d8dfun/claudecodeui
1
0
Fork 0
mirror of https://github.com/siteboon/claudecodeui.git synced 2026-03-14 02:17:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

fix(plugins): harden path traversal and respect enabled state

Browse Source 
Use realpathSync to canonicalize paths before the plugin asset
boundary check, preventing symlink-based traversal bypasses that
could escape the plugin directory.

PluginTabContent now guards on plugin.enabled before mounting the
plugin module, and re-mounts when the enabled state changes so
toggling a plugin takes effect without a page reload.

PluginIcon safely handles a missing iconFile prop and skips
processing non-OK fetch responses instead of attempting to parse
error bodies as SVG.

Register 'plugins' as a known main tab so the settings router
preserves the tab on navigation.
This commit is contained in:
simosmik
2026-03-09 06:49:51 +00:00
parent a7e8b12ef4
commit efdee162c9
9 changed files with 29 additions and 18 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
src/components/plugins/PluginTabContent.tsx
View File

@@ -60,7 +60,7 @@ export default function PluginTabContent({
}, [isDarkMode, selectedProject, selectedSession]);
useEffect(() => {
if (!containerRef.current) return;
if (!containerRef.current || !plugin?.enabled) return;
let active = true;
const container = containerRef.current;
@@ -120,7 +120,7 @@ export default function PluginTabContent({
contextCallbacksRef.current.clear();
moduleRef.current = null;
};
}, [pluginName, plugin?.entry]); // re-mount only when the plugin itself changes
}, [pluginName, plugin?.entry, plugin?.enabled]); // re-mount when plugin or enabled state changes
return <div ref={containerRef} className="h-full w-full overflow-auto" />;
}