-
-
Notifications
You must be signed in to change notification settings - Fork 5.5k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Fix NPM packages name validation #26595
Conversation
modules/packages/npm/creator.go
Outdated
@@ -34,7 +34,7 @@ var ( | |||
ErrInvalidIntegrity = util.NewInvalidArgumentErrorf("failed to validate integrity") | |||
) | |||
|
|||
var nameMatch = regexp.MustCompile(`\A((@[^\s\/~'!\(\)\*]+?)[\/])?([^_.][^\s\/~'!\(\)\*]+)\z`) | |||
var nameMatch = regexp.MustCompile(`^(@[a-z0-9-~][a-z0-9-._~]*/)?[a-z0-9-~][a-z0-9-._~]*$`) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
package name should not contain any of the following characters:
~)('!*
var nameMatch = regexp.MustCompile(`^(@[a-z0-9-~][a-z0-9-._~]*/)?[a-z0-9-~][a-z0-9-._~]*$`) | |
var nameMatch = regexp.MustCompile(`^(@[a-z0-9-][a-z0-9-._]*/)?[a-z0-9-][a-z0-9-._]*$`) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! Added test for that case and applied suggested solution.
test(t, "te)(st") | ||
test(t, "te'st") | ||
test(t, "te!st") | ||
test(t, "te*st") | ||
test(t, "invalid/scope") | ||
test(t, "@invalid/_name") | ||
test(t, "@invalid/.name") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think we should also test for
package name cannot be the same as a node.js/io.js core module nor a reserved/blacklisted name. For example, the following names are invalid:
http
stream
node_modules
favicon.ico
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could keep a map of reserved names. Would be cleaner then extending the regex.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
One doesn't exclude the other?
The test method does not test the regex directly, but the upload.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can we merge this PR without reserved names inspection feature?
Can I create separated issue for that, and I think, I'm able to implement it, but need some time to dive into codebase.
Can do more later. |
- Added new tests to cover corner cases - Replace existing regex with new one Closes go-gitea#26551 --- As @silverwind suggested, I started from [validate-npm-package-name](https://github.com/npm/validate-npm-package-name), but found this solution too complicated. Then I tried to fix existing regex myself, but thought, that exclude all restricted symbols is harder, than set only allowed symbols. Then I search a bit more and found [package-name-regex](https://github.com/dword-design/package-name-regex) and regex from it works for all new test cases. Let me know, if more information or help with this PR is needed.
* giteaofficial/main: (21 commits) Update minimum password length requirements (go-gitea#25946) cynkra is covered via oc links now (go-gitea#26641) update config docs url (go-gitea#26640) devpod use go1.21 (go-gitea#26637) Use correct minio error (go-gitea#26634) Remove avatarHTML from template helpers (go-gitea#26598) Add optimistic lock to ActionRun table (go-gitea#26563) Improve the branch selector tab UI (go-gitea#26631) Improve translation of milestone filters (go-gitea#26569) Add `branch_filter` to hooks API endpoints (go-gitea#26599) Replace box-shadow for `floating` dropdown as well (go-gitea#26581) Add link to job details and tooltip to commit status in repo list in dashboard (go-gitea#26326) Ignore the trailing slashes when comparing oauth2 redirect_uri (go-gitea#26597) Update tool dependencies (go-gitea#26607) bump go to 1.21 (go-gitea#26608) Update 1.20.3 changelog (go-gitea#26609) Fix NPM packages name validation (go-gitea#26595) Use "input" event instead of "keyup" event for migration form (go-gitea#26602) Do not use deprecated log config options by default (go-gitea#26592) fix reopen logic for agit flow pull request (go-gitea#26399) ...
Closes NPM Package Registry returns HTTP400 for packages with single-character names #26551
As @silverwind suggested, I started from validate-npm-package-name, but found this solution too complicated.
Then I tried to fix existing regex myself, but thought, that exclude all restricted symbols is harder, than set only allowed symbols.
Then I search a bit more and found package-name-regex and regex from it works for all new test cases.
Let me know, if more information or help with this PR is needed.