mirror of https://github.com/verdaccio/verdaccio.git synced 2024-12-30 22:34:10 -05:00

chore(store): fix polynominal regex codeql (#4332)

Marc Bernard 2024-01-06 13:25:07 +01:00 committed by GitHub
parent 1c5106ec6f
commit e14b064a38
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
4 changed files with 46 additions and 2 deletions


@ -0,0 +1,7 @@
---
'@verdaccio/store': patch
'@verdaccio/tarball': patch
---
- Fixes polynomial regular expression when determining the file name of tarball
- Add tests for extracting tarball name


@ -4,6 +4,6 @@ export {
convertDistRemoteToLocalTarballUrls,
convertDistVersionToLocalTarballsUrl,
} from './convertDistRemoteToLocalTarballUrls';
export { getLocalRegistryTarballUri } from './getLocalRegistryTarballUri';
export { extractTarballFromUrl, getLocalRegistryTarballUri } from './getLocalRegistryTarballUri';
export { RequestOptions };


@ -0,0 +1,36 @@
import { extractTarballFromUrl } from '../src';
describe('extractTarballFromUrl', () => {
const metadata: any = {
name: 'npm_test',
versions: {
'1.0.0': {
dist: {
tarball: 'http://registry.org/npm_test/-/npm_test-1.0.0.tgz',
},
},
'1.0.1': {
dist: {
tarball: 'npm_test-1.0.1.tgz',
},
},
'1.0.2': {
dist: {
tarball: 'https://localhost/npm_test-1.0.2.tgz',
},
},
},
};
test('should return only name of tarball', () => {
expect(extractTarballFromUrl(metadata.versions['1.0.0'].dist.tarball)).toEqual(
'npm_test-1.0.0.tgz'
);
expect(extractTarballFromUrl(metadata.versions['1.0.1'].dist.tarball)).toEqual(
'npm_test-1.0.1.tgz'
);
expect(extractTarballFromUrl(metadata.versions['1.0.2'].dist.tarball)).toEqual(
'npm_test-1.0.2.tgz'
);
});
});
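Review bot: The three expectations in `should return only name of tarball` use only short, well-formed inputs, so none of them would fail if the polynomial pattern this commit targets were reintroduced. Consider adding a case that passes a long string and asserts the call returns promptly. Consider also a scoped-package URL such as `http://registry.org/@scope/pkg/-/pkg-1.0.0.tgz` (constructed example) and a URL with a query string, because the returned name is later used as an attachment key. As a style point, `const metadata: any` is not needed; the three strings can be passed directly, for example with `test.each([[url, expected], ...])`.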


@ -27,6 +27,7 @@ import { IProxy, ISyncUplinksOptions, ProxySearchParams, ProxyStorage } from '@v
import {
convertDistRemoteToLocalTarballUrls,
convertDistVersionToLocalTarballsUrl,
extractTarballFromUrl,
} from '@verdaccio/tarball';
import {
AbbreviatedManifest,
@ -1345,7 +1346,7 @@ class Storage {
// if uploaded tarball has a different shasum, it's very likely that we
// have some kind of error
if (validatioUtils.isObject(metadata.dist) && _.isString(metadata.dist.tarball)) {
const tarball = metadata.dist.tarball.replace(/.*\//, '');
const tarball = extractTarballFromUrl(metadata.dist.tarball);
if (validatioUtils.isObject(data._attachments[tarball])) {
if (
_.isNil(data._attachments[tarball].shasum) === false &&
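Review bot: The shasum comparison is gated by `validatioUtils.isObject(data._attachments[tarball])`, so if `extractTarballFromUrl` returns a different key than the old `replace(/.*\//, '')` did, the integrity check is skipped without any signal. The helper's body is not part of this commit's visible sections, so it cannot be confirmed here that it behaves the same for values with a query string, a fragment or no path, or that it does not throw on a string that fails to parse as a URL. `metadata.dist.tarball` is only checked with `_.isString` before the call. I would add a comment above the call, `// key must equal the stored attachment file name; a miss here skips the shasum check below`, and log when the lookup misses. The enclosing `Storage` method starts and ends outside this hunk.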