bbbf9a4b93
Fix #21303 npm package.json supports binary packaging: https://docs.npmjs.com/cli/v8/configuring-npm/package-json#bin the npm registry documents that the binary references will be attached to the abbreviated version object: https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md#abbreviated-version-object unfortunately their api documentation leaves this out: https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md#abbreviated-version-objectdoc which is likely to be the reason this was left out in gitea's initial implementation this response is critical for npm to install the binary in the `.bin` folder so as to be included on the users default bin path, resulting in immediate access to any binaries provided by the package
288 lines
9.2 KiB
Go
288 lines
9.2 KiB
Go
// Copyright 2021 The Gitea Authors. All rights reserved.
|
|
// Use of this source code is governed by a MIT-style
|
|
// license that can be found in the LICENSE file.
|
|
|
|
package npm
|
|
|
|
import (
|
|
"bytes"
|
|
"crypto/sha1"
|
|
"crypto/sha512"
|
|
"encoding/base64"
|
|
"errors"
|
|
"fmt"
|
|
"io"
|
|
"regexp"
|
|
"strings"
|
|
"time"
|
|
|
|
"code.gitea.io/gitea/modules/json"
|
|
"code.gitea.io/gitea/modules/validation"
|
|
|
|
"github.com/hashicorp/go-version"
|
|
)
|
|
|
|
var (
|
|
// ErrInvalidPackage indicates an invalid package
|
|
ErrInvalidPackage = errors.New("The package is invalid")
|
|
// ErrInvalidPackageName indicates an invalid name
|
|
ErrInvalidPackageName = errors.New("The package name is invalid")
|
|
// ErrInvalidPackageVersion indicates an invalid version
|
|
ErrInvalidPackageVersion = errors.New("The package version is invalid")
|
|
// ErrInvalidAttachment indicates a invalid attachment
|
|
ErrInvalidAttachment = errors.New("The package attachment is invalid")
|
|
// ErrInvalidIntegrity indicates an integrity validation error
|
|
ErrInvalidIntegrity = errors.New("Failed to validate integrity")
|
|
)
|
|
|
|
var nameMatch = regexp.MustCompile(`\A((@[^\s\/~'!\(\)\*]+?)[\/])?([^_.][^\s\/~'!\(\)\*]+)\z`)
|
|
|
|
// Package represents a npm package
|
|
type Package struct {
|
|
Name string
|
|
Version string
|
|
DistTags []string
|
|
Metadata Metadata
|
|
Filename string
|
|
Data []byte
|
|
}
|
|
|
|
// PackageMetadata https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md#package
|
|
type PackageMetadata struct {
|
|
ID string `json:"_id"`
|
|
Name string `json:"name"`
|
|
Description string `json:"description"`
|
|
DistTags map[string]string `json:"dist-tags,omitempty"`
|
|
Versions map[string]*PackageMetadataVersion `json:"versions"`
|
|
Readme string `json:"readme,omitempty"`
|
|
Maintainers []User `json:"maintainers,omitempty"`
|
|
Time map[string]time.Time `json:"time,omitempty"`
|
|
Homepage string `json:"homepage,omitempty"`
|
|
Keywords []string `json:"keywords,omitempty"`
|
|
Repository Repository `json:"repository,omitempty"`
|
|
Author User `json:"author"`
|
|
ReadmeFilename string `json:"readmeFilename,omitempty"`
|
|
Users map[string]bool `json:"users,omitempty"`
|
|
License string `json:"license,omitempty"`
|
|
}
|
|
|
|
// PackageMetadataVersion documentation: https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md#version
|
