From 9d154620062f1c4e3841cf3004e9834e806cbb8f Mon Sep 17 00:00:00 2001
From: MICHAEL JACKSON
Date: Tue, 15 Aug 2017 11:56:08 -0700
Subject: [PATCH] Validate NPM package names in URLs

---
 package.json | 3 ++-
 server/middleware/parseURL.js | 9 ++++++++-
 yarn.lock | 38 ++++++++++++++--------------------
 3 files changed, 25 insertions(+), 25 deletions(-)

diff --git a/package.json b/package.json
index 88a828a..77ba5e4 100644
--- a/package.json
+++ b/package.json
@@ -33,7 +33,8 @@
 "redis": "^2.7.1",
 "semver": "^5.3.0",
 "tar-fs": "^1.15.2",
- "throng": "^4.0.0"
+ "throng": "^4.0.0",
+ "validate-npm-package-name": "^3.0.0"
 },
 "devDependencies": {
 "autoprefixer": "6.7.2",
diff --git a/server/middleware/parseURL.js b/server/middleware/parseURL.js
index a5d054e..b5b56ad 100644
--- a/server/middleware/parseURL.js
+++ b/server/middleware/parseURL.js
@@ -1,3 +1,4 @@
+const validateNPMPackageName = require('validate-npm-package-name')
 const PackageURL = require('../PackageURL')

 const ValidQueryKeys = {
@@ -21,10 +22,16 @@ function parseURL(req, res, next) {
 if (url == null)
 return res.status(403).type('text').send(`Invalid URL: ${req.url}`)

+ const nameErrors = validateNPMPackageName(url.packageName).errors
+
+ // Do not allow invalid package names.
+ if (nameErrors)
+ return res.status(403).type('text').send(`Invalid package name: ${url.packageName} (${nameErrors.join(', ')})`)
+
 // Do not allow unrecognized query parameters because
 // some people use them to bust the cache.
 if (!queryIsValid(url.query))
- return res.status(403).type('text').send(`Invalid query: ${JSON.stringify(url.query)}`)
+ return res.status(403).type('text').send(`Invalid query: ${url.search}`)

 req.packageName = url.packageName
 req.packageVersion = url.packageVersion
diff --git a/yarn.lock b/yarn.lock
index adda351..538de35 100644
--- a/yarn.lock
+++ b/yarn.lock
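Review bot: The new rejection in parseURL keys only on `.errors`, which validate-npm-package-name sets for names npm never accepted, while names that are merely not valid for new packages (for example uppercase letters or over-length names) come back under `warnings` and still pass through; that is a sensible choice for a service that serves existing packages, but the comment above the check should state it so nobody later assumes the full new-package rules are enforced: `// Reject names npm never allowed (.errors); legacy-only names that only yield .warnings are still served.`. The rewritten query message reads `url.search`, which is presumably a field of the PackageURL object parsed above the hunk; if it is not always populated the reply degrades to "Invalid query: undefined", so it is worth confirming against PackageURL. Both replies stay `text/plain`, so echoing the attacker-controlled name and search string back is not an injection concern here. parseURL continues past the end of the hunk.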
@@ -1007,6 +1007,10 @@ builtin-status-codes@^3.0.0: version "3.0.0" resolved "https://registry.yarnpkg.com/builtin-status-codes/-/builtin-status-codes-3.0.0.tgz#85982878e21b98e1c66425e03d0174788f569ee8" +builtins@^1.0.3: + version "1.0.3" + resolved "https://registry.yarnpkg.com/builtins/-/builtins-1.0.3.tgz#cb94faeb61c8696451db36534e1422f94f0aee88" + byte-length@^0.1.1: version "0.1.1" resolved "https://registry.yarnpkg.com/byte-length/-/byte-length-0.1.1.tgz#e9b4774dbce7c59764bf5be87c302789a88738c3" @@ -3177,7 +3181,7 @@ json-stable-stringify@^1.0.0, json-stable-stringify@^1.0.1: dependencies: jsonify "~0.0.0" -json-stringify-safe@5.0.1, json-stringify-safe@^5.0.1, json-stringify-safe@~5.0.1: +json-stringify-safe@^5.0.1, json-stringify-safe@~5.0.1: version "5.0.1" resolved "https://registry.yarnpkg.com/json-stringify-safe/-/json-stringify-safe-5.0.1.tgz#1296a2d58fd45f19a0f6ce01d65701e2c735b6eb" @@ -3390,10 +3394,6 @@ lru-cache@^4.0.1: pseudomap "^1.0.1" yallist "^2.0.0" -lsmod@1.0.0: - version "1.0.0" - resolved "https://registry.yarnpkg.com/lsmod/-/lsmod-1.0.0.tgz#9a00f76dca36eb23fa05350afe1b585d4299e64b" - macaddress@^0.2.8: version "0.2.8" resolved "https://registry.yarnpkg.com/macaddress/-/macaddress-0.2.8.tgz#5904dc537c39ec6dbefeae902327135fa8511f12" @@ -4364,16 +4364,6 @@ range-parser@^1.0.3, range-parser@~1.2.0: version "1.2.0" resolved "https://registry.yarnpkg.com/range-parser/-/range-parser-1.2.0.tgz#f49be6b487894ddc40dcc94a322f611092e00d5e" -raven@^1.2.1: - version "1.2.1" - resolved "https://registry.yarnpkg.com/raven/-/raven-1.2.1.tgz#949c134db028a190b7bbf8f790aae541b7c020bd" - dependencies: - cookie "0.3.1" - json-stringify-safe "5.0.1" - lsmod "1.0.0" - stack-trace "0.0.9" - uuid "3.0.0" - rc@^1.1.7: version "1.2.1" resolved "https://registry.yarnpkg.com/rc/-/rc-1.2.1.tgz#2e03e8e42ee450b8cb3dce65be1bf8974e1dfd95" 
@@ -4954,10 +4944,6 @@ sshpk@^1.7.0: jsbn "~0.1.0" tweetnacl "~0.14.0" -stack-trace@0.0.9: - version "0.0.9" - resolved "https://registry.yarnpkg.com/stack-trace/-/stack-trace-0.0.9.tgz#a8f6eaeca90674c333e7c43953f275b451510695" - "statuses@>= 1.3.1 < 2", statuses@~1.3.1: version "1.3.1" resolved "https://registry.yarnpkg.com/statuses/-/statuses-1.3.1.tgz#faf51b9eb74aaef3b3acf4ad5f61abf24cb7b93e" @@ -5342,14 +5328,14 @@ utils-merge@1.0.0: version "1.0.0" resolved "https://registry.yarnpkg.com/utils-merge/-/utils-merge-1.0.0.tgz#0294fb922bb9375153541c4f7096231f287c8af8" -uuid@3.0.0, uuid@^3.0.0: - version "3.0.0" - resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.0.0.tgz#6728fc0459c450d796a99c31837569bdf672d728" - uuid@^2.0.2: version "2.0.3" resolved "https://registry.yarnpkg.com/uuid/-/uuid-2.0.3.tgz#67e2e863797215530dff318e5bf9dcebfd47b21a" +uuid@^3.0.0: + version "3.0.0" + resolved "https://registry.yarnpkg.com/uuid/-/uuid-3.0.0.tgz#6728fc0459c450d796a99c31837569bdf672d728" + validate-npm-package-license@^3.0.1: version "3.0.1" resolved "https://registry.yarnpkg.com/validate-npm-package-license/-/validate-npm-package-license-3.0.1.tgz#2804babe712ad3379459acfbe24746ab2c303fbc" @@ -5357,6 +5343,12 @@ validate-npm-package-license@^3.0.1: spdx-correct "~1.0.0" spdx-expression-parse "~1.0.0" +validate-npm-package-name@^3.0.0: + version "3.0.0" + resolved "https://registry.yarnpkg.com/validate-npm-package-name/-/validate-npm-package-name-3.0.0.tgz#5fa912d81eb7d0c74afc140de7317f0ca7df437e" + dependencies: + builtins "^1.0.3" + value-equal@^0.2.0: version "0.2.1" resolved "https://registry.yarnpkg.com/value-equal/-/value-equal-0.2.1.tgz#c220a304361fce6994dbbedaa3c7e1a1b895871d"