espressif/esp-idf
1
0
Fork 0
mirror of https://github.com/espressif/esp-idf.git synced 2026-04-27 11:03:11 +00:00
Code Issues Packages Projects Releases Wiki Activity

Merge branch 'feat/extenral_components_from_valid_sources' into 'master'

Browse Source 
feat(tools): Restrict loading extension components to trusted sources

Closes DOC-13994

See merge request espressif/esp-idf!46089
This commit is contained in:
Marek Fiala
2026-04-16 15:54:38 +08:00
parent bb7fb3e35b 0092037019
commit ca08f28d22
4 changed files with 122 additions and 9 deletions
Download Patch File Download Diff File Expand all files Collapse all files
docs/en/api-guides/tools/idf-py.rst
+10
View File
@@ -501,6 +501,16 @@ Extending ``idf.py``
- **From components participating in the build**: Place a file named ``idf_ext.py`` in the project root or in a component's root directory that is registered in the project's ``CMakeLists.txt``. Component extensions are discovered after the project is configured - run ``idf.py build`` or ``idf.py reconfigure`` to make newly added commands available.
- **From Python entry points**: Any installed Python package may contribute extensions by defining an entry point in the ``idf_extension`` group. Package installation is sufficient, no project build is required.
For security reasons, component extensions are loaded from trusted sources only:
- ESP-IDF built-in components (under ``IDF_PATH/components``).
- Project components (the project's own ``components/`` directory).
- User-defined components from directories listed in ``EXTRA_COMPONENT_DIRS`` in the project's top-level ``CMakeLists.txt``.
- Espressif components from the ESP Component Registry (``https://components.espressif.com/``). Only the ``espressif/`` namespace is trusted, not all registry components.
- IDF-managed components downloaded to the ``IDF_TOOLS_PATH/root_managed_components/`` directory. Only the ``espressif/`` namespace is trusted.
Extensions from other sources (e.g., components resolved via ``git``, local ``path``, or ``override_path``) are skipped with a warning. To load extensions from all components, set ``IDF_EXTENSION_ALLOW_UNTRUSTED=1``.
.. important::
Extensions must not define subcommands or options that have the same names as the core ``idf.py`` commands. Custom actions and options are checked for name collisions, overriding defaults is not possible and a warning is printed. For Python entry points, use unique identifiers as duplicate entry point names will be ignored with a warning.
docs/zh_CN/api-guides/tools/idf-py.rst
+10
View File
@@ -501,6 +501,16 @@ ESP-IDF 支持 `CMake presets`_ 以简化多个构建配置的管理。此功能
- **参与构建的组件**:在项目根目录,或注册在项目 ``CMakeLists.txt`` 中的组件根目录,放置名为 ``idf_ext.py`` 的文件,该文件会在项目配置完成后得到识别。运行 ``idf.py build````idf.py reconfigure``,新添加的命令即可生效。
- **Python 入口点**:对于任何已安装的 Python 包,在 ``idf_extension`` 组中定义入口点后,就可以提供扩展功能。只要安装了 Python 包就可以使用扩展功能,无需重新构建项目。
出于安全考虑,组件扩展仅从可信来源加载:
- ESP-IDF 内置组件(位于 ``IDF_PATH/components`` 下)。
- 项目组件(项目自身的 ``components/`` 目录)。
- 在项目顶层 ``CMakeLists.txt`` 中,由 ``EXTRA_COMPONENT_DIRS`` 所列目录中的用户自定义组件。
- 乐鑫组件注册表 (``https://components.espressif.com/``) 中的乐鑫组件,仅 ``espressif/`` 命名空间受信任。
- 下载到 ``IDF_TOOLS_PATH/root_managed_components/`` 目录下的 IDF 托管组件。仅 ``espressif/`` 命名空间受信任。
其他来源的扩展(例如通过 ``git``、本地 ``path````override_path`` 解析的组件)会被跳过,并给出警告。若要加载所有组件中的扩展,请设置 ``IDF_EXTENSION_ALLOW_UNTRUSTED=1``
.. important::
扩展不能定义与 ``idf.py`` 命令同名的子命令或选项。系统会检查自定义的动作和选项名称是否存在冲突,不允许覆盖默认命令,如有冲突会打印警告。对于 Python 入口点,必须使用唯一标识符,否则会忽略重复的入口点名称并发出警告。