Add confirmation for 3rd party repos

Adds a confirmation similar to the one performed during plugin installation, when adding a 3rd party repository. The safe domain is hardcoded to be "repo.jellyfin.org" as this is very stable and we have no plans to change it. Individual mirrors don't need to be specified since this is user-input content and they should be using the main URL not the URL of a specific mirror. The confirmation message makes explicit mention of the possibility of malicious code from 3rd party repositories as well as updates that may bring it in, and suggests only adding 3rd parties from trusted people. The plugin install confirmation is also modified to use the same conditional and an altered message similar to the above, again to emphasize the potential security risks of 3rd party plugins. Finally, some additional information is added to the Developer Info section of the plugin page; specifically, the name of the repository the plugin is sourced from as well as its URL. How this is obtained is a hack, since these should probably be part of the main information about the plugin and not each specific version, but this is worked around by only showing the information from the first (i.e. newest) version.
2025-03-30 19:56:21 +00:00 · 2023-05-29 10:57:17 -04:00 · 2023-05-29 10:57:17 -04:00 · 509cbabedb
commit 509cbabedb
parent 62246fe0a9
4 changed files with 48 additions and 10 deletions
--- a/src/controllers/dashboard/plugins/add/index.js
+++ b/src/controllers/dashboard/plugins/add/index.js
@ -50,6 +50,8 @@ function renderPackage(pkg, installedPlugins, page) {
        return ip.Name == pkg.name;
    })[0];

+    console.log(pkg)
+
    populateVersions(pkg, page, installedPlugin);
    populateHistory(pkg, page);

@ -65,6 +67,11 @@ function renderPackage(pkg, installedPlugins, page) {

    $('#description', page).text(pkg.description);
    $('#developer', page).text(pkg.owner);
+    // This is a hack; the repository name and URL should be part of the global values
+    // for the plugin, not each individual version. So we just use the top (latest)
+    // version to get this information.
+    $('#repositoryName', page).text(pkg.versions[0].repositoryName);
+    $('#repositoryUrl', page).text(pkg.versions[0].repositoryUrl);

    if (installedPlugin) {
        const currentVersionText = globalize.translate('MessageYouHaveVersionInstalled', '<strong>' + installedPlugin.Version + '</strong>');
@ -82,6 +89,7 @@ function alertText(options) {

 function performInstallation(page, name, guid, version) {
    const developer = $('#developer', page).html().toLowerCase();
+    const repository_url = $('#repositoryUrl', page).html().toLowerCase();

    const alertCallback = function () {
        loading.show();
@ -94,7 +102,9 @@ function performInstallation(page, name, guid, version) {
        });
    };

-    if (developer !== 'jellyfin') {
+    // Check the repository URL for the official Jellyfin repository domain, or
+    // present the warning for 3rd party plugins.
+    if (!repository_url.startsWith("https://repo.jellyfin.org/")) {
        loading.hide();
        let msg = globalize.translate('MessagePluginInstallDisclaimer');
        msg += '<br/>';