fixes rlidwka#104 by properly resolving scoped package URIs

knksmith57 · Nov 30, 2014 · 7a32cf2 · 7a32cf2
1 parent ecc5e9b
commit 7a32cf2
Show file tree

Hide file tree

Showing 3 changed files with 37 additions and 0 deletions.
diff --git a/lib/index-api.js b/lib/index-api.js
@@ -10,13 +10,15 @@ var match         = Middleware.match
 var media         = Middleware.media
 var validate_name = Middleware.validate_name
 var validate_pkg  = Middleware.validate_package
+var validate_scope = Middleware.validate_scope
 
 module.exports = function(config, auth, storage) {
   var app = express.Router()
   var can = Middleware.allow(config)
 
   // validate all of these params as a package name
   // this might be too harsh, so ask if it causes trouble
+  app.param('scope',    validate_scope)
   app.param('package',  validate_pkg)
   app.param('filename', validate_name)
   app.param('tag',      validate_name)
@@ -78,6 +80,19 @@ module.exports = function(config, auth, storage) {
     stream.pipe(res)
   })
 
+  app.get('/:scope/:package/-/:scope/:filename', can('access'), function(req, res, next) {
+    var package = req.params.scope + '/' + req.params.package;
+    var stream = storage.get_tarball(package, req.params.filename)
+    stream.on('content-length', function(v) {
+      res.header('Content-Length', v)
+    })
+    stream.on('error', function(err) {
+      return res.report_error(err)
+    })
+    res.header('Content-Type', 'application/octet-stream')
+    stream.pipe(res)
+  })
+
   // searching packages
   app.get('/-/all/:anything?', function(req, res, next) {
     storage.search(req.param.startkey || 0, {req: req}, function(err, result) {

diff --git a/lib/middleware.js b/lib/middleware.js
@@ -35,6 +35,17 @@ module.exports.validate_package = function validate_package(req, res, next, valu
   }
 }
 
+module.exports.validate_scope = function validate_scope(req, res, next, value, name) {
+  if (value.charAt(0) === '-') {
+    // special case in couchdb usually
+    next('route')
+  } else if (utils.validate_scope(value)) {
+    next()
+  } else {
+    next( Error[403]('invalid ' + name) )
+  }
+}
+
 module.exports.media = function media(expect) {
   return function(req, res, next) {
     if (req.headers['content-type'] !== expect) {

diff --git a/lib/utils.js b/lib/utils.js
@@ -16,6 +16,17 @@ module.exports.validate_package = function(name) {
   }
 }
 
+module.exports.validate_scope = function(name) {
+  if (typeof(name) !== 'string') return false
+  name = name.toLowerCase()
+
+  if (!name.match(/^@[-a-zA-Z0-9_]+$/)) {
+    return false
+  } else {
+    return true
+  }
+}
+
 // from normalize-package-data/lib/fixer.js
 module.exports.validate_name = function(name) {
   if (typeof(name) !== 'string') return false