Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix NPM packages name validation #26595

Merged
merged 7 commits into from
Aug 20, 2023

Conversation

TimberBro
Copy link
Contributor


As @silverwind suggested, I started from validate-npm-package-name, but found this solution too complicated.
Then I tried to fix existing regex myself, but thought, that exclude all restricted symbols is harder, than set only allowed symbols.
Then I search a bit more and found package-name-regex and regex from it works for all new test cases.

Let me know, if more information or help with this PR is needed.

@GiteaBot GiteaBot added the lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. label Aug 19, 2023
@pull-request-size pull-request-size bot added the size/S Denotes a PR that changes 10-29 lines, ignoring generated files. label Aug 19, 2023
@@ -34,7 +34,7 @@ var (
ErrInvalidIntegrity = util.NewInvalidArgumentErrorf("failed to validate integrity")
)

var nameMatch = regexp.MustCompile(`\A((@[^\s\/~'!\(\)\*]+?)[\/])?([^_.][^\s\/~'!\(\)\*]+)\z`)
var nameMatch = regexp.MustCompile(`^(@[a-z0-9-~][a-z0-9-._~]*/)?[a-z0-9-~][a-z0-9-._~]*$`)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

package name should not contain any of the following characters: ~)('!*

Suggested change
var nameMatch = regexp.MustCompile(`^(@[a-z0-9-~][a-z0-9-._~]*/)?[a-z0-9-~][a-z0-9-._~]*$`)
var nameMatch = regexp.MustCompile(`^(@[a-z0-9-][a-z0-9-._]*/)?[a-z0-9-][a-z0-9-._]*$`)

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks! Added test for that case and applied suggested solution.

test(t, "te)(st")
test(t, "te'st")
test(t, "te!st")
test(t, "te*st")
test(t, "invalid/scope")
test(t, "@invalid/_name")
test(t, "@invalid/.name")
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think we should also test for

package name cannot be the same as a node.js/io.js core module nor a reserved/blacklisted name. For example, the following names are invalid:
http
stream
node_modules
favicon.ico

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could keep a map of reserved names. Would be cleaner then extending the regex.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

One doesn't exclude the other?
The test method does not test the regex directly, but the upload.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Can we merge this PR without reserved names inspection feature?
Can I create separated issue for that, and I think, I'm able to implement it, but need some time to dive into codebase.

@GiteaBot GiteaBot added lgtm/need 1 This PR needs approval from one additional maintainer to be merged. and removed lgtm/need 2 This PR needs two approvals by maintainers to be considered for merging. labels Aug 19, 2023
@delvh delvh added type/bug topic/distribution This PR changes something about the packaging of Gitea labels Aug 19, 2023
@KN4CK3R KN4CK3R added topic/packages and removed topic/distribution This PR changes something about the packaging of Gitea labels Aug 20, 2023
@GiteaBot GiteaBot added lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. and removed lgtm/need 1 This PR needs approval from one additional maintainer to be merged. labels Aug 20, 2023
@silverwind
Copy link
Member

Can do more later.

@silverwind silverwind added backport/v1.20 This PR should be backported to Gitea 1.20 reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. labels Aug 20, 2023
@silverwind silverwind enabled auto-merge (squash) August 20, 2023 14:35
@silverwind silverwind merged commit 84d0551 into go-gitea:main Aug 20, 2023
23 checks passed
@GiteaBot GiteaBot added this to the 1.21.0 milestone Aug 20, 2023
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request Aug 20, 2023
- Added new tests to cover corner cases
- Replace existing regex with new one
Closes go-gitea#26551 

---
As @silverwind suggested, I started from
[validate-npm-package-name](https://github.com/npm/validate-npm-package-name),
but found this solution too complicated.
Then I tried to fix existing regex myself, but thought, that exclude all
restricted symbols is harder, than set only allowed symbols.
Then I search a bit more and found
[package-name-regex](https://github.com/dword-design/package-name-regex)
and regex from it works for all new test cases.

Let me know, if more information or help with this PR is needed.
@GiteaBot GiteaBot added backport/done All backports for this PR have been created and removed reviewed/wait-merge This pull request is part of the merge queue. It will be merged soon. labels Aug 20, 2023
@silverwind silverwind removed backport/v1.20 This PR should be backported to Gitea 1.20 backport/done All backports for this PR have been created labels Aug 20, 2023
zjjhot added a commit to zjjhot/gitea that referenced this pull request Aug 22, 2023
* giteaofficial/main: (21 commits)
  Update minimum password length requirements (go-gitea#25946)
  cynkra is covered via oc links now (go-gitea#26641)
  update config docs url (go-gitea#26640)
  devpod use go1.21 (go-gitea#26637)
  Use correct minio error (go-gitea#26634)
  Remove avatarHTML from template helpers (go-gitea#26598)
  Add optimistic lock to ActionRun table (go-gitea#26563)
  Improve the branch selector tab UI (go-gitea#26631)
  Improve translation of milestone filters (go-gitea#26569)
  Add `branch_filter` to hooks API endpoints (go-gitea#26599)
  Replace box-shadow for `floating` dropdown as well (go-gitea#26581)
  Add link to job details and tooltip to commit status in repo list in dashboard (go-gitea#26326)
  Ignore the trailing slashes when comparing oauth2 redirect_uri (go-gitea#26597)
  Update tool dependencies (go-gitea#26607)
  bump go to 1.21 (go-gitea#26608)
  Update 1.20.3 changelog (go-gitea#26609)
  Fix NPM packages name validation (go-gitea#26595)
  Use "input" event instead of "keyup" event for migration form (go-gitea#26602)
  Do not use deprecated log config options by default (go-gitea#26592)
  fix reopen logic for agit flow pull request (go-gitea#26399)
  ...
@go-gitea go-gitea locked as resolved and limited conversation to collaborators Nov 19, 2023
@TimberBro TimberBro deleted the timberbro-npm-patch-1 branch March 26, 2024 19:59
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Labels
lgtm/done This PR has enough approvals to get merged. There are no important open reservations anymore. size/S Denotes a PR that changes 10-29 lines, ignoring generated files. topic/packages type/bug
Projects
None yet
Development

Successfully merging this pull request may close these issues.

NPM Package Registry returns HTTP400 for packages with single-character names
5 participants