author | Guy Bedford <guybedford@gmail.com> | 2019-08-05 02:24:54 -0400 |
---|---|---|
committer | Rich Trott <rtrott@gmail.com> | 2019-08-07 19:56:11 -0700 |
commit | 0e03c449e35e4951e9e9c962ff279ec271e62010 (patch) | |
tree | fad32758dfd0c92ed5c97cd53c404ce7443bb6a0 /src | |
parent | 71c28a4d2bf0137e4b56788124343c8c00dc11d7 (diff) | |
download | android-node-v8-0e03c449e35e4951e9e9c962ff279ec271e62010.tar.gz android-node-v8-0e03c449e35e4951e9e9c962ff279ec271e62010.tar.bz2 android-node-v8-0e03c449e35e4951e9e9c962ff279ec271e62010.zip |
module: refine package name validation
PR-URL: https://github.com/nodejs/node/pull/28965
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Jan Krems <jan.krems@gmail.com>
Reviewed-By: Rich Trott <rtrott@gmail.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/module_wrap.cc | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/src/module_wrap.cc b/src/module_wrap.cc
index 5b33ef261c..b3d0c306c9 100644
--- a/src/module_wrap.cc
+++ b/src/module_wrap.cc
@@ -867,20 +867,35 @@ Maybe<URL> PackageResolve(Environment* env,
 const std::string& specifier,
 const URL& base) {
 size_t sep_index = specifier.find('/');
- if (specifier[0] == '@' && (sep_index == std::string::npos ||
- specifier.length() == 0)) {
- std::string msg = "Invalid package name '" + specifier +
- "' imported from " + base.ToFilePath();
- node::THROW_ERR_INVALID_MODULE_SPECIFIER(env, msg.c_str());
- return Nothing<URL>();
- }
+ bool valid_package_name = true;
 bool scope = false;
 if (specifier[0] == '@') {
 scope = true;
- sep_index = specifier.find('/', sep_index + 1);
+ if (sep_index == std::string::npos || specifier.length() == 0) {
+ valid_package_name = false;
+ } else {
+ sep_index = specifier.find('/', sep_index + 1);
+ }
+ } else if (specifier[0] == '.') {
+ valid_package_name = false;
 }
 std::string pkg_name = specifier.substr(0,
 sep_index == std::string::npos ? std::string::npos : sep_index);
+ // Package name cannot have leading . and cannot have percent-encoding or
+ // separators.
+ for (size_t i = 0; i < pkg_name.length(); i++) {
+ char c = pkg_name[i];
+ if (c == '%' || c == '\\') {
+ valid_package_name = false;
+ break;
+ }
+ }
+ if (!valid_package_name) {
+ std::string msg = "Invalid package name '" + specifier +
+ "' imported from " + base.ToFilePath();
+ node::THROW_ERR_INVALID_MODULE_SPECIFIER(env, msg.c_str());
+ return Nothing<URL>();
+ }
 std::string pkg_subpath;
 if ((sep_index == std::string::npos ||
 sep_index == specifier.length() - 1)) { |
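Review bot: The leading-dot rule in the new validation only inspects `specifier[0]`, so for a scoped specifier the name segment after the scope's `/` is never checked for a leading `.`, although the added comment says a package name cannot have one. Whether this matters depends on how `pkg_name` is joined to the `node_modules` path later in PackageResolve, which continues outside this hunk, but validating both segments here would keep dot segments out of that path construction. In the same branch, `specifier.length() == 0` can never be true once `specifier[0] == '@'` has matched, so the condition could become `if (sep_index == std::string::npos || specifier[sep_index + 1] == '.') {`. A test with a scoped specifier whose name part starts with a dot would pin the intended behaviour.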