Throw error for invalid extension names (#9538)

2026-03-18 10:01:29 -07:00 · 2025-09-25 14:05:49 -04:00
parent defda3a97d
commit 2d76cdf2c6
3 changed files with 44 additions and 1 deletions
--- a/packages/cli/src/config/extension.test.ts
+++ b/packages/cli/src/config/extension.test.ts
@@ -462,6 +462,28 @@ describe('extension tests', () => {
      const loadedConfig = extensions[0].config;
      expect(loadedConfig.mcpServers?.['test-server'].trust).toBeUndefined();
    });
+
+    it('should throw an error for invalid extension names', () => {
+      const consoleSpy = vi
+        .spyOn(console, 'error')
+        .mockImplementation(() => {});
+      const badExtDir = createExtension({
+        extensionsDir: userExtensionsDir,
+        name: 'bad_name',
+        version: '1.0.0',
+      });
+
+      const extension = loadExtension({
+        extensionDir: badExtDir,
+        workspaceDir: tempWorkspaceDir,
+      });
+
+      expect(extension).toBeNull();
+      expect(consoleSpy).toHaveBeenCalledWith(
+        expect.stringContaining('Invalid extension name: "bad_name"'),
+      );
+      consoleSpy.mockRestore();
+    });
  });

  describe('annotateActiveExtensions', () => {
@@ -951,6 +973,18 @@ This extension will run the following MCP servers:

      expect(mockRequestConsent).not.toHaveBeenCalled();
    });
+
+    it('should throw an error for invalid extension names', async () => {
+      const sourceExtDir = createExtension({
+        extensionsDir: tempHomeDir,
+        name: 'bad_name',
+        version: '1.0.0',
+      });
+
+      await expect(
+        installExtension({ source: sourceExtDir, type: 'local' }),
+      ).rejects.toThrow('Invalid extension name: "bad_name"');
+    });
  });

  describe('uninstallExtension', () => {
--- a/packages/cli/src/config/extension.ts
+++ b/packages/cli/src/config/extension.ts
@@ -627,6 +627,14 @@ async function maybeRequestConsentOrFail(
  }
 }

+export function validateName(name: string) {
+  if (!/^[a-zA-Z0-9-]+$/.test(name)) {
+    throw new Error(
+      `Invalid extension name: "${name}". Only letters (a-z, A-Z), numbers (0-9), and dashes (-) are allowed.`,
+    );
+  }
+}
+
 export function loadExtensionConfig(
  context: LoadExtensionContext,
 ): ExtensionConfig {
@@ -648,6 +656,7 @@ export function loadExtensionConfig(
        `Invalid configuration in ${configFilePath}: missing ${!config.name ? '"name"' : '"version"'}`,
      );
    }
+    validateName(config.name);
    return config;
  } catch (e) {
    throw new Error(