From 942fb095b632fd474bff323aadb2c6cc23f97525 Mon Sep 17 00:00:00 2001
From: ZXED
Date: Sun, 23 Jun 2024 14:41:23 +0300
Subject: [PATCH] Only allow pub.dev as Dart package repository

Because arbitrary URLs can point to non-pub compatible websites
---
 lib/package_managers/pub.dart | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/lib/package_managers/pub.dart b/lib/package_managers/pub.dart
index 5b482b8..4841788 100644
--- a/lib/package_managers/pub.dart
+++ b/lib/package_managers/pub.dart
@@ -18,7 +18,7 @@ class PubLockEntry extends LockEntry {
 required this.pubUrl });
- final String pubUrl;
+ final String? pubUrl;
 }
 class PubPackage extends Package {
@@ -132,9 +132,11 @@ class Pub extends PackageManager {
 var isDev = dependencyFlags.contains('dev');
 var packageName = packageItem.key;
 var packageMap = packageItem.value;
- String pubUrl;
+ String? pubUrl;
 try {
 pubUrl = packageMap['description']['url'] as String;
+ if(pubUrl != 'https://pub.dev')
+ pubUrl = null;
 } catch(e) {
 Log.exception(e, 'Package $packageName${isDev ? ' (dev)' : ''}, fetching description URL');
 continue;
@@ -149,7 +151,7 @@ class Pub extends PackageManager {
 var lockMeta = LockEntryMeta( version: version,
- infoUrl: '$pubUrl/api/packages/$packageName'
+ infoUrl: pubUrl == null ? null : '$pubUrl/api/packages/$packageName'
 );
 var entry = PubLockEntry( name: packageName,
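Review bot: `PubLockEntry.pubUrl` becomes nullable in the first hunk with no comment saying what null means. After this commit null stands for "the lockfile named a host other than pub.dev", not "no URL was present". A doc comment on the field would make that explicit, for example `/// Hosted repository URL from pubspec.lock; null when the entry names a host other than https://pub.dev.` Because the original value is discarded, anything built from this entry can no longer show which host the dependency was pinned to, which is the detail a supply-chain review would want to see. The class body starts outside the hunk.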
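Review bot: The allowlist test `if(pubUrl != 'https://pub.dev')` in the second hunk is an exact string match against an inline literal. A lockfile value that differs only by a trailing slash or letter case is treated as untrusted, and so is the older `https://pub.dartlang.org` default if lockfiles written by earlier SDKs are in scope. A named constant and a braced body would make the policy easier to audit, for example `const trustedPubUrls = {'https://pub.dev'};` followed by `if (!trustedPubUrls.contains(pubUrl)) { pubUrl = null; }`. The rejection is also silent: a dependency hosted somewhere other than the default repository is worth a log line through the project's logger, naming the package and the rejected URL. The surrounding loop body starts and ends outside the hunk.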
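Review bot: `packageName` is still interpolated unencoded into the path of `infoUrl` in the third hunk, and it comes from the lockfile (`packageItem.key` in the previous hunk). Pinning the host therefore does not stop a malformed name containing `/`, `?` or `#` from changing which path on that host the URL points to. Encoding the segment closes that gap: `infoUrl: pubUrl == null ? null : '$pubUrl/api/packages/${Uri.encodeComponent(packageName)}'`. Whether `LockEntryMeta.infoUrl` is declared nullable is not visible in this patch and should be confirmed, along with how callers treat a null value. The `PubLockEntry(...)` call continues past the end of the hunk.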