diff --git a/editors/vscode/.vscode-test.mjs b/editors/vscode/.vscode-test.mjs index b967c055ffd0c..0d2113a46c052 100644 --- a/editors/vscode/.vscode-test.mjs +++ b/editors/vscode/.vscode-test.mjs @@ -58,7 +58,6 @@ export default defineConfig({ ], env: { SINGLE_FOLDER_WORKSPACE: 'true', - OXLINT_LSP_TEST: 'true', SERVER_PATH_DEV: path.resolve(import.meta.dirname, `../../apps/oxlint/dist/cli.js`), SKIP_FORMATTER_TEST: 'true', }, diff --git a/editors/vscode/client/PathValidator.ts b/editors/vscode/client/PathValidator.ts index 6ed187fc1f106..d47e41c75787a 100644 --- a/editors/vscode/client/PathValidator.ts +++ b/editors/vscode/client/PathValidator.ts @@ -39,14 +39,5 @@ export function validateSafeBinaryPath(binary: string): boolean { } } - // Check if the filename contains `oxc_language_server` or `oxlint` - // Malicious projects might try to point to a different binary. - if ( - !binary.replaceAll('\\', '/').toLowerCase().split('/').pop()?.includes('oxc_language_server') && - !binary.replaceAll('\\', '/').toLowerCase().split('/').pop()?.includes('oxlint') - ) { - return false; - } - return true; } diff --git a/editors/vscode/client/linter.ts b/editors/vscode/client/linter.ts index ec256e4c6d32a..151bf0a226212 100644 --- a/editors/vscode/client/linter.ts +++ b/editors/vscode/client/linter.ts @@ -100,29 +100,29 @@ export async function activate( } const path = await findBinary(); - - const run: Executable = - process.env.OXLINT_LSP_TEST === 'true' - ? { - command: 'node', - args: [path!, '--lsp'], - options: { - env: serverEnv, - }, - } - : { - command: path!, - args: ['--lsp'], - options: { - // On Windows we need to run the binary in a shell to be able to execute the shell npm bin script. - // Searching for the right `.exe` file inside `node_modules/` is not reliable as it depends on - // the package manager used (npm, yarn, pnpm, etc) and the package version. - // The npm bin script is a shell script that points to the actual binary. - // Security: We validated the userDefinedBinary in `configService.getUserServerBinPath()`. - shell: process.platform === 'win32', - env: serverEnv, - }, - }; + const isNode = path.endsWith('.js') || path.endsWith('.cjs') || path.endsWith('.mjs'); + + const run: Executable = isNode + ? { + command: 'node', + args: [path!, '--lsp'], + options: { + env: serverEnv, + }, + } + : { + command: path!, + args: ['--lsp'], + options: { + // On Windows we need to run the binary in a shell to be able to execute the shell npm bin script. + // Searching for the right `.exe` file inside `node_modules/` is not reliable as it depends on + // the package manager used (npm, yarn, pnpm, etc) and the package version. + // The npm bin script is a shell script that points to the actual binary. + // Security: We validated the userDefinedBinary in `configService.getUserServerBinPath()`. + shell: process.platform === 'win32', + env: serverEnv, + }, + }; const serverOptions: ServerOptions = { run, diff --git a/editors/vscode/tests/PathValidator.spec.ts b/editors/vscode/tests/PathValidator.spec.ts index f541896f3110d..e2768fecc789b 100644 --- a/editors/vscode/tests/PathValidator.spec.ts +++ b/editors/vscode/tests/PathValidator.spec.ts @@ -37,14 +37,4 @@ suite('validateSafeBinaryPath', () => { strictEqual(validateSafeBinaryPath('oxc_language_server^&pause'), false); strictEqual(validateSafeBinaryPath('oxc_language_server & del /f *'), false); }); - - test('should reject paths not containing oxc_language_server', () => { - strictEqual(validateSafeBinaryPath('/usr/local/bin/malicious'), false); - strictEqual(validateSafeBinaryPath('fake_server'), false); - strictEqual(validateSafeBinaryPath(''), false); - strictEqual(validateSafeBinaryPath('oxc_language'), false); - strictEqual(validateSafeBinaryPath('language_server'), false); - strictEqual(validateSafeBinaryPath('/oxc_language_server/malicious'), false); - strictEqual(validateSafeBinaryPath('C:\\oxc_language_server\\evil.exe'), false); - }); });