-zA-Z0-9._~^+\-]+$", RegexOptions.Compiled); public static void EnsureSafePackageName(string packageName) { - if (!SafePackageNameRegex.IsMatch(packageName)) + if (string.IsNullOrWhiteSpace(packageName) || !SafePackageNameRegex.IsMatch(packageName)) { throw new CliUsageException($"Invalid npm package name detected: {SanitizeForLog(packageName)}"); } @@ -106,6 +106,11 @@ public static void EnsureSafeVersion(string version) public static string SanitizeForLog(string value) { + if (value == null) + { + return "(null)"; + } + return Regex.Replace(value, @"[\x00-\x1F\x7F]", "?"); } diff --git a/framework/test/Volo.Abp.Cli.Core.Tests/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater_Tests.cs b/framework/test/Volo.Abp.Cli.Core.Tests/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater_Tests.cs index 8b37fe36f16..3d5edd6d89f 100644 --- a/framework/test/Volo.Abp.Cli.Core.Tests/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater_Tests.cs +++ b/framework/test/Volo.Abp.Cli.Core.Tests/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater_Tests.cs @@ -1,5 +1,6 @@ using Shouldly; using Volo.Abp.Cli.ProjectModification; +using Volo.Abp.Cli.Utils; using Xunit; namespace Volo.Abp.Cli; 
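Review bot: The tightened `SafeVersionRegex` still ends in `$`, which in .NET also matches before a single trailing `\n`, so `"1.0.0\n"` passes `EnsureSafeVersion`; because `YarnAddPackage` builds `"npx yarn add " + package + packageVersion + " --ignore-scripts"`, that newline would, if `RunCmd` goes through a shell, push `--ignore-scripts` onto a separate line and the add would run with scripts enabled. Use the end-of-string anchor: `@"^[a-zA-Z0-9._~^+\-]+\z"`. Note also that `^` is the escape character of `cmd.exe`, so on Windows a range like `^8.0.0` may reach yarn as `8.0.0` if the command is passed through `cmd /C`; worth confirming against `CmdHelper`.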
@@ -22,8 +23,42 @@ public class NpmPackagesUpdater_Tests [InlineData("@abp/ space", false)] [InlineData("@abp/", false)] [InlineData("@abp/ng core", false)] + [InlineData(null, false)] + [InlineData("", false)] public void IsValidNpmPackageName(string packageName, bool expected) { NpmPackagesUpdater.IsValidNpmPackageName(packageName).ShouldBe(expected); } + + [Theory] + [InlineData("1.0.0", false)] + [InlineData("^8.0.0", false)] + [InlineData("~8.0.0", false)] + [InlineData("8.0.0-preview.1", false)] + [InlineData("8.0.0-preview20260401", false)] + [InlineData("8.0.0+build.123", false)] + [InlineData("latest", false)] + [InlineData("next", false)] + [InlineData(null, false)] + [InlineData("", false)] + [InlineData("1.0.0 && calc.exe", true)] + [InlineData("1.0.0; rm -rf /", true)] + [InlineData("1.0.0 | curl evil.com", true)] + [InlineData("1.0.0`whoami`", true)] + [InlineData("1.0.0$(id)", true)] + [InlineData("1.0.0\nnewline", true)] + [InlineData(">1.0.0", true)] + [InlineData("<2.0.0", true)] + [InlineData("1.0.0|2.0.0", true)] + public void EnsureSafeVersion(string version, bool shouldThrow) + { + if (shouldThrow) + { + Should.Throw(() => NpmHelper.EnsureSafeVersion(version)); + } + else + { + Should.NotThrow(() => NpmHelper.EnsureSafeVersion(version)); + } + } } From 7cfa641befd2f226f9606e6c6798ca61426e3f35 Mon Sep 17 00:00:00 2001 From: maliming Date: Sun, 5 Apr 2026 18:13:52 +0800 Subject: [PATCH 5/5] Catch CliUsageException specifically in IsValidNpmPackageName --- .../Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs index b9622850577..9b7340fdd7d 100644 --- a/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs 
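Review bot: `EnsureSafeVersion` asserts with an untyped `Should.Throw(...)`, so any exception — including a `NullReferenceException` from a regression — would satisfy the "should throw" rows; pin the contract with `Should.Throw<CliUsageException>(() => NpmHelper.EnsureSafeVersion(version));`, which is also the type `IsValidNpmPackageName` now relies on. Add `[InlineData("1.0.0\n", true)]` to cover a bare trailing newline, which the current `$`-anchored regex accepts. Renaming the parameter to `shouldThrow` on the name theory too, or `expected` here, would keep the two theories' polarity consistent.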
+++ b/framework/src/Volo.Abp.Cli.Core/Volo/Abp/Cli/ProjectModification/NpmPackagesUpdater.cs @@ -385,7 +385,7 @@ public static bool IsValidNpmPackageName(string packageName) NpmHelper.EnsureSafePackageName(packageName); return true; } - catch + catch (CliUsageException) { return false; }
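Review bot: `IsValidNpmPackageName` still uses an exception as its control flow, constructing a `CliUsageException` (and a sanitized message) for every rejected dependency just to return `false`. Expose the predicate itself from `NpmHelper`, e.g. `public static bool IsSafePackageName(string packageName) => !string.IsNullOrWhiteSpace(packageName) && SafePackageNameRegex.IsMatch(packageName);`, have `EnsureSafePackageName` call it before throwing, and reduce this method to `=> NpmHelper.IsSafePackageName(packageName);`. The narrowed `catch (CliUsageException)` is an improvement over the bare `catch` but becomes unnecessary once the predicate is shared.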