Fix NPM packages name validation #26595
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GiteaBot
added
the
lgtm/need 2
pull-request-size
bot
added
the
size/S
delvh
reviewed
Aug 19, 2023
modules/packages/npm/creator.go
Outdated
| @@ -34,7 +34,7 @@ var ( | |||
| ErrInvalidIntegrity = util.NewInvalidArgumentErrorf("failed to validate integrity") | |||
| ) | |||
|
|
|||
| var nameMatch = regexp.MustCompile(`\A((@[^\s\/~'!\(\)\*]+?)[\/])?([^_.][^\s\/~'!\(\)\*]+)\z`) | |||
| var nameMatch = regexp.MustCompile(`^(@[a-z0-9-~][a-z0-9-._~]*/)?[a-z0-9-~][a-z0-9-._~]*$`) | |||
There was a problem hiding this comment.
package name should not contain any of the following characters:
~)('!*
Suggested change
| var nameMatch = regexp.MustCompile(`^(@[a-z0-9-~][a-z0-9-._~]*/)?[a-z0-9-~][a-z0-9-._~]*$`) | |
| var nameMatch = regexp.MustCompile(`^(@[a-z0-9-][a-z0-9-._]*/)?[a-z0-9-][a-z0-9-._]*$`) |
There was a problem hiding this comment.
Thanks! Added test for that case and applied suggested solution.
| test(t, "te)(st") | ||
| test(t, "te'st") | ||
| test(t, "te!st") | ||
| test(t, "te*st") | ||
| test(t, "invalid/scope") | ||
| test(t, "@invalid/_name") | ||
| test(t, "@invalid/.name") |
There was a problem hiding this comment.
I think we should also test for
package name cannot be the same as a node.js/io.js core module nor a reserved/blacklisted name. For example, the following names are invalid:
http
stream
node_modules
favicon.ico
There was a problem hiding this comment.
Could keep a map of reserved names. Would be cleaner then extending the regex.
There was a problem hiding this comment.
One doesn't exclude the other?
The test method does not test the regex directly, but the upload.
There was a problem hiding this comment.
Can we merge this PR without reserved names inspection feature?
Can I create separated issue for that, and I think, I'm able to implement it, but need some time to dive into codebase.
delvh
approved these changes
Aug 19, 2023
GiteaBot
added
lgtm/need 1
delvh
added
type/bug
topic/distribution
KN4CK3R
added
topic/packages
and removed
topic/distribution
silverwind
approved these changes
Aug 20, 2023
GiteaBot
added
lgtm/done
|
Can do more later. |
silverwind
added
backport/v1.20
GiteaBot
pushed a commit
to GiteaBot/gitea
that referenced
this pull request
Aug 20, 2023
- Added new tests to cover corner cases - Replace existing regex with new one Closes go-gitea#26551 --- As @silverwind suggested, I started from [validate-npm-package-name](https://github.com/npm/validate-npm-package-name), but found this solution too complicated. Then I tried to fix existing regex myself, but thought, that exclude all restricted symbols is harder, than set only allowed symbols. Then I search a bit more and found [package-name-regex](https://github.com/dword-design/package-name-regex) and regex from it works for all new test cases. Let me know, if more information or help with this PR is needed.
GiteaBot
added
backport/done
silverwind
removed
backport/v1.20
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Aug 22, 2023
* giteaofficial/main: (21 commits) Update minimum password length requirements (go-gitea#25946) cynkra is covered via oc links now (go-gitea#26641) update config docs url (go-gitea#26640) devpod use go1.21 (go-gitea#26637) Use correct minio error (go-gitea#26634) Remove avatarHTML from template helpers (go-gitea#26598) Add optimistic lock to ActionRun table (go-gitea#26563) Improve the branch selector tab UI (go-gitea#26631) Improve translation of milestone filters (go-gitea#26569) Add `branch_filter` to hooks API endpoints (go-gitea#26599) Replace box-shadow for `floating` dropdown as well (go-gitea#26581) Add link to job details and tooltip to commit status in repo list in dashboard (go-gitea#26326) Ignore the trailing slashes when comparing oauth2 redirect_uri (go-gitea#26597) Update tool dependencies (go-gitea#26607) bump go to 1.21 (go-gitea#26608) Update 1.20.3 changelog (go-gitea#26609) Fix NPM packages name validation (go-gitea#26595) Use "input" event instead of "keyup" event for migration form (go-gitea#26602) Do not use deprecated log config options by default (go-gitea#26592) fix reopen logic for agit flow pull request (go-gitea#26399) ...
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Closes NPM Package Registry returns HTTP400 for packages with single-character names #26551
As @silverwind suggested, I started from validate-npm-package-name, but found this solution too complicated.
Then I tried to fix existing regex myself, but thought, that exclude all restricted symbols is harder, than set only allowed symbols.
Then I search a bit more and found package-name-regex and regex from it works for all new test cases.
Let me know, if more information or help with this PR is needed.