Plugin Repo: Prevent plugin authors from marking their own plugins as recommended (#9462)

packages/plugin-repo-cli/lib/validateUntrustedManifest.test.ts

@@ -0,0 +1,96 @@
+
+import validateUntrustedManifest from './validateUntrustedManifest';
+
+const originalManifests = {
+	'joplin-plugin.this.is.a.test': {
+		id: 'joplin-plugin.this.is.a.test',
+		_npm_package_name: 'joplin-plugin-this-is-a-test',
+		version: '0.0.1',
+	},
+};
+
+// Note: Most of the checks below have additional tests in other files.
+// This test suite is primarily to ensure that the checks are present.
+
+describe('validateUntrustedManifest', () => {
+	test('should only allow valid plugin IDs', () => {
+		const badManifest = {
+			id: 'bad',
+			_npm_package_name: 'joplin-plugin-test',
+			version: '1.2.34',
+		};
+
+		expect(
+			() => validateUntrustedManifest(badManifest, originalManifests),
+		).toThrow('ID cannot be shorter than');
+
+
+		const goodManifest = {
+			...badManifest,
+			id: 'this.plugin.has.a.better.id',
+		};
+
+		expect(
+			() => validateUntrustedManifest(goodManifest, originalManifests),
+		).not.toThrow();
+	});
+
+	test('should only allow valid plugin versions', () => {
+		const badManifest = {
+			id: 'joplin-plugin.this.is.a.test',
+			_npm_package_name: 'joplin-plugin-this-is-a-test',
+			version: 'bad!',
+		};
+
+		expect(
+			() => validateUntrustedManifest(badManifest, originalManifests),
+		).toThrow();
+
+
+		const goodManifest = {
+			...badManifest,
+			version: '0.0.2',
+		};
+
+		expect(
+			() => validateUntrustedManifest(goodManifest, originalManifests),
+		).not.toThrow();
+	});
+
+	test('should not allow plugin authors to mark their own plugins as recommended', () => {
+		const newManifest1 = {
+			id: 'joplin-plugin.this.is.another.test',
+			_recommended: true,
+			_npm_package_name: 'joplin-plugin-another-test',
+			version: '1.2.3',
+		};
+
+		expect(
+			() => validateUntrustedManifest(newManifest1, originalManifests),
+		).toThrow('mark itself as recommended');
+
+		// Should also throw for falsey values
+		const newManifest2 = {
+			id: 'joplin-plugin.yet.another.test',
+			_recommended: '',
+			_npm_package_name: 'another-test',
+			version: '1.2.3',
+		};
+
+		expect(
+			() => validateUntrustedManifest(newManifest2, originalManifests),
+		).toThrow('mark itself as recommended');
+	});
+
+	test('should not allow changing the NPM package for an existing plugin', () => {
+		const newManifest = {
+			id: 'joplin-plugin.this.is.a.test',
+			_npm_package_name: 'joplin-plugin-test',
+			version: '0.0.2',
+		};
+
+		expect(
+			() => validateUntrustedManifest(newManifest, originalManifests),
+		).toThrow();
+	});
+});

packages/plugin-repo-cli/lib/validateUntrustedManifest.ts

@@ -0,0 +1,29 @@
+import validatePluginId from '@joplin/lib/services/plugins/utils/validatePluginId';
+import validatePluginVersion from '@joplin/lib/services/plugins/utils/validatePluginVersion';
+import checkIfPluginCanBeAdded from './checkIfPluginCanBeAdded';
+
+// Assumes that
+// 1. manifest._npm_package_name is correct,
+// 2. other fields were set by the plugin author and are thus untrusted.
+const validateUntrustedManifest = (manifest: any, existingManifests: any) => {
+	// At this point, we need to check the manifest ID as it's used in various
+	// places including as directory name and object key in manifests.json, so
+	// it needs to be correct. It's mostly for security reasons. The other
+	// manifest properties are checked when the plugin is loaded into the app.
+	validatePluginId(manifest.id);
+	validatePluginVersion(manifest.version);
+
+	// This prevents a plugin author from marking their own plugin as _recommended
+	// or _built_in.
+	if (typeof manifest._recommended !== 'undefined') {
+		throw new Error(`Plugin ${manifest.id} cannot mark itself as recommended.`);
+	}
+
+	if (typeof manifest._built_in !== 'undefined') {
+		throw new Error(`Plugin ${manifest.id} cannot mark itself as built-in.`);
+	}
+
+	checkIfPluginCanBeAdded(existingManifests, manifest);
+};
+
+export default validateUntrustedManifest;