7 changes: 6 additions & 1 deletion src/node/handler/PadMessageHandler.ts
Expand Up @@ -1068,6 +1068,11 @@ const handleClientReady = async (socket:any, message: ClientReadyMessage) => {
throw new Error('corrupt pad');
}

let pluginsSanitized: any = plugins.plugins
Object.keys(plugins.plugins).forEach(function(element) {
const p: any = plugins.plugins[element].package
pluginsSanitized[element].package = {name: p.name, version: p.version};
});
Comment on lines +1071 to +1075

Action required

1. pluginssanitized mutates plugins.plugins 📘 Rule violation ☼ Reliability

The new sanitization logic assigns pluginsSanitized to plugins.plugins and then overwrites each
plugin's package, permanently removing fields like realPath/path from the shared plugin
registry. This creates a breaking behavior change because other server code expects
plugin.package.realPath to exist (e.g., to serve plugin static assets).
Agent Prompt
## Issue description
`pluginsSanitized` is currently just a reference to `plugins.plugins`, so overwriting `pluginsSanitized[element].package` mutates the global plugin registry and removes `realPath`/`path`. This can break other server code paths that rely on `plugin.package.realPath`.

## Issue Context
The intent is to sanitize what is sent to the client, not to modify the server-side plugin definitions.

## Fix Focus Areas
- src/node/handler/PadMessageHandler.ts[1071-1075]


// Warning: never ever send sessionInfo.padId to the client. If the client is read only you
// would open a security hole 1 swedish mile wide...
const canEditPadSettings = settings.enablePadWideSettings &&
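Review bot: `let pluginsSanitized: any = plugins.plugins` binds the same object rather than a copy, so the assignment inside the `forEach` rewrites `package` on the live registry for every later reader on the server, not only in the value sent to this client. Build a fresh object instead: for each key, a shallow copy of the plugin entry whose `package` is `{name: p.name, version: p.version}`, leaving `plugins.plugins` untouched. Declare it `const` with a narrower type than `any`, and add a short comment saying which `package` fields are withheld from the client and why, since the hunk does not state it.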
Expand Down Expand Up @@ -1116,7 +1121,7 @@ const handleClientReady = async (socket:any, message: ClientReadyMessage) => {
exportAvailable: exportAvailable(),
docxExport: settings.docxExport,
plugins: {
plugins: plugins.plugins,
plugins: pluginsSanitized,
parts: plugins.parts,
},
indentationOnNewLine: settings.indentationOnNewLine,
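Review bot: `parts: plugins.parts` directly below the changed line is still passed to the client unmodified, so the payload is only partly sanitized if part definitions carry fields of the same kind as those dropped from `package`. Check what the `plugins.parts` entries contain and either reduce them the same way or add a comment stating why they are safe to send as-is.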