fix(middleware): encoding of scoped package name (#4874)

* fix(middleware): encoding of scope package name * Change order * Test description * debug * Add to tests
2024-12-16 21:56:25 -05:00 · 2024-10-01 02:31:42 -04:00 · 2024-10-01 02:31:42 -04:00 · 5bb81ebf91
commit 5bb81ebf91
parent 7902331894
3 changed files with 98 additions and 0 deletions
--- a/.changeset/nine-countries-remember.md
+++ b/.changeset/nine-countries-remember.md
@ -0,0 +1,5 @@
+---
+'@verdaccio/middleware': patch
+---
+
+fix(middleware): encoding of scope package name
--- a/packages/middleware/src/middlewares/encode-pkg.ts
+++ b/packages/middleware/src/middlewares/encode-pkg.ts
@ -1,5 +1,9 @@
+import buildDebug from 'debug';
+
 import { $NextFunctionVer, $RequestExtend, $ResponseExtend } from '../types';

+const debug = buildDebug('verdaccio:middleware:encode');
+
 /**
 * Encode / in a scoped package name to be matched as a single parameter in routes
 * @param req
@ -11,9 +15,16 @@ export function encodeScopePackage(
  res: $ResponseExtend,
  next: $NextFunctionVer
 ): void {
+  const original = req.url;
+  // If the @ sign is encoded, we need to decode it first
+  // e.g.: /%40org/pkg/1.2.3 -> /@org/pkg/1.2.3
+  if (req.url.indexOf('%40') !== -1) {
+    req.url = req.url.replace(/^\/%40/, '/@');
+  }
  if (req.url.indexOf('@') !== -1) {
    // e.g.: /@org/pkg/1.2.3 -> /@org%2Fpkg/1.2.3, /@org%2Fpkg/1.2.3 -> /@org%2Fpkg/1.2.3
    req.url = req.url.replace(/^(\/@[^\/%]+)\/(?!$)/, '$1%2F');
  }
+  debug('encodeScopePackage: %o -> %o', original, req.url);
  next();
 }
--- a/packages/middleware/test/encode.spec.ts
+++ b/packages/middleware/test/encode.spec.ts
@ -20,3 +20,85 @@ test('encode is json', async () => {
  expect(res.body).toEqual({ id: '@scope/foo' });
  expect(res.status).toEqual(HTTP_STATUS.OK);
 });
+
+test('packages with version/scope', async () => {
+  const app = getApp([]);
+  // @ts-ignore
+  app.use(encodeScopePackage);
+  // @ts-ignore
+  app.get('/:package/:version?', (req, res) => {
+    const { package: pkg, version } = req.params;
+    res.status(HTTP_STATUS.OK).json({ package: pkg, version });
+  });
+
+  const res = await request(app).get('/foo');
+  expect(res.body).toEqual({ package: 'foo' });
+  expect(res.status).toEqual(HTTP_STATUS.OK);
+
+  const res2 = await request(app).get('/foo/1.0.0');
+  expect(res2.body).toEqual({ package: 'foo', version: '1.0.0' });
+  expect(res2.status).toEqual(HTTP_STATUS.OK);
+
+  const res3 = await request(app).get('/@scope/foo');
+  expect(res3.body).toEqual({ package: '@scope/foo' });
+  expect(res3.status).toEqual(HTTP_STATUS.OK);
+
+  const res4 = await request(app).get('/@scope/foo/1.0.0');
+  expect(res4.body).toEqual({ package: '@scope/foo', version: '1.0.0' });
+  expect(res4.status).toEqual(HTTP_STATUS.OK);
+
+  const res5 = await request(app).get('/@scope%2ffoo');
+  expect(res5.body).toEqual({ package: '@scope/foo' });
+  expect(res5.status).toEqual(HTTP_STATUS.OK);
+
+  const res6 = await request(app).get('/@scope%2ffoo/1.0.0');
+  expect(res6.body).toEqual({ package: '@scope/foo', version: '1.0.0' });
+  expect(res6.status).toEqual(HTTP_STATUS.OK);
+
+  const res7 = await request(app).get('/%40scope%2ffoo');
+  expect(res7.body).toEqual({ package: '@scope/foo' });
+  expect(res7.status).toEqual(HTTP_STATUS.OK);
+
+  const res8 = await request(app).get('/%40scope%2ffoo/1.0.0');
+  expect(res8.body).toEqual({ package: '@scope/foo', version: '1.0.0' });
+  expect(res8.status).toEqual(HTTP_STATUS.OK);
+
+  const res9 = await request(app).get('/%40scope/foo');
+  expect(res9.body).toEqual({ package: '@scope/foo' });
+  expect(res9.status).toEqual(HTTP_STATUS.OK);
+
+  const res10 = await request(app).get('/%40scope/foo/1.0.0');
+  expect(res10.body).toEqual({ package: '@scope/foo', version: '1.0.0' });
+  expect(res10.status).toEqual(HTTP_STATUS.OK);
+});
+
+test('tarballs with and without scope', async () => {
+  const app = getApp([]);
+  // @ts-ignore
+  app.use(encodeScopePackage);
+  // @ts-ignore
+  app.get('/:package/-/:filename', (req, res) => {
+    const { package: pkg, filename } = req.params;
+    res.status(HTTP_STATUS.OK).json({ package: pkg, filename });
+  });
+
+  const res = await request(app).get('/foo/-/foo-1.2.3.tgz');
+  expect(res.body).toEqual({ package: 'foo', filename: 'foo-1.2.3.tgz' });
+  expect(res.status).toEqual(HTTP_STATUS.OK);
+
+  const res2 = await request(app).get('/@scope/foo/-/foo-1.2.3.tgz');
+  expect(res2.body).toEqual({ package: '@scope/foo', filename: 'foo-1.2.3.tgz' });
+  expect(res2.status).toEqual(HTTP_STATUS.OK);
+
+  const res3 = await request(app).get('/@scope%2ffoo/-/foo-1.2.3.tgz');
+  expect(res3.body).toEqual({ package: '@scope/foo', filename: 'foo-1.2.3.tgz' });
+  expect(res3.status).toEqual(HTTP_STATUS.OK);
+
+  const res4 = await request(app).get('/%40scope%2ffoo/-/foo-1.2.3.tgz');
+  expect(res4.body).toEqual({ package: '@scope/foo', filename: 'foo-1.2.3.tgz' });
+  expect(res4.status).toEqual(HTTP_STATUS.OK);
+
+  const res5 = await request(app).get('/%40scope/foo/-/foo-1.2.3.tgz');
+  expect(res5.body).toEqual({ package: '@scope/foo', filename: 'foo-1.2.3.tgz' });
+  expect(res5.status).toEqual(HTTP_STATUS.OK);
+});