🤖 Pick PR #63401 (Also check package name validity in...) into release-6.0 (#63407)

typescript-bot · jakebailey · web-flow · commit eeae9dd0f17a · 2026-04-15T13:44:44.000-07:00
Co-authored-by: Jake Bailey &lt;5341706+jakebailey@users.noreply.github.com&gt;
diff --git a/src/testRunner/unittests/tsserver/codeFix.ts b/src/testRunner/unittests/tsserver/codeFix.ts
@@ -56,4 +56,24 @@ describe("unittests:: tsserver:: codeFix::", () => {
         });
         baselineTsserverLogs("codeFix", "install package when serialized", session);
     });
+
+    it("install package rejects invalid package names", () => {
+        const { host, session } = setup();
+        // A client could craft an applyCodeActionCommand with arbitrary package names.
+        // The server must validate and reject names with invalid characters to prevent shell injection.
+        for (const packageName of ["; echo 'hello' #", "react'test", "a/b/c"]) {
+            session.executeCommandSeq<ts.server.protocol.ApplyCodeActionCommandRequest>({
+                command: ts.server.protocol.CommandTypes.ApplyCodeActionCommand,
+                arguments: {
+                    command: {
+                        type: "install package",
+                        file: "/home/src/projects/project/src/file.ts",
+                        packageName,
+                    },
+                },
+            });
+        }
+        host.runPendingInstalls();
+        baselineTsserverLogs("codeFix", "install package rejects invalid package names", session);
+    });
 });
diff --git a/src/typingsInstallerCore/typingsInstaller.ts b/src/typingsInstallerCore/typingsInstaller.ts
@@ -239,6 +239,22 @@ export abstract class TypingsInstaller {
     /** @internal */
     installPackage(req: InstallPackageRequest): void {
         const { fileName, packageName, projectName, projectRootPath, id } = req;
+        const validationResult = JsTyping.validatePackageName(packageName);
+        if (validationResult !== JsTyping.NameValidationResult.Ok) {
+            const message = JsTyping.renderPackageNameValidationFailure(validationResult, packageName);
+            if (this.log.isEnabled()) {
+                this.log.writeLine(message);
+            }
+            const response: PackageInstalledResponse = {
+                kind: ActionPackageInstalled,
+                projectName,
+                id,
+                success: false,
+                message,
+            };
+            this.sendResponse(response);
+            return;
+        }
         const cwd = forEachAncestorDirectory(getDirectoryPath(fileName), directory => {
             if (this.installTypingHost.fileExists(combinePaths(directory, "package.json"))) {
                 return directory;
diff --git a/tests/baselines/reference/tsserver/codeFix/install-package-rejects-invalid-package-names.js b/tests/baselines/reference/tsserver/codeFix/install-package-rejects-invalid-package-names.js
