Diffstat (limited to 'src')
-rw-r--r-- | src/module_wrap.cc | 31 |
1 files changed, 23 insertions, 8 deletions
diff --git a/src/module_wrap.cc b/src/module_wrap.cc
index 5b33ef261c..b3d0c306c9 100644
--- a/src/module_wrap.cc
+++ b/src/module_wrap.cc
@@ -867,20 +867,35 @@ Maybe<URL> PackageResolve(Environment* env,
 const std::string& specifier,
 const URL& base) {
 size_t sep_index = specifier.find('/');
- if (specifier[0] == '@' && (sep_index == std::string::npos ||
- specifier.length() == 0)) {
- std::string msg = "Invalid package name '" + specifier +
- "' imported from " + base.ToFilePath();
- node::THROW_ERR_INVALID_MODULE_SPECIFIER(env, msg.c_str());
- return Nothing<URL>();
- }
+ bool valid_package_name = true;
 bool scope = false;
 if (specifier[0] == '@') {
 scope = true;
- sep_index = specifier.find('/', sep_index + 1);
+ if (sep_index == std::string::npos || specifier.length() == 0) {
+ valid_package_name = false;
+ } else {
+ sep_index = specifier.find('/', sep_index + 1);
+ }
+ } else if (specifier[0] == '.') {
+ valid_package_name = false;
 }
 std::string pkg_name = specifier.substr(0,
 sep_index == std::string::npos ? std::string::npos : sep_index);
+ // Package name cannot have leading . and cannot have percent-encoding or
+ // separators.
+ for (size_t i = 0; i < pkg_name.length(); i++) {
+ char c = pkg_name[i];
+ if (c == '%' || c == '\\') {
+ valid_package_name = false;
+ break;
+ }
+ }
+ if (!valid_package_name) {
+ std::string msg = "Invalid package name '" + specifier +
+ "' imported from " + base.ToFilePath();
+ node::THROW_ERR_INVALID_MODULE_SPECIFIER(env, msg.c_str());
+ return Nothing<URL>();
+ }
 std::string pkg_subpath;
 if ((sep_index == std::string::npos ||
 sep_index == specifier.length() - 1)) { |
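Review bot: The `specifier.length() == 0` test now sits inside the `specifier[0] == '@'` branch, where it can never be true, so an empty specifier is still not rejected here and `specifier[0]` is read before any length check; an early `if (specifier.empty()) valid_package_name = false;` would make that rule effective. The leading-dot rule in the new comment is applied only to the first character of the whole specifier, so for a scoped name the segment after the scope's `/` is not checked for a leading `.`; if the rule is meant per segment, the character following the first `/` in `pkg_name` needs the same test. Whether either case is reachable depends on the callers and on how `pkg_name` is later joined into a path, both outside this hunk. The character scan could also be written as `pkg_name.find_first_of("%\\") != std::string::npos`. PackageResolve starts before and continues past the hunk.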