feat: add project write path security guard, macOS SDK auto-detection, and walkthrough improvements #304
Lightning-Lion wants to merge 1 commit into
Groupguanfang left a comment
Please fix the issues raised in the comments, and fix the errors in CI/CD.
Why has the earlier do while logic been brought back? There should be no do while here, otherwise the dialog can never be closed. Before committing, please rebase onto the latest next branch first.
Please don't add the changes to this file again; the commit feat(vscode): Add a help button in the language server error dialog box was itself merged long ago (see: 00e9bf2).
| // 测试系统路径拦截:文件系统根、DevEcoStudioProjects 根、/etc 系统目录、Home 目录根均应被拒绝 | ||
| it('rejects filesystem root and system directories', () => { | ||
| expect(() => assertWritableProjectDirectoryPath('/', '/Users/shulk')).toThrow(ProjectWritePathError) |
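Review bot: the assertion on the last line passes the literal '/' together with a fixed '/Users/shulk' home, so it only shows that the guard rejects the canonical spelling of the root. Add cases for spellings that resolve to the same locations (a trailing separator, '/etc/../', the home directory with a trailing '/') so the test demonstrates that the guard normalizes the path before comparing.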
For the home root directory test, the path can be obtained with os.homedir():
import os from 'node:os';
os.homedir();
| import type { IOnActivate, Translator } from 'unioc/vscode' | ||
| import type { FileSystemContext } from './file-system-context' | ||
| // [新增] fs 模块用于检测 DevEco Studio SDK 路径(macOS 自动检测功能) | ||
| import fs from 'node:fs' |
The latest next branch has almost no import fs from 'node:fs' left. Since this is a VS Code extension and I plan to add VS Code web support in the future, please use the fs from import * as vscode from 'vscode' rather than Node's fs.
| /** | ||
| * [新增] 校验 SDK 目录结构是否完整,返回缺失子目录的名称列表(逗号分隔),合法时返回 undefined。 | ||
| * 必须包含: ets, js, native, toolchains, previewer 五个核心子目录。 | ||
| */ |
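These subdirectories are not necessarily required: the OpenHarmony SDK allows them to be absent (it allows downloading only part of an SDK version on demand). In our extension only the ets folder is actually used, so we only need to make sure that folder exists.
I suggest validating whether the SDK is usable by checking that the ets folder exists and that it contains an oh-uni-package.json file; this approach has the lowest cost.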
| import * as vscode from 'vscode' | ||
| import { ProtocolContext } from '../../context/protocol-context' | ||
| import { InitialCallbackEvent } from '../../context/webview-context' | ||
| // [新增] 项目写入路径安全工具: |
| title: this.translator.t('project.templateMarket.extracting'), | ||
| cancellable: false, | ||
| }, async () => { | ||
| if (!fs.existsSync(uri.fsPath)) fs.mkdirSync(uri.fsPath, { recursive: true }) |
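Review bot: on the last line, fs.mkdirSync(uri.fsPath, { recursive: true }) creates the target and any missing parent directories, and nothing visible in this hunk runs uri.fsPath through assertWritableProjectDirectoryPath before that. Call the guard ahead of the mkdir so a rejected path leaves no directories behind, and drop the existsSync check, since mkdirSync with recursive: true already succeeds when the directory exists.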
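Also, as above, the switch to vscode.workspace.fs was missed here. If possible, please change this to use vscode.workspace.fs for file operations as well, and remove the node:fs reads and writes of the file system from this file.
Please see whether this file can also use the vscode.workspace.fs provided by VS Code to access the file system as far as possible, and use the vscode.Uri utilities provided by VS Code to join path strings, rather than Node APIs (except the node:os module, which only Node has; I will deal with that later when I handle VS Code web).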
| * | ||
| * 调用方:project-configuration.ts(前端表单校验)、project-server-function.ts(服务端写入前校验) | ||
| */ | ||
| import path from 'node:path' |
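Review bot: the header comment above the node:path import lists project-configuration.ts (frontend form validation) and project-server-function.ts (validation before the server-side write) as callers without saying which one is the enforcement point. State in the comment that the frontend call exists for user feedback and that the server-side call must always run before any write, since a request can reach the server function without passing through the form.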
Please see whether this file can also use the vscode.Uri utilities provided by VS Code to join path strings as far as possible, rather than Node APIs.
Please don't add the changes to this file again; the commit feat(vscode): Add a help button in the language server error dialog box was itself merged long ago (see: 00e9bf2).
| "build": "tsx scripts/build.ts", | ||
| "watch": "tsx scripts/watch.ts", | ||
| "pack": "tsx scripts/pre-process.ts && pnpm run build && vsce package", | ||
| "pack": "tsx scripts/pre-process.ts && pnpm run build && vsce package --no-dependencies", |
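Please check the current build. Have you downloaded and tested the .vsix artifact built on CI? The modified extension cannot be activated properly, and the extension host reports an error (sensitive information removed):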
2026-06-07 14:32:35.795 [info] Extension activation failure: NailyZero.vscode-naily-ets
2026-06-07 14:32:35.798 [error] Activating extension NailyZero.vscode-naily-ets failed due to an error:
2026-06-07 14:32:35.798 [error] Error: Cannot find module '@arkts/project-detector'
Require stack:
- <extension-dist>/src-iAKTVPdD.js
- <extension-dist>/client.js
- <vscode-extension-host>/extensionHostProcess.js
at Module._resolveFilename (node:internal/modules/cjs/loader:1390:15)
at n._resolveFilename (node:electron/js2c/utility_init:2:16319)
at e._resolveFilename (file:///<vscode-extension-host>/extensionHostProcess.js:224:32911)
at defaultResolveImpl (node:internal/modules/cjs/loader:1032:19)
at resolveForCJSWithHooks (node:internal/modules/cjs/loader:1037:22)
at Module._load (node:internal/modules/cjs/loader:1199:37)
at c._load (node:electron/js2c/node_init:2:17993)
at s._load (file:///<vscode-extension-host>/extensionHostProcess.js:683:2688)
at e._load (file:///<vscode-extension-host>/extensionHostProcess.js:224:32629)
at r._load (file:///<vscode-extension-host>/extensionHostProcess.js:216:26895)
at TracingChannel.traceSync (node:diagnostics_channel:328:14)
at wrapModuleLoad (node:internal/modules/cjs/loader:244:24)
at Module.require (node:internal/modules/cjs/loader:1470:12)
at require (node:internal/modules/helpers:147:16)
at Object.<anonymous> (<extension-dist>/src-iAKTVPdD.js:1:180)
at Module._compile (node:internal/modules/cjs/loader:1713:14)
at Module._extensions..js (node:internal/modules/cjs/loader:1847:10)
at Module.load (node:internal/modules/cjs/loader:1448:32)
at Module._load (node:internal/modules/cjs/loader:1270:12)
at c._load (node:electron/js2c/node_init:2:17993)
at s._load (file:///<vscode-extension-host>/extensionHostProcess.js:683:2688)
at e._load (file:///<vscode-extension-host>/extensionHostProcess.js:224:32629)
at r._load (file:///<vscode-extension-host>/extensionHostProcess.js:216:26895)
at TracingChannel.traceSync (node:diagnostics_channel:328:14)
at wrapModuleLoad (node:internal/modules/cjs/loader:244:24)
at Module.require (node:internal/modules/cjs/loader:1470:12)
at require (node:internal/modules/helpers:147:16)
at Object.<anonymous> (<extension-dist>/client.js:1:42)
at Module._compile (node:internal/modules/cjs/loader:1713:14)
at Module._extensions..js (node:internal/modules/cjs/loader:1847:10)
at Module.load (node:internal/modules/cjs/loader:1448:32)
at Module._load (node:internal/modules/cjs/loader:1270:12)
at c._load (node:electron/js2c/node_init:2:17993)
at s._load (file:///<vscode-extension-host>/extensionHostProcess.js:683:2688)
at e._load (file:///<vscode-extension-host>/extensionHostProcess.js:224:32629)
at r._load (file:///<vscode-extension-host>/extensionHostProcess.js:216:26895)
at TracingChannel.traceSync (node:diagnostics_channel:328:14)
at wrapModuleLoad (node:internal/modules/cjs/loader:244:24)
at Module.require (node:internal/modules/cjs/loader:1470:12)
at require (node:internal/modules/helpers:147:16)
at Prn._doLoadModule (file:///<vscode-extension-host>/extensionHostProcess.js:262:2141)
2026-06-07 14:32:50.096 [warning] TextEditor is closed/disposed
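I think this is caused by the --no-dependencies you added. Does this PR add any other .node dependencies? If not, please remove --no-dependencies and go back to building the extension's node_modules by copying and letting vsce do the packaging.
The extension build output can be downloaded from the CI of this PR; just choose the platform/architecture that matches your computer, and then you can install it directly into your VS Code / VS Code-like IDE: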


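🛡️ Project Write Path Security Guard
Introduces two new modules, project-write-path-guard and project-write-path-fs, which provide write-path safety for project creation and template extraction:
- Windows, Program Files, etc.), Unix system directories (/etc, /usr, /bin, /System, etc.) and the user's Home root directory for writing projects
- malicious entries such as ../ directory traversal
Related files:
- packages/vscode/src/utils/project-write-path-guard.ts
- packages/vscode/src/utils/project-write-path-fs.ts
- packages/vscode/test/project-write-path-guard.test.ts
Refactored the downloadAndExtractTemplate and createProject methods in project-server-function.ts, replacing the previous direct calls to fs.mkdirSync / fs.writeFileSync with a safe "collect → batch validate → exclusive write" flow.

🍎 macOS SDK Auto-Detection
Adds a "Use default (auto-detect from DevEco Studio)" button to the SDK path selection dialog (macOS only), which extracts the bundled OpenHarmony SDK path from /Applications/DevEco Studio.app in one click and automatically validates the completeness of the directory structure (the five core subdirectories ets, js, native, toolchains and previewer).
Related files:
- packages/vscode/src/context/server-context.ts

🚶 Walkthrough Improvements
Adds a "Create ArkTS Project" walkthrough step that guides users to create a project directly after completing environment setup.
Related files:
- packages/vscode/package.json
- packages/vscode/assets/create-project.md
- packages/vscode/assets/create-project.zh-cn.md

✨ Project Creation UX Improvements
- homeDirectory and the project name auto-fill ~/DevEcoStudioProjects/<projectName>, synced automatically when the user changes the project name; only overwritten when the user has not manually selected a path
- While homeDirectory is being fetched asynchronously, the create button shows loading and is disabled, preventing submission before the data is ready
Related files:
- packages/vscode/src/frontend/composables/project-configuration.ts
- packages/vscode/src/frontend/pages/project/index.vue

📝 Documentation Improvements
- CONTRIBUTING.md: adds notes on declaring dependencies under pnpm's strict isolation mode and improves the debug launch instructions
- README.md / README-en.md: adds a "参与开发" / "Contributing" section linking to CONTRIBUTING.md; fixes one Chinese description in the English document

📦 Dependency Updates
- @types/vscode: 1.116.0 → 1.120.0
- packages/vscode: adds the volar-service-typescript dependency (consistent with the runtime resolution requirements under nodeLinker: isolated)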
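
The "collect → batch validate → exclusive write" flow named in the description above, as an added example that is not code from this PR. The names assertProjectRoot, planWrites, writeProjectFiles and the PendingFile shape are assumptions, and node:fs is used only so the example runs stand-alone.

```typescript
import * as fs from 'node:fs'
import * as os from 'node:os'
import * as path from 'node:path'

// Hypothetical shape for one collected template entry (not the PR's own type).
interface PendingFile { relativePath: string, data: string }
interface PlannedWrite { target: string, data: string }

// Reject the filesystem root and the bare home directory as a project root.
function assertProjectRoot(projectRoot: string, home: string = os.homedir()): string {
  const root = path.resolve(projectRoot) // normalizes "..", "." and trailing separators
  if (root === path.parse(root).root || root === path.resolve(home))
    throw new Error(`refusing to create a project in ${root}`)
  return root
}

// Batch validation: resolve every entry and fail before anything touches the disk.
function planWrites(projectRoot: string, entries: PendingFile[]): PlannedWrite[] {
  const root = assertProjectRoot(projectRoot)
  const plan: PlannedWrite[] = []
  for (const entry of entries) {
    const target = path.resolve(root, entry.relativePath)
    const rel = path.relative(root, target)
    // "" is the root itself, a leading ".." escapes it, absolute means another drive.
    if (rel === '' || rel.split(path.sep)[0] === '..' || path.isAbsolute(rel))
      throw new Error(`unsafe template entry: ${entry.relativePath}`)
    if (plan.some(p => p.target === target))
      throw new Error(`duplicate template entry: ${entry.relativePath}`)
    plan.push({ target, data: entry.data })
  }
  return plan
}

// Exclusive write: flag 'wx' fails with EEXIST rather than overwriting an
// existing file or writing through a symlink planted at the target path.
function writeProjectFiles(projectRoot: string, entries: PendingFile[]): string[] {
  const plan = planWrites(projectRoot, entries)
  for (const { target, data } of plan) {
    fs.mkdirSync(path.dirname(target), { recursive: true })
    fs.writeFileSync(target, data, { flag: 'wx' })
  }
  return plan.map(p => p.target)
}
```

The containment check is lexical: a symlinked directory that already exists below the project root is not detected, which would need a realpath of the nearest existing ancestor before the comparison.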