Move package name validation into parsePackageURL

server/utils/__tests__/parsePackageURL-test.js

@@ -80,5 +80,6 @@ describe('parsePackageURL', () => {
 
   it('returns null for invalid pathnames', () => {
     expect(parsePackageURL('history')).toBe(null)
+    expect(parsePackageURL('/.invalid')).toBe(null)
   })
 })

server/utils/parsePackageURL.js

@@ -1,4 +1,5 @@
 const url = require('url')
+const validatePackageName = require('./validatePackageName')
 
 const URLFormat = /^\/((?:@[^\/@]+\/)?[^\/@]+)(?:@([^\/]+))?(\/.*)?$/
 
@@ -19,9 +20,14 @@ function parsePackageURL(packageURL) {
 
   const match = URLFormat.exec(pathname)
 
+  // Disallow invalid URL formats.
   if (match == null) return null
 
   const packageName = match[1]
+
+  // Disallow invalid npm package names.
+  if (!validatePackageName(packageName)) return null
+
   const packageVersion = decodeParam(match[2]) || 'latest'
   const filename = decodeParam(match[3])
 

server/utils/validatePackageName.js

@@ -0,0 +1,7 @@
+const validateNpmPackageName = require('validate-npm-package-name')
+
+function validatePackageName(packageName) {
+  return validateNpmPackageName(packageName).errors == null
+}
+
+module.exports = validatePackageName