Fix security issues and improve code quality based on review

Co-authored-by: hotlong <50353452+hotlong@users.noreply.github.com>

Author: Copilot

PLUGIN_SYSTEM.md

@@ -52,13 +52,13 @@ const myPlugin: PluginDefinition = {
 The `PluginSystem` class manages plugin loading, dependency resolution, and lifecycle:
 
 ```typescript
-import { PluginSystem } from '@object-ui/core';
+import { PluginSystem, ComponentRegistry } from '@object-ui/core';
 
 const pluginSystem = new PluginSystem();
 
-// Load plugins in dependency order
-await pluginSystem.loadPlugin(basePlugin);
-await pluginSystem.loadPlugin(dependentPlugin); // Requires basePlugin
+// Load plugins in dependency order (pass registry for component registration)
+await pluginSystem.loadPlugin(basePlugin, ComponentRegistry);
+await pluginSystem.loadPlugin(dependentPlugin, ComponentRegistry); // Requires basePlugin
 
 // Check plugin status
 if (pluginSystem.isLoaded('my-plugin')) {
@@ -84,19 +84,19 @@ await pluginSystem.loadPlugin({
   version: '1.0.0',
   dependencies: ['missing-plugin'], // Not loaded yet
   register: () => {}
-});
+}, ComponentRegistry);
 // Error: Missing dependency: missing-plugin required by dependent-plugin
 
 // ✅ Load in correct order
-await pluginSystem.loadPlugin(basePlugin);
-await pluginSystem.loadPlugin(dependentPlugin);
+await pluginSystem.loadPlugin(basePlugin, ComponentRegistry);
+await pluginSystem.loadPlugin(dependentPlugin, ComponentRegistry);
 ```
 
 The system also prevents unloading plugins that other plugins depend on:
 
 ```typescript
-await pluginSystem.loadPlugin(basePlugin);
-await pluginSystem.loadPlugin(dependentPlugin); // depends on basePlugin
+await pluginSystem.loadPlugin(basePlugin, ComponentRegistry);
+await pluginSystem.loadPlugin(dependentPlugin, ComponentRegistry); // depends on basePlugin
 
 // ❌ This will throw an error
 await pluginSystem.unloadPlugin('base-plugin');
@@ -357,8 +357,8 @@ const chartPluginDef = {
 const pluginSystem = new PluginSystem();
 
 async function initPlugins() {
-  await pluginSystem.loadPlugin(gridPluginDef);
-  await pluginSystem.loadPlugin(chartPluginDef);
+  await pluginSystem.loadPlugin(gridPluginDef, ComponentRegistry);
+  await pluginSystem.loadPlugin(chartPluginDef, ComponentRegistry);
 
   // All plugins are now registered and ready to use
   console.log('Loaded plugins:', pluginSystem.getLoadedPlugins());
@@ -387,7 +387,7 @@ interface PluginDefinition {
 
 ```typescript
 class PluginSystem {
-  loadPlugin(plugin: PluginDefinition): Promise<void>;
+  loadPlugin(plugin: PluginDefinition, registry: Registry): Promise<void>;
   unloadPlugin(name: string): Promise<void>;
   isLoaded(name: string): boolean;
   getPlugin(name: string): PluginDefinition | undefined;
@@ -452,9 +452,11 @@ If you're maintaining an existing plugin, here's how to migrate:
 
 2. **Use PluginSystem for dependency management:**
    ```typescript
+   import { ComponentRegistry } from '@object-ui/core';
+   
    const pluginSystem = new PluginSystem();
-   await pluginSystem.loadPlugin(basePlugin);
-   await pluginSystem.loadPlugin(featurePlugin);
+   await pluginSystem.loadPlugin(basePlugin, ComponentRegistry);
+   await pluginSystem.loadPlugin(featurePlugin, ComponentRegistry);
    ```
 
 ## Troubleshooting

packages/core/src/registry/PluginSystem.ts

@@ -25,9 +25,10 @@ export class PluginSystem {
   /**
    * Load a plugin into the system
    * @param plugin The plugin definition to load
+   * @param registry The component registry to use for registration
    * @throws Error if dependencies are missing
    */
-  async loadPlugin(plugin: PluginDefinition): Promise<void> {
+  async loadPlugin(plugin: PluginDefinition, registry: Registry): Promise<void> {
     // Check if already loaded
     if (this.loaded.has(plugin.name)) {
       console.warn(`Plugin "${plugin.name}" is already loaded. Skipping.`);
@@ -41,14 +42,23 @@ export class PluginSystem {
       }
     }
 
