Merge pull request #2204 from tvdeyen/install-correct-npm-package

Install correct npm package
AlchemyCMS · Oct 27, 2021 · 88e3222 · 88e3222
2 parents aad1262 + 1d607f1
commit 88e3222
Show file tree

Hide file tree

Showing 4 changed files with 39 additions and 6 deletions.
diff --git a/config/brakeman.ignore b/config/brakeman.ignore
@@ -58,7 +58,7 @@
       "check_name": "MassAssignment",
       "message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys",
       "file": "app/controllers/alchemy/admin/resources_controller.rb",
-      "line": 136,
+      "line": 209,
       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
       "code": "params.require(resource_handler.namespaced_resource_name).permit!",
       "render_path": null,
@@ -86,7 +86,7 @@
           "type": "controller",
           "class": "Alchemy::Admin::ElementsController",
           "method": "fold",
-          "line": 97,
+          "line": 102,
           "file": "app/controllers/alchemy/admin/elements_controller.rb",
           "rendered": {
             "name": "alchemy/admin/elements/fold",
@@ -109,7 +109,7 @@
       "check_name": "MassAssignment",
       "message": "Specify exact keys allowed for mass assignment instead of using `permit!` which allows any keys",
       "file": "app/controllers/alchemy/admin/elements_controller.rb",
-      "line": 150,
+      "line": 155,
       "link": "https://brakemanscanner.org/docs/warning_types/mass_assignment/",
       "code": "params.fetch(:contents, {}).permit!",
       "render_path": null,
@@ -122,6 +122,26 @@
       "confidence": "Medium",
       "note": "`Alchemy::Content` is a polymorphic association of any kind of model extending `Alchemy::Essence`. Since we can't know the attributes of all potential essences we need to permit all attributes. As this all happens inside the password protected /admin namespace this can be considered a false positive."
     },
+    {
+      "warning_type": "Command Injection",
+      "warning_code": 14,
+      "fingerprint": "6addfcb9d23d2d6f699f2f3542169744ff749dc4d0a97f8ac783ab92593e1d84",
+      "check_name": "Execute",
+      "message": "Possible command injection",
+      "file": "lib/alchemy/upgrader.rb",
+      "line": 30,
+      "link": "https://brakemanscanner.org/docs/warning_types/command_injection/",
+      "code": "`yarn add @alchemy_cms/admin@~#{Alchemy.version}`",
+      "render_path": null,
+      "location": {
+        "type": "method",
+        "class": "Alchemy::Upgrader",
+        "method": "update_npm_package"
+      },
+      "user_input": "Alchemy.version",
+      "confidence": "Medium",
+      "note": "The alchemy version is safe"
+    },
     {
       "warning_type": "Cross-Site Scripting",
       "warning_code": 4,
@@ -255,6 +275,6 @@
       "note": ""
     }
   ],
-  "updated": "2021-06-29 20:56:10 +0200",
-  "brakeman_version": "5.0.1"
+  "updated": "2021-10-26 21:44:59 +0200",
+  "brakeman_version": "5.1.1"
 }
diff --git a/lib/alchemy/upgrader.rb b/lib/alchemy/upgrader.rb
@@ -24,6 +24,12 @@ def copy_new_config_file
           todo "Check the default configuration file (./config/alchemy/config.yml.defaults) for new configuration options and insert them into your config file.", "Configuration has changed"
         end
       end
+
+      def update_npm_package
+        desc "Install new npm package."
+        `yarn add @alchemy_cms/admin@~#{Alchemy.version}`
+        log "Installed new npm package."
+      end
     end
   end
 end
diff --git a/lib/generators/alchemy/install/install_generator.rb b/lib/generators/alchemy/install/install_generator.rb
@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require "rails/generators"
 require "alchemy/install/tasks"
+require "alchemy/version"
 
 module Alchemy
   module Generators
@@ -88,7 +89,7 @@ def run_webpacker_installer
       end
 
       def add_npm_package
-        run "yarn add @alchemy_cms/admin"
+        run "yarn add @alchemy_cms/admin@~#{Alchemy.version}"
       end
 
       def copy_alchemy_entry_point

diff --git a/lib/tasks/alchemy/upgrade.rake b/lib/tasks/alchemy/upgrade.rake
@@ -17,6 +17,7 @@ namespace :alchemy do
     task prepare: [
       "alchemy:upgrade:database",
       "alchemy:upgrade:config",
+      "alchemy:upgrade:package",
     ]
 
     desc "Alchemy Upgrader: Prepares the database."
@@ -30,6 +31,11 @@ namespace :alchemy do
       Alchemy::Upgrader.copy_new_config_file
     end
 
+    desc "Alchemy Upgrader: Install new Node package."
+    task package: [:environment] do
+      Alchemy::Upgrader.update_npm_package
+    end
+
     desc "Upgrade Alchemy to v5.0"
     task "5.0" => [
       "alchemy:upgrade:prepare",