From 5f24469ef5d21868e67075c77a4559db6d2a2dd8 Mon Sep 17 00:00:00 2001
From: X
Date: Tue, 7 Sep 2021 22:47:01 +0800
Subject: [PATCH] Check scope/package name
---
 server/pkg.go | 20 +++++++++++++-------
 server/utils.go | 2 ++
 2 files changed, 15 insertions(+), 7 deletions(-)
diff --git a/server/pkg.go b/server/pkg.go
index fd6a6c4aa..5efe04471 100644
--- a/server/pkg.go
+++ b/server/pkg.go
@@ -2,6 +2,7 @@ package server
 import (
 "errors"
+ "fmt"
 "strings"
 "github.com/ije/gox/utils"
@@ -21,24 +22,29 @@ func parsePkg(pathname string) (*pkg, error) {
 scope := ""
 packageName := a[0]
 submodule := strings.Join(a[1:], "/")
- if strings.HasPrefix(a[0], "@") && len(a) > 1 {
- scope = a[0]
+ if strings.HasPrefix(packageName, "@") && len(a) > 1 {
+ scope = packageName[1:]
 packageName = a[1]
 submodule = strings.Join(a[2:], "/")
 }
- if strings.HasSuffix(submodule, ".d.ts") {
- return nil, errors.New("invalid path")
+ // ref https://github.com/npm/validate-npm-package-name
+ if scope != "" && (len(scope) > 214 || !npmNaming.Is(scope)) {
+ return nil, fmt.Errorf("invalid scope '%s'", scope)
 }
 name, version := utils.SplitByLastByte(packageName, '@')
- if scope != "" {
- name = scope + "/" + name
+ if name != "" && (len(name) > 214 || !npmNaming.Is(name)) {
+ return nil, fmt.Errorf("invalid package name '%s'", name)
 }
- if name == "" {
+
+ if strings.HasSuffix(submodule, ".d.ts") {
 return nil, errors.New("invalid path")
 }
+ if scope != "" {
+ name = fmt.Sprintf("@%s/%s", scope, name)
+ }
 if version == "" {
 version = "latest"
 }
diff --git a/server/utils.go b/server/utils.go
index ba94a3a3c..341763e33 100644
--- a/server/utils.go
+++ b/server/utils.go
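Review bot: In the second hunk of server/pkg.go the new name check is guarded by `name != ""` while the old `if name == ""` rejection is removed, so an empty package name now passes unless something outside the hunk rejects it. The check also tests only the character set: assuming `npmNaming.Is` accepts any string built from the characters listed in server/utils.go, a scope or name of `.` or `..` is accepted, which matters if the name later reaches a filesystem path or a registry URL. I would write the guard as `if name == "" || len(name) > 214 || !npmNaming.Is(name) || strings.HasPrefix(name, ".") {` and add the same prefix test to the `scope` check; the referenced validate-npm-package-name rules also reject a leading underscore. parsePkg starts before and continues after this hunk.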
@@ -9,11 +9,13 @@ import (
 "sync"
 "github.com/ije/gox/utils"
+ "github.com/ije/gox/valid"
 )
 var (
 regFullVersion = regexp.MustCompile(`^\d+\.\d+\.\d+[a-zA-Z0-9\.\-]*$`)
 regBuildVersionPath = regexp.MustCompile(`^/v\d+/`)
+ npmNaming = valid.Validator{valid.FromTo{'a', 'z'}, valid.FromTo{'0', '9'}, valid.Eq('.'), valid.Eq('_'), valid.Eq('-')}
 )
 // A Country record of mmdb.
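Review bot: The `npmNaming` allow-list has no `A`–`Z` range, so if `Is` requires every character to match one of the listed rules, parsePkg rejects any mixed-case scope or package name. validate-npm-package-name treats capitals as invalid only for new packages, and legacy packages with upper-case names still exist on the registry, so requests for them would start failing. If that is intended, the variable should carry a comment saying so, for example `// npmNaming is the character allow-list for npm scope and package names; upper-case legacy names are rejected on purpose.`; otherwise add `valid.FromTo{'A', 'Z'}` to the list.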