* Use file name whitelist to prevent RCE
Use a whitelist to validate user-provided file names. This doesn't cover
the entire range of valid filenames but should cover almost all of them
in practice. Allows letters, numbers, periods, dashes, and underscores.
Opting to use a whitelist instead of a blacklist because getting this
wrong leaves us vulnerable to an RCE attack.
* Allow alphabet characters from all languages
Updated the whitelist to /^[\p{L}0-9/.\-_]+$/u, which matches
alphanumeric characters, periods, dashes, and underscores. Unicode
property support is stage 4 so I've inlined the transpiled version.
* Only use file name whitelist on Windows
* Log error message if file name does not pass whitelist
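The whitelist check described in the commit above, as an added example that is not the project's own code: it uses the pattern quoted in the message, applies it only on Windows, and returns an error message when a name is rejected. The helper name `checkEditorFileName` and the sample file names are assumptions constructed for illustration.

```javascript
// Added example, not code from the project.
// Pattern as quoted in the commit message: letters from any script,
// digits, forward slashes, periods, dashes and underscores.
const FILE_NAME_WHITELIST = /^[\p{L}0-9/.\-_]+$/u;

// Hypothetical helper: decide whether a user-provided file name may be
// handed to the code that launches an editor process.
function checkEditorFileName(fileName, platform = process.platform) {
  // The commit applies the whitelist only on Windows.
  if (platform !== 'win32') {
    return { allowed: true, reason: null };
  }
  if (typeof fileName === 'string' && FILE_NAME_WHITELIST.test(fileName)) {
    return { allowed: true, reason: null };
  }
  // Reject anything outside the whitelist and say why, so the caller can
  // log the message instead of silently doing nothing.
  return {
    allowed: false,
    reason:
      'Could not open ' + JSON.stringify(fileName) + ' in the editor: ' +
      'the file name contains characters outside the whitelist ' +
      '(letters, numbers, periods, dashes, slashes and underscores).',
  };
}

// Constructed sample names, checked as if running on Windows.
const samples = [
  'src/App.js',          // plain ASCII path
  'src/компонент.js',    // letters from another alphabet
  'my file.js',          // space is not in the whitelist
  'a&b.js',              // shell metacharacter
  '',                    // empty name
];

for (const name of samples) {
  const result = checkEditorFileName(name, 'win32');
  if (!result.allowed) {
    console.error(result.reason);
  } else {
    console.log('ok: ' + name);
  }
}
```

Because it is a whitelist, some legitimate names (for example ones containing spaces) are refused as well, which matches the commit's remark that the pattern does not cover the entire range of valid file names.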
awk splits lines based on spaces, which causes directory names with spaces to end up in other fields. Using a for loop allows us to print from the 9th field onwards instead of just the 9th field.
If create-react-app project is ejected and webpack configuration is
modified to multi build setup FileSizeReporter would fail.
In those situations `webpackStats` parameter would contain stats array
for each build. This fix will try to access stats and then fall back
to using plain webpackStats object.
* Update the string that clears the console.
#1914
I've tested it with Windows 10 and 7, node versions from ~5.0.0 up to 7.7.0.
Didn't manage to test it on 8 but it should be fine.
* Update windows string
Add windows specific string for clearing the console.
* add support to set REACT_EDITOR to none
* change README message
* change condition to avoid problems with editor being null
* move condition to avoid extra code
* Fix path regex match bug
* Use the escape-string-regexp package to escape regex characters
* Remove redundant character escape from path
* Add removed escape of backslashes
* extra watch options regex to react-dev-utils
* fix regex
* add test
* fix eslint error
* include react-dev-utils test in CI script
* attempt to fix import error
* attempt to fix error on CI
* Update .eslintrc
* Bump dependencies
* Downgrade source-map back to 0.5.x
Not sure what changed there but our bundle snapshot doesn't match with minor changes.
I couldn't figure out how to update it, and also whether we need to tweak getPrettyURL in response.
* Implement click-to-open for babel syntax errors in build error overlay
* Add click-to-open support for lint errors and refactor parser
* Refactor code to reuse open-in-editor functionality in both build and runtime error overlays
* Fix some eslint warnings
* Add a comment about keeping middleware and dev client in sync
* Remove es6 features from webpack dev client
* Make open-in-editor functionality to work with new iframe script
* Rename `openInEditor` to `editorHandler`
- Remove indirection of openInEditorListener
- Check editorHandler for null before styling error clickable
* Fix flow errors
* Allow the dev server to watch for changes in src/node_modules
* fix eslint error
* fix broken regex
* handle trailing slash edge case for file paths
Closes #2760
Fixes #3223
* Auto-detect running editor on Linux for error overlay
Basic support of auto detecting running editor for #2636.
Tested on Ubuntu 16.04.
It detects few editors. JetBrains products should start by
wrapper like /usr/local/bin/webstorm. Otherwise it takes a
lot of time to open editor.
* Comments fixed.
* List all processes owned by you
* Comment rewording
* Convert react-error-overlay to React
* Update compile-time error overlay to use react-error-overlay components
* Refactor react-error-overlay components to container and presentational components.
* Make the compile-time error overlay a part of react-error-overlay package.
* Use react-error-overlay as dependency in react-dev-utils to show compile-time errors.
* Run Prettier
* Move the function name fix into StackFrame itself
* Fix clicking on source code snippet to open the code in editor
* Use exact objects + minor style tweak
* Don't linkify frames that don't exist on the disk
* Fix lint
* Consolidate iframe rendering logic
* Remove circular dependency between react-dev-utils and react-error-overlay
* Fix lint
* Fix decoupling of react-dev-utils and react-error-overlay by moving middleware
* Deduplicate identical errors
* Allow importing package.json
* Remove package.json import from App.js template
* fix importing package.json
* Rename variable to reflect path is relative to root
* Check for both package & package.json in ModuleScopePlugin
* Use regex to check relative path to package.json
* Strictly enforce package.json extension on scope plugin
* Add allowedPaths to ModuleScopePlugin ctor and use it to allow app package.json
* Remove package.json import from App.js template
* Add package.json to react-scripts/template, show package version and name in the template
* Remove import package.json from template
* Remove template/package.json and its references in code
* Update ModuleScopePlugin.js
* Update README.md
* format UglifyJs error
* move formatBuildError to react-dev-utils
* fix readme
* use regex for plucking the path from stack
* make path human readable and fallback to show error if regex not matched
* rename to printBuildError and add link to the docs
* fix link indentation
* improve readability + shorten link
* Remove note about webpackHotDevClient being webpack 1.0 only
It must work in webpack 2 since create-react-app is still using it and is using webpack 2 now.
It would be great if you could add some kind of note about how it differs from the default webpack hot reloaders.
* Update README.md
* Update README.md