From 027a93785ebf6c6e451939a79cdb57cd58e5d851 Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Fri, 8 Dec 2023 15:50:46 +0100
Subject: [PATCH 1/2] feat: hardened JSON imports
Signed-off-by: Jan Kowalleck
---
 HISTORY.md | 5 +++++
 src/_helpers.ts | 11 +++++++++--
 src/plugin.ts | 7 +++----
 3 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/HISTORY.md b/HISTORY.md
index 3f65ada3..bab5ccb5 100644
--- a/HISTORY.md
+++ b/HISTORY.md
@@ -4,6 +4,11 @@ All notable changes to this project will be documented in this file.
 ## unreleased
+* Changed
+ * Hardened JSON imports (via [#1242])
+
+[#1242]: https://github.com/CycloneDX/cyclonedx-webpack-plugin/pull/1242
+
 ## 3.8.3 - 2023-12-01
 * Build
diff --git a/src/_helpers.ts b/src/_helpers.ts
index bb10cc73..82462721 100644
--- a/src/_helpers.ts
+++ b/src/_helpers.ts
@@ -17,7 +17,7 @@ SPDX-License-Identifier: Apache-2.0
 Copyright (c) OWASP Foundation. All Rights Reserved.
 */
-import { existsSync } from 'fs'
+import { existsSync, readFileSync } from 'fs'
 import { dirname, isAbsolute, join } from 'path'
 export interface PackageDescription {
@@ -32,7 +32,7 @@ export function getPackageDescription (path: string): PackageDescription | undef
 try {
 return {
 path: packageJson,
- packageJson: require(packageJson)
+ packageJson: loadJsonFile(packageJson)
 }
 } catch {
 return undefined
@@ -47,3 +47,10 @@ export function getPackageDescription (path: string): PackageDescription | undef
 }
 return undefined
 }
+
+export function loadJsonFile (path: string): any {
+ return JSON.parse(readFileSync(path, 'utf8'))
+ // may be replaced by `require(f, { with: { type: "json" } })`
+ // as soon as this spec is properly implemented.
+ // see https://github.com/tc39/proposal-import-attributes
+}
diff --git a/src/plugin.ts b/src/plugin.ts
index ad60b146..7febdc5f 100644
--- a/src/plugin.ts
+++ b/src/plugin.ts
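Review bot: `loadJsonFile` in the last src/_helpers.ts hunk loses one behaviour of the `require()` it replaces: Node's `.json` loader strips a leading UTF-8 BOM before parsing, so a package.json saved with a BOM now makes `JSON.parse` throw — swallowed by the `catch` in `getPackageDescription` (which returns `undefined`), and with no handler in the src/plugin.ts caller within the visible lines. `return JSON.parse(readFileSync(path, 'utf8').replace(/^\uFEFF/, ''))` keeps the old tolerance. The `any` return type also hands untyped data to every caller; `unknown` would force the shape check at the use site, and a TSDoc header such as `/** Reads and parses a JSON file directly, bypassing the module loader so the path can never resolve to executable code. */` would record why `require` was dropped. The in-body comment mentions `require(f, { with: … })`, but the linked proposal, as far as I can tell, defines attributes for `import` declarations and `import()`, not `require`, so `import(f, { with: { type: 'json' } })` would match the reference.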
@@ -23,7 +23,7 @@ import * as normalizePackageJson from 'normalize-package-data'
 import { join as joinPath, resolve } from 'path'
 import { Compilation, type Compiler, sources } from 'webpack'
-import { getPackageDescription } from './_helpers'
+import { getPackageDescription, loadJsonFile } from './_helpers'
 import { Extractor } from './extractor'
 type WebpackLogger = Compilation['logger']
@@ -334,7 +334,7 @@ export class CycloneDxWebpackPlugin {
 * #makeTools (builder: CDX.Builders.FromNodePackageJson.ToolBuilder, logger: WebpackLogger): Generator {
 /* eslint-disable-next-line @typescript-eslint/no-var-requires */
- const packageJsonPaths = ['../package.json']
+ const packageJsonPaths = [resolve(module.path, '..', 'package.json')]
 const libs = [
 '@cyclonedx/cyclonedx-library'
@@ -355,8 +355,7 @@ export class CycloneDxWebpackPlugin {
 for (const packageJsonPath of packageJsonPaths) {
 logger.log('try to build new Tool from PkgPath', packageJsonPath)
- /* eslint-disable-next-line @typescript-eslint/no-var-requires */
- const packageJson = require(packageJsonPath)
+ const packageJson = loadJsonFile(packageJsonPath)
 normalizePackageJson(packageJson, w => { logger.debug('normalizePackageJson from PkgPath', packageJsonPath, 'caused:', w) })
 const tool = builder.makeTool(packageJson)
 if (tool !== undefined) {
From 54b9aa2ab8b542b82cf196236d100a0b0f69810a Mon Sep 17 00:00:00 2001
From: Jan Kowalleck
Date: Fri, 8 Dec 2023 15:55:39 +0100
Subject: [PATCH 2/2] tidy
Signed-off-by: Jan Kowalleck
---
 src/plugin.ts | 1 -
 1 file changed, 1 deletion(-)
diff --git a/src/plugin.ts b/src/plugin.ts
index 7febdc5f..fcdb612c 100644
--- a/src/plugin.ts
+++ b/src/plugin.ts
@@ -333,7 +333,6 @@ export class CycloneDxWebpackPlugin {
 }
 * #makeTools (builder: CDX.Builders.FromNodePackageJson.ToolBuilder, logger: WebpackLogger): Generator {
- /* eslint-disable-next-line @typescript-eslint/no-var-requires */
 const packageJsonPaths = [resolve(module.path, '..', 'package.json')]
 const libs = [
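Review bot: `resolve(module.path, '..', 'package.json')` in the `#makeTools` hunk of src/plugin.ts ties the lookup to the CommonJS `module` object, which only exists when the compiled file runs as CJS and, if I recall correctly, only gained `.path` in Node 11.14; `__dirname` names the same directory under CJS without that version dependency. `const packageJsonPaths = [resolve(__dirname, '..', 'package.json')]` would keep the intent with the more widely understood API, and a comment on that line, `// this plugin's own package.json, one level above the compiled file`, would explain the `'..'`. The `loadJsonFile(packageJsonPath)` call in the following hunk has no error handling within the visible lines, so an unreadable or malformed file now throws out of the generator instead of skipping that candidate — worth a deliberate decision either way. `#makeTools` continues past the end of both hunks.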