diff --git a/packages/server/src/api/controllers/plugin.ts b/packages/server/src/api/controllers/plugin.ts
index eeae71b6f9..8e18d549df 100644
--- a/packages/server/src/api/controllers/plugin.ts
+++ b/packages/server/src/api/controllers/plugin.ts
@@ -1,11 +1,11 @@
 import { ObjectStoreBuckets } from "../../constants"
 import {
 extractPluginTarball,
- createNpmPlugin,
 createUrlPlugin,
 createGithubPlugin,
 loadJSFile,
 } from "../../utilities/fileSystem"
+import { createNpmPlugin } from "./plugin/utils"
 import { getGlobalDB } from "@budibase/backend-core/tenancy"
 import { generatePluginID, getPluginParams } from "../../db/utils"
 import {
@@ -148,7 +148,7 @@ export async function storePlugin(
 // TODO: this isn't safe - but we need full node environment
 // in future we should do this in a thread for safety
 try {
- //eval(js)
+ eval(js)
 } catch (err: any) {
 const message = err?.message ? err.message : JSON.stringify(err)
 throw new Error(`JS invalid: ${message}`)
diff --git a/packages/server/src/api/controllers/plugin/utils.js b/packages/server/src/api/controllers/plugin/utils.js
new file mode 100644
index 0000000000..3227a91a98
--- /dev/null
+++ b/packages/server/src/api/controllers/plugin/utils.js
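Review bot: Re-enabling `eval(js)` in storePlugin (plugin.ts, the `@@ -148,7` hunk) runs the uploaded plugin bundle inside the server process with the server's own privileges, and the only thing the surrounding try/catch uses it for is the `JS invalid` error; the TODO directly above already records that this is not safe. If the intent is a syntax check, compiling without executing gives the same failure signal: replace the call with `new vm.Script(js)` and add `import vm from "vm"` at the top of the file. If the bundle genuinely has to execute at upload time, that should happen in an isolated worker or child process rather than in the request handler. storePlugin begins and ends outside this hunk, so which callers and roles can reach this line is not visible here and should be confirmed before merging.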
@@ -0,0 +1,32 @@
+const fetch = require("node-fetch")
+import { downloadUnzipPlugin } from "../../../utilities/fileSystem"
+
+export const createNpmPlugin = async (url, name = "") => {
+ let npmTarball = url
+ let pluginName = name
+
+ if (
+ !npmTarball.includes("https://www.npmjs.com") &&
+ !npmTarball.includes("https://registry.npmjs.org")
+ ) {
+ throw "The plugin origin must be from NPM"
+ }
+
+ if (!npmTarball.includes(".tgz")) {
+ const npmPackageURl = url.replace(
+ "https://www.npmjs.com/package/",
+ "https://registry.npmjs.org/"
+ )
+ const response = await fetch(npmPackageURl)
+ if (response.status === 200) {
+ let npmDetails = await response.json()
+ pluginName = npmDetails.name
+ const npmVersion = npmDetails["dist-tags"].latest
+ npmTarball = npmDetails.versions[npmVersion].dist.tarball
+ } else {
+ throw "Cannot get package details"
+ }
+ }
+
+ return await downloadUnzipPlugin(pluginName, npmTarball)
+}
diff --git a/packages/server/src/utilities/fileSystem/index.js b/packages/server/src/utilities/fileSystem/index.js
index 92d3808a3d..7bbf1db425 100644
--- a/packages/server/src/utilities/fileSystem/index.js
+++ b/packages/server/src/utilities/fileSystem/index.js
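Review bot: The new origin check in createNpmPlugin (plugin/utils.js) uses `String.prototype.includes`, so it only tests whether an npm URL appears somewhere in the input, not that the request actually goes to an npm host; a URL on another host that carries one of those strings in its path or query still passes, and the server then fetches it. The same substring style is used for the `.tgz` test, and the `dist.tarball` value read from the registry response is handed to downloadUnzipPlugin without any check. I would parse the input with `new URL()` and compare `protocol` and `hostname` exactly against the two npm hosts, then apply the same check to the resolved tarball URL. The sketch below also throws `Error` objects instead of bare strings; whether the caller relies on the thrown value being a string is not visible in this diff, so confirm that before adopting it.
```javascript
const NPM_HOSTS = ["www.npmjs.com", "registry.npmjs.org"]

// Accept only https URLs whose host is exactly one of the npm hosts.
const assertNpmUrl = value => {
  let parsed
  try {
    parsed = new URL(value)
  } catch (err) {
    throw new Error("The plugin origin must be from NPM")
  }
  if (parsed.protocol !== "https:" || !NPM_HOSTS.includes(parsed.hostname)) {
    throw new Error("The plugin origin must be from NPM")
  }
}

export const createNpmPlugin = async (url, name = "") => {
  assertNpmUrl(url)
  // … unchanged: npmTarball / pluginName setup and registry metadata lookup …
  // re-check the tarball URL taken from the registry response before downloading
  assertNpmUrl(npmTarball)
  return await downloadUnzipPlugin(pluginName, npmTarball)
}
```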
@@ -360,29 +360,6 @@ const extractPluginTarball = async (file, ext = ".tar.gz") => {
 }
 exports.extractPluginTarball = extractPluginTarball
-exports.createNpmPlugin = async (url, name = "") => {
- let npmTarball = url
- let pluginName = name
-
- if (!npmTarball.includes(".tgz")) {
- const npmPackageURl = url.replace(
- "https://www.npmjs.com/package/",
- "https://registry.npmjs.org/"
- )
- const response = await fetch(npmPackageURl)
- if (response.status === 200) {
- let npmDetails = await response.json()
- pluginName = npmDetails.name
- const npmVersion = npmDetails["dist-tags"].latest
- npmTarball = npmDetails.versions[npmVersion].dist.tarball
- } else {
- throw "Cannot get package details"
- }
- }
-
- return await downloadUnzipPlugin(pluginName, npmTarball)
-}
-
 exports.createUrlPlugin = async (url, name = "", headers = {}) => {
 if (!url.includes(".tgz") && !url.includes(".tar.gz")) {
 throw new Error("Plugin must be compressed into a gzipped tarball.")