|
// PackageMetadataVersion response: https://github.com/npm/registry/blob/master/docs/responses/package-metadata.md#abbreviated-version-object
|
|
type PackageMetadataVersion struct {
|
|
ID string `json:"_id"`
|
|
Name string `json:"name"`
|
|
Version string `json:"version"`
|
|
Description string `json:"description"`
|
|
Author User `json:"author"`
|
|
Homepage string `json:"homepage,omitempty"`
|
|
License string `json:"license,omitempty"`
|
|
Repository Repository `json:"repository,omitempty"`
|
|
Keywords []string `json:"keywords,omitempty"`
|
|
Dependencies map[string]string `json:"dependencies,omitempty"`
|
|
DevDependencies map[string]string `json:"devDependencies,omitempty"`
|
|
PeerDependencies map[string]string `json:"peerDependencies,omitempty"`
|
|
Bin map[string]string `json:"bin,omitempty"`
|
|
OptionalDependencies map[string]string `json:"optionalDependencies,omitempty"`
|
|
Readme string `json:"readme,omitempty"`
|
|
Dist PackageDistribution `json:"dist"`
|
|
Maintainers []User `json:"maintainers,omitempty"`
|
|
}
|
|
|
|
// PackageDistribution https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md#version
|
|
type PackageDistribution struct {
|
|
Integrity string `json:"integrity"`
|
|
Shasum string `json:"shasum"`
|
|
Tarball string `json:"tarball"`
|
|
FileCount int `json:"fileCount,omitempty"`
|
|
UnpackedSize int `json:"unpackedSize,omitempty"`
|
|
NpmSignature string `json:"npm-signature,omitempty"`
|
|
}
|
|
|
|
type PackageSearch struct {
|
|
Objects []*PackageSearchObject `json:"objects"`
|
|
Total int64 `json:"total"`
|
|
}
|
|
|
|
type PackageSearchObject struct {
|
|
Package *PackageSearchPackage `json:"package"`
|
|
}
|
|
|
|
type PackageSearchPackage struct {
|
|
Scope string `json:"scope"`
|
|
Name string `json:"name"`
|
|
Version string `json:"version"`
|
|
Date time.Time `json:"date"`
|
|
Description string `json:"description"`
|
|
Author User `json:"author"`
|
|
Publisher User `json:"publisher"`
|
|
Maintainers []User `json:"maintainers"`
|
|
Keywords []string `json:"keywords,omitempty"`
|
|
Links *PackageSearchPackageLinks `json:"links"`
|
|
}
|
|
|
|
type PackageSearchPackageLinks struct {
|
|
Registry string `json:"npm"`
|
|
Homepage string `json:"homepage,omitempty"`
|
|
Repository string `json:"repository,omitempty"`
|
|
}
|
|
|
|
// User https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md#package
|
|
type User struct {
|
|
Username string `json:"username,omitempty"`
|
|
Name string `json:"name"`
|
|
Email string `json:"email,omitempty"`
|
|
URL string `json:"url,omitempty"`
|
|
}
|
|
|
|
// UnmarshalJSON is needed because User objects can be strings or objects
|
|
func (u *User) UnmarshalJSON(data []byte) error {
|
|
switch data[0] {
|
|
case '"':
|
|
if err := json.Unmarshal(data, &u.Name); err != nil {
|
|
return err
|
|
}
|
|
case '{':
|
|
var tmp struct {
|
|
Username string `json:"username"`
|
|
Name string `json:"name"`
|
|
Email string `json:"email"`
|
|
URL string `json:"url"`
|
|
}
|
|
if err := json.Unmarshal(data, &tmp); err != nil {
|
|
return err
|
|
}
|
|
u.Username = tmp.Username
|
|
u.Name = tmp.Name
|
|
u.Email = tmp.Email
|
|
u.URL = tmp.URL
|
|
}
|
|
return nil
|
|
}
|
|
|
|
