From ca306e84c0cc742105738a3927235c9905f74f37 Mon Sep 17 00:00:00 2001 From: Marti Martz Date: Sat, 4 Nov 2017 22:46:24 -0600 Subject: [PATCH] Implement basic SPDX format `@license` check and reject (#1230) * Checks if the SPDX is the first thing... if not... reject Applies to #438 Auto-merge --- README.md | 6 ++++++ controllers/scriptStorage.js | 13 +++++++++++-- package.json | 1 + 3 files changed, 18 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 2b2feb174..13e51faf9 100644 --- a/README.md +++ b/README.md @@ -82,6 +82,7 @@ Repository | Reference | Recent Version [select2-bootstrap-css][select2-bootstrap-cssGHUrl] | [Documentation][select2-bootstrap-cssDOCUrl] | [![NPM version][select2-bootstrap-cssNPMVersionImage]][select2-bootstrap-cssNPMUrl] [serve-favicon][serve-faviconGHUrl] | [Documentation][serve-faviconDOCUrl] | [![NPM version][serve-faviconNPMVersionImage]][serve-faviconNPMUrl] [spdx-is-osi][spdx-is-osiGHUrl] | [Documentation][spdx-is-osiDOCUrl] | [![NPM version][spdx-is-osiNPMVersionImage]][spdx-is-osiNPMUrl] +[spdx-license-ids][spdx-license-idsGHUrl] | [Documentation][spdx-license-idsDOCUrl] | [![NPM version][spdx-license-idsNPMVersionImage]][spdx-license-idsNPMUrl] [toobusy-js][toobusy-jsGHUrl]
⋔ [`harmony`][toobusy-jsGHUrlHarmonyUrl] | [Documentation][toobusy-jsDOCUrl] | [![NPM version][toobusy-jsNPMVersionImage]][toobusy-jsNPMUrl] [uglifyJS][uglifyJS2GHUrl]
↳ [`harmony`][uglifyJS2GHHarmonyUrl] | [Documentation][uglifyJS2DOCUrl] [¹][uglifyJS2DOC1Url] | [![NPM version][uglifyJS2NPMVersionImage]][uglifyJS2NPMUrl]
↳ [![NPM Harmony version][uglifyJS2NPMHarmonyVersionImage]][uglifyJS2NPMHarmonyUrl] [underscore][underscoreGHUrl] | [Documentation][underscoreDOCUrl] | [![NPM version][underscoreNPMVersionImage]][underscoreNPMUrl] @@ -452,6 +453,11 @@ Outdated dependencies list can also be achieved with `$ npm --depth 0 outdated` [spdx-is-osiNPMUrl]: https://www.npmjs.com/package/spdx-is-osi [spdx-is-osiNPMVersionImage]: https://img.shields.io/npm/v/spdx-is-osi.svg?style=flat +[spdx-license-idsGHUrl]: https://github.com/shinnn/spdx-license-ids +[spdx-license-idsDOCUrl]: https://github.com/shinnn/spdx-license-ids/blob/master/README.md +[spdx-license-idsNPMUrl]: https://www.npmjs.com/package/spdx-license-ids +[spdx-license-idsNPMVersionImage]: https://img.shields.io/npm/v/spdx-license-ids.svg?style=flat + [toobusy-jsGHUrl]: https://github.com/STRML/node-toobusy [toobusy-jsGHUrlHarmonyUrl]: https://github.com/OpenUserJs/node-toobusy/tree/harmony [toobusy-jsDOCUrl]: https://github.com/STRML/node-toobusy/blob/master/README.md diff --git a/controllers/scriptStorage.js b/controllers/scriptStorage.js index 45a795e3b..fbf8979e1 100644 --- a/controllers/scriptStorage.js +++ b/controllers/scriptStorage.js @@ -25,6 +25,7 @@ var moment = require('moment'); var Base62 = require('base62'); var sanitizeHtml = require('sanitize-html'); var SPDXOSI = require('spdx-osi'); +var SPDX = require('spdx-license-ids'); var MongoClient = require('mongodb').MongoClient; var ExpressBrute = require('express-brute'); @@ -1162,6 +1163,7 @@ exports.storeScript = function (aUser, aMeta, aBuf, aCallback, aUpdate) { var i = null; var j = null; var hasOSI = null; + var countSPDX = null; var author = null; var collaborators = null; var installName = aUser.name + '/'; @@ -1300,6 +1302,7 @@ exports.storeScript = function (aUser, aMeta, aBuf, aCallback, aUpdate) { if (userscriptKeyset) { hasOSI = false; + countSPDX = 0; for (i = 0; userscriptKey = userscriptKeyset[i]; i++) { thisKeyComponents = userscriptKey.split('; '); 
@@ -1326,10 +1329,16 @@ exports.storeScript = function (aUser, aMeta, aBuf, aCallback, aUpdate) {
           hasOSI = true && i === userscriptKeyset.length - 1; // NOTE: Must be the primary last key
         }
       }
+
+      for (j = 0; thisSPDX = SPDX[j++];) {
+        if (thisSPDX === thatSPDX) {
+          countSPDX++;
+        }
+      }
     }
 
-    if (!hasOSI) {
-      // No valid OSI licensing found... reject
+    if (!hasOSI || countSPDX !== userscriptKeyset.length) {
+      // No valid OSI primary or invalid licensing found... reject
       aCallback(null);
       return;
     }
diff --git a/package.json b/package.json
index 863428035..89e3fc662 100644
--- a/package.json
+++ b/package.json
@@ -63,6 +63,7 @@
     "select2-bootstrap-css": "1.4.6",
     "serve-favicon": "2.4.5",
     "spdx-is-osi": "0.1.2",
+    "spdx-license-ids": "2.0.1",
     "toobusy-js-harmony": "git://github.com/OpenUserJs/node-toobusy#harmony",
     "uglify-js": "3.1.6",
     "uglify-es": "3.1.6",
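Review bot: `thisSPDX`, assigned in the header of the added `for (j = 0; thisSPDX = SPDX[j++];)` loop, is not declared by this patch — the -1162 hunk adds only `var countSPDX = null;` — so unless storeScript already declares it outside the hunks, the assignment creates an implicit global (or throws a ReferenceError if the file runs in strict mode); add `var thisSPDX = null;` next to `var countSPDX = null;`. The hand-rolled scan of the whole id list per key can be the single line `if (SPDX.indexOf(thatSPDX) !== -1) { countSPDX++; }`, which also avoids the assignment-in-condition that linters flag. Whether the new loop runs once per `@license` key depends on which of the closing braces above it ends the `for (i = 0; userscriptKey = userscriptKeyset[i]; i++)` loop, and that brace is outside the hunk; if the loop sits after the per-key loop it only sees the last `thatSPDX`, so `countSPDX` never exceeds one and every script with more than one `@license` key is rejected by `countSPDX !== userscriptKeyset.length` — worth confirming against the surrounding code. The enclosing storeScript function starts and ends outside the hunk.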