From 35876fb34cc94ab9dacd47a327c73981cab15157 Mon Sep 17 00:00:00 2001 From: Anders Evenrud Date: Fri, 10 Apr 2020 22:58:04 +0200 Subject: [PATCH] Only allow user packages on system VFS (#28) --- src/packages.js | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) diff --git a/src/packages.js b/src/packages.js index e02814a..5cdf1e8 100644 --- a/src/packages.js +++ b/src/packages.js @@ -31,8 +31,9 @@ const fs = require('fs-extra'); const fg = require('fast-glob'); const path = require('path'); -const Package = require('./package.js'); const consola = require('consola'); +const Package = require('./package.js'); +const {getPrefix} = require('./utils/vfs.js'); const logger = consola.withTag('Packages'); const relative = filename => filename.replace(process.cwd(), ''); @@ -155,11 +156,17 @@ class Packages { * @return {Package[]} List of packages */ async readPackageManifests(paths, user) { - const {realpath} = this.core.make('osjs/vfs'); + const {realpath, mountpoints} = this.core.make('osjs/vfs'); const {manifestFile} = this.options; const systemManifest = await readOrDefault(manifestFile); - const userManifests = await Promise.all(paths.map(async p => { + const isValidVfs = p => { + const prefix = getPrefix(p); + const mount = mountpoints.find(m => m.name === prefix); + return mount && mount.attributes.root; + }; + + const userManifests = await Promise.all(paths.filter(isValidVfs).map(async p => { const real = await realpath(`${p}/metadata.json`, user); const list = await readOrDefault(real);