-    // Store plugin definition
-    this.plugins.set(plugin.name, plugin);
+    try {
+      // Execute registration
+      plugin.register(registry);
 
-    // Execute lifecycle hook
-    await plugin.onLoad?.();
+      // Store plugin definition
+      this.plugins.set(plugin.name, plugin);
+
+      // Execute lifecycle hook
+      await plugin.onLoad?.();
 
-    // Mark as loaded
-    this.loaded.add(plugin.name);
+      // Mark as loaded
+      this.loaded.add(plugin.name);
+    } catch (error) {
+      // Clean up on failure
+      this.plugins.delete(plugin.name);
+      throw error;
+    }
   }
 
   /**

packages/core/src/registry/__tests__/PluginSystem.test.ts

@@ -28,10 +28,11 @@ describe('PluginSystem', () => {
       }
     };
 
-    await pluginSystem.loadPlugin(plugin);
+    await pluginSystem.loadPlugin(plugin, registry);
 
     expect(pluginSystem.isLoaded('test-plugin')).toBe(true);
     expect(pluginSystem.getLoadedPlugins()).toContain('test-plugin');
+    expect(registry.has('test')).toBe(true);
   });
 
   it('should execute onLoad lifecycle hook', async () => {
@@ -43,7 +44,7 @@ describe('PluginSystem', () => {
       onLoad
     };
 
-    await pluginSystem.loadPlugin(plugin);
+    await pluginSystem.loadPlugin(plugin, registry);
 
     expect(onLoad).toHaveBeenCalledTimes(1);
   });
@@ -57,7 +58,7 @@ describe('PluginSystem', () => {
       onLoad
     };
 
-    await pluginSystem.loadPlugin(plugin);
+    await pluginSystem.loadPlugin(plugin, registry);
 
     expect(onLoad).toHaveBeenCalledTimes(1);
   });
@@ -71,8 +72,8 @@ describe('PluginSystem', () => {
       onLoad
     };
 
-    await pluginSystem.loadPlugin(plugin);
-    await pluginSystem.loadPlugin(plugin);
+    await pluginSystem.loadPlugin(plugin, registry);
+    await pluginSystem.loadPlugin(plugin, registry);
 
     expect(onLoad).toHaveBeenCalledTimes(1);
   });
@@ -85,7 +86,7 @@ describe('PluginSystem', () => {
       register: () => {}
     };
 
-    await expect(pluginSystem.loadPlugin(plugin)).rejects.toThrow(
+    await expect(pluginSystem.loadPlugin(plugin, registry)).rejects.toThrow(
       'Missing dependency: base-plugin required by dependent-plugin'
     );
   });
@@ -104,8 +105,8 @@ describe('PluginSystem', () => {
       register: () => {}
     };
 
-    await pluginSystem.loadPlugin(basePlugin);
-    await pluginSystem.loadPlugin(dependentPlugin);
+    await pluginSystem.loadPlugin(basePlugin, registry);
+    await pluginSystem.loadPlugin(dependentPlugin, registry);
 
     expect(pluginSystem.isLoaded('base-plugin')).toBe(true);
     expect(pluginSystem.isLoaded('dependent-plugin')).toBe(true);
@@ -120,7 +121,7 @@ describe('PluginSystem', () => {
       onUnload
     };
 
-    await pluginSystem.loadPlugin(plugin);
+    await pluginSystem.loadPlugin(plugin, registry);
     expect(pluginSystem.isLoaded('test-plugin')).toBe(true);
 
     await pluginSystem.unloadPlugin('test-plugin');
@@ -143,8 +144,8 @@ describe('PluginSystem', () => {
       register: () => {}
     };
 
-    await pluginSystem.loadPlugin(basePlugin);
-    await pluginSystem.loadPlugin(dependentPlugin);
+    await pluginSystem.loadPlugin(basePlugin, registry);
+    await pluginSystem.loadPlugin(dependentPlugin, registry);
 
     await expect(pluginSystem.unloadPlugin('base-plugin')).rejects.toThrow(
       'Cannot unload plugin "base-plugin" - plugin "dependent-plugin" depends on it'
@@ -164,7 +165,7 @@ describe('PluginSystem', () => {
       register: () => {}
     };
 
-    await pluginSystem.loadPlugin(plugin);
+    await pluginSystem.loadPlugin(plugin, registry);
 
     const retrieved = pluginSystem.getPlugin('test-plugin');
     expect(retrieved).toBe(plugin);
@@ -183,12 +184,41 @@ describe('PluginSystem', () => {
       register: () => {}
     };
 
