Check scope/package name

server/pkg.go

@@ -2,6 +2,7 @@ package server
 
 import (
 	"errors"
+	"fmt"
 	"strings"
 
 	"github.com/ije/gox/utils"
@@ -21,24 +22,29 @@ func parsePkg(pathname string) (*pkg, error) {
 	scope := ""
 	packageName := a[0]
 	submodule := strings.Join(a[1:], "/")
-	if strings.HasPrefix(a[0], "@") && len(a) > 1 {
-		scope = a[0]
+	if strings.HasPrefix(packageName, "@") && len(a) > 1 {
+		scope = packageName[1:]
 		packageName = a[1]
 		submodule = strings.Join(a[2:], "/")
 	}
 
-	if strings.HasSuffix(submodule, ".d.ts") {
-		return nil, errors.New("invalid path")
+	// ref https://github.com/npm/validate-npm-package-name
+	if scope != "" && (len(scope) > 214 || !npmNaming.Is(scope)) {
+		return nil, fmt.Errorf("invalid scope '%s'", scope)
 	}
 
 	name, version := utils.SplitByLastByte(packageName, '@')
-	if scope != "" {
-		name = scope + "/" + name
+	if name != "" && (len(name) > 214 || !npmNaming.Is(name)) {
+		return nil, fmt.Errorf("invalid package name '%s'", name)
 	}
-	if name == "" {
+
+	if strings.HasSuffix(submodule, ".d.ts") {
 		return nil, errors.New("invalid path")
 	}
 
+	if scope != "" {
+		name = fmt.Sprintf("@%s/%s", scope, name)
+	}
 	if version == "" {
 		version = "latest"
 	}

server/utils.go

@@ -9,11 +9,13 @@ import (
 	"sync"
 
 	"github.com/ije/gox/utils"
+	"github.com/ije/gox/valid"
 )
 
 var (
 	regFullVersion      = regexp.MustCompile(`^\d+\.\d+\.\d+[a-zA-Z0-9\.\-]*$`)
 	regBuildVersionPath = regexp.MustCompile(`^/v\d+/`)
+	npmNaming           = valid.Validator{valid.FromTo{'a', 'z'}, valid.FromTo{'0', '9'}, valid.Eq('.'), valid.Eq('_'), valid.Eq('-')}
 )
 
 // A Country record of mmdb.