1 files changed, 23 insertions, 8 deletions

diff --git a/src/module_wrap.cc b/src/module_wrap.cc
index 5b33ef261c..b3d0c306c9 100644
--- a/src/module_wrap.cc
+++ b/src/module_wrap.cc
@@ -867,20 +867,35 @@ Maybe<URL> PackageResolve(Environment* env,
                           const std::string& specifier,
                           const URL& base) {
   size_t sep_index = specifier.find('/');
-  if (specifier[0] == '@' && (sep_index == std::string::npos ||
-      specifier.length() == 0)) {
-    std::string msg = "Invalid package name '" + specifier +
-      "' imported from " + base.ToFilePath();
-    node::THROW_ERR_INVALID_MODULE_SPECIFIER(env, msg.c_str());
-    return Nothing<URL>();
-  }
+  bool valid_package_name = true;
   bool scope = false;
   if (specifier[0] == '@') {
     scope = true;
-    sep_index = specifier.find('/', sep_index + 1);
+    if (sep_index == std::string::npos || specifier.length() == 0) {
+      valid_package_name = false;
+    } else {
+      sep_index = specifier.find('/', sep_index + 1);
+    }
+  } else if (specifier[0] == '.') {
+    valid_package_name = false;
   }
   std::string pkg_name = specifier.substr(0,
       sep_index == std::string::npos ? std::string::npos : sep_index);
+  // Package name cannot have leading . and cannot have percent-encoding or
+  // separators.
+  for (size_t i = 0; i < pkg_name.length(); i++) {
+    char c = pkg_name[i];
+    if (c == '%' || c == '\\') {
+      valid_package_name = false;
+      break;
+    }
+  }
+  if (!valid_package_name) {
+    std::string msg = "Invalid package name '" + specifier +
+      "' imported from " + base.ToFilePath();
+    node::THROW_ERR_INVALID_MODULE_SPECIFIER(env, msg.c_str());
+    return Nothing<URL>();
+  }
   std::string pkg_subpath;
   if ((sep_index == std::string::npos ||
       sep_index == specifier.length() - 1)) {