// Repository https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md#version
|
|
type Repository struct {
|
|
Type string `json:"type"`
|
|
URL string `json:"url"`
|
|
}
|
|
|
|
// PackageAttachment https://github.com/npm/registry/blob/master/docs/REGISTRY-API.md#package
|
|
type PackageAttachment struct {
|
|
ContentType string `json:"content_type"`
|
|
Data string `json:"data"`
|
|
Length int `json:"length"`
|
|
}
|
|
|
|
type packageUpload struct {
|
|
PackageMetadata
|
|
Attachments map[string]*PackageAttachment `json:"_attachments"`
|
|
}
|
|
|
|
// ParsePackage parses the content into a npm package
|
|
func ParsePackage(r io.Reader) (*Package, error) {
|
|
var upload packageUpload
|
|
if err := json.NewDecoder(r).Decode(&upload); err != nil {
|
|
return nil, err
|
|
}
|
|
|
|
for _, meta := range upload.Versions {
|
|
if !validateName(meta.Name) {
|
|
return nil, ErrInvalidPackageName
|
|
}
|
|
|
|
v, err := version.NewSemver(meta.Version)
|
|
if err != nil {
|
|
return nil, ErrInvalidPackageVersion
|
|
}
|
|
|
|
scope := ""
|
|
name := meta.Name
|
|
nameParts := strings.SplitN(meta.Name, "/", 2)
|
|
if len(nameParts) == 2 {
|
|
scope = nameParts[0]
|
|
name = nameParts[1]
|
|
}
|
|
|
|
if !validation.IsValidURL(meta.Homepage) {
|
|
meta.Homepage = ""
|
|
}
|
|
|
|
p := &Package{
|
|
Name: meta.Name,
|
|
Version: v.String(),
|
|
DistTags: make([]string, 0, 1),
|
|
Metadata: Metadata{
|
|
Scope: scope,
|
|
Name: name,
|
|
Description: meta.Description,
|
|
Author: meta.Author.Name,
|
|
License: meta.License,
|
|
ProjectURL: meta.Homepage,
|
|
Keywords: meta.Keywords,
|
|
Dependencies: meta.Dependencies,
|
|
DevelopmentDependencies: meta.DevDependencies,
|
|
PeerDependencies: meta.PeerDependencies,
|
|
OptionalDependencies: meta.OptionalDependencies,
|
|
Bin: meta.Bin,
|
|
Readme: meta.Readme,
|
|
},
|
|
}
|
|
|
|
for tag := range upload.DistTags {
|
|
p.DistTags = append(p.DistTags, tag)
|
|
}
|
|
|
|
p.Filename = strings.ToLower(fmt.Sprintf("%s-%s.tgz", name, p.Version))
|
|
|
|
attachment := func() *PackageAttachment {
|
|
for _, a := range upload.Attachments {
|
|
return a
|
|
}
|
|
return nil
|
|
}()
|
|
if attachment == nil || len(attachment.Data) == 0 {
|
|
return nil, ErrInvalidAttachment
|
|
}
|
|
|
|
data, err := base64.StdEncoding.DecodeString(attachment.Data)
|
|
if err != nil {
|
|
return nil, ErrInvalidAttachment
|
|
}
|
|
p.Data = data
|
|
|
|
integrity := strings.SplitN(meta.Dist.Integrity, "-", 2)
|
|
if len(integrity) != 2 {
|
|
return nil, ErrInvalidIntegrity
|
|
}
|
|
integrityHash, err := base64.StdEncoding.DecodeString(integrity[1])
|
|
if err != nil {
|
|
return nil, ErrInvalidIntegrity
|
|
}
|
|
var hash []byte
|
|
switch integrity[0] {
|
|
case "sha1":
|
|
tmp := sha1.Sum(data)
|
|
hash = tmp[:]
|
|
case "sha512":
|
|
tmp := sha512.Sum512(data)
|
|
hash = tmp[:]
|
|
}
|
|
if !bytes.Equal(integrityHash, hash) {
|
|
return nil, ErrInvalidIntegrity
|
|
}
|
|
|
|
return p, nil
|
|
}
|
|
|
|
return nil, ErrInvalidPackage
|
|
}
|
|
|
|
func validateName(name string) bool {
|
|
if strings.TrimSpace(name) != name {
|
|
return false
|
|
}
|
|
if len(name) == 0 || len(name) > 214 {
|
|
return false
|
|
}
|
|
return nameMatch.MatchString(name)
|
|
}
|