-    await pluginSystem.loadPlugin(plugin1);
-    await pluginSystem.loadPlugin(plugin2);
+    await pluginSystem.loadPlugin(plugin1, registry);
+    await pluginSystem.loadPlugin(plugin2, registry);
 
     const allPlugins = pluginSystem.getAllPlugins();
     expect(allPlugins).toHaveLength(2);
     expect(allPlugins).toContain(plugin1);
     expect(allPlugins).toContain(plugin2);
   });
+
+  it('should call register function with registry', async () => {
+    const registerFn = vi.fn();
+    const plugin: PluginDefinition = {
+      name: 'test-plugin',
+      version: '1.0.0',
+      register: registerFn
+    };
+
+    await pluginSystem.loadPlugin(plugin, registry);
+    
+    expect(registerFn).toHaveBeenCalledWith(registry);
+    expect(registerFn).toHaveBeenCalledTimes(1);
+  });
+
+  it('should cleanup on registration failure', async () => {
+    const plugin: PluginDefinition = {
+      name: 'failing-plugin',
+      version: '1.0.0',
+      register: () => {
+        throw new Error('Registration failed');
+      }
+    };
+
+    await expect(pluginSystem.loadPlugin(plugin, registry)).rejects.toThrow('Registration failed');
+    
+    expect(pluginSystem.isLoaded('failing-plugin')).toBe(false);
+    expect(pluginSystem.getPlugin('failing-plugin')).toBeUndefined();
+  });
 });

packages/create-plugin/src/index.ts

@@ -34,7 +34,18 @@ async function createPlugin(pluginName?: string, options: PluginOptions = {}) {
       type: 'text',
       name: 'name',
       message: 'Plugin name (without prefix):',
-      validate: (value) => value.length > 0 || 'Plugin name is required'
+      validate: (value) => {
+        if (value.length === 0) return 'Plugin name is required';
+        // Validate package name format
+        if (!/^[a-z0-9-]+$/.test(value)) {
+          return 'Plugin name must contain only lowercase letters, numbers, and hyphens';
+        }
+        // Prevent path traversal
+        if (value.includes('..') || value.includes('/') || value.includes('\\')) {
+          return 'Plugin name cannot contain path separators or ".."';
+        }
+        return true;
+      }
     });
     pluginName = response.name;
 
@@ -44,11 +55,29 @@ async function createPlugin(pluginName?: string, options: PluginOptions = {}) {
     }
   }
 
+  // Validate plugin name format and security
+  if (!/^[a-z0-9-]+$/.test(pluginName)) {
+    console.log(chalk.red('\n❌ Plugin name must contain only lowercase letters, numbers, and hyphens'));
+    process.exit(1);
+  }
+  
+  if (pluginName.includes('..') || pluginName.includes('/') || pluginName.includes('\\') || path.isAbsolute(pluginName)) {
+    console.log(chalk.red('\n❌ Invalid plugin name: path traversal detected'));
+    process.exit(1);
+  }
+
   // Ensure plugin name doesn't include the plugin- prefix
-  const cleanName = pluginName.replace(/^plugin-/, '');
+  const cleanName = pluginName.replace(/^plugin-/, '').replace(/^-+|-+$/g, '').replace(/-{2,}/g, '-');
+  
+  if (cleanName.length === 0) {
+    console.log(chalk.red('\n❌ Plugin name cannot be empty after sanitization'));
+    process.exit(1);
+  }
+  
   const fullPackageName = `plugin-${cleanName}`;
   const pascalCaseName = cleanName
     .split('-')
+    .filter(part => part.length > 0)
     .map(part => part.charAt(0).toUpperCase() + part.slice(1))
     .join('');
 

packages/react/src/LazyPluginLoader.tsx

@@ -36,15 +36,17 @@ export interface LazyPluginOptions {
  * );
  * ```
  */
-export function createLazyPlugin<P = any>(
+export function createLazyPlugin<P extends object = any>(
   importFn: () => Promise<{ default: React.ComponentType<P> }>,
   options?: LazyPluginOptions
 ): React.ComponentType<P> {
   const LazyComponent = lazy(importFn);
 
-  return (props: P) => (
+  const PluginWrapper: React.FC<P> = (props) => (
     <Suspense fallback={options?.fallback || null}>
-      <LazyComponent {...(props as any)} />
+      <LazyComponent {...props} />
     </Suspense>
   );
+  
+  return PluginWrapper;
 }