feat: allows package.json as package name (#1149)

Author: juanpicado

src/lib/local-storage.js

@@ -409,7 +409,7 @@ class LocalStorage implements IStorage {
       _transform.apply(uploadStream, arguments);
     };
 
-    if (name === pkgFileName || name === '__proto__') {
+    if (name === '__proto__') {
       process.nextTick(() => {
         uploadStream.emit('error', ErrorCode.getForbidden());
       });

src/lib/utils.js

@@ -75,7 +75,6 @@ function validateName(name: string): boolean {
     name.charAt(0) === '-' || // "-" is reserved by couchdb
     name === 'node_modules' ||
     name === '__proto__' ||
-    name === 'package.json' ||
     name === 'favicon.ico'
   );
 }

test/functional/sanity/security.js

@@ -9,7 +9,7 @@ export default function(server) {
     });
 
     test('should fails on fetch bad pkg #1', () => {
-      return server.getPackage('package.json')
+      return server.getPackage('__proto__')
         .status(HTTP_STATUS.FORBIDDEN)
         .body_error(/invalid package/);
     });
@@ -31,8 +31,8 @@ export default function(server) {
         });
     });
 
-    test('should fails and do not return package.json as an attachment', () => {
-      return server.request({uri: '/testpkg-sec/-/package.json'})
+    test('should fails and do not return __proto__ as an attachment', () => {
+      return server.request({uri: '/testpkg-sec/-/__proto__'})
         .status(HTTP_STATUS.FORBIDDEN)
         .body_error(/invalid filename/);
     });
@@ -49,7 +49,7 @@ export default function(server) {
     });
 
     test('should fails on fetch silly things - writing #1', () => {
-      return server.putTarball('testpkg-sec', 'package.json', '{}')
+      return server.putTarball('testpkg-sec', '__proto__', '{}')
         .status(HTTP_STATUS.FORBIDDEN)
         .body_error(/invalid filename/);
     });

test/unit/api/local-storage.spec.js

@@ -344,7 +344,7 @@ describe('LocalStorage', () => {
           stream.on('error', (err) => {
             expect(err).not.toBeNull();
             expect(err.statusCode).toEqual(HTTP_STATUS.CONFLICT);
-            expect(err.message).toMatch(/this package is already present/); 
+            expect(err.message).toMatch(/this package is already present/);
           });
           stream.on('success', function(){
             expect(spy).toHaveBeenCalled();
@@ -385,7 +385,7 @@ describe('LocalStorage', () => {
         });
 
         test('should fails on abort on add a new tarball', (done) => {
-          const stream = storage.addTarball('package.json', `${pkgName}-fails-add-tarball-1.0.4.tgz`);
+          const stream = storage.addTarball('__proto__', `${pkgName}-fails-add-tarball-1.0.4.tgz`);
           stream.abort();
           stream.on('error', function(err) {
             expect(err).not.toBeNull();

test/unit/api/utils.spec.js

@@ -59,10 +59,6 @@ describe('Utilities', () => {
       assert(validate('JSONStream'));
     });
 
-    test('no package.json', () => {
-      assert(!validate('package.json'));
-    });
-
     test('no path seps', () => {
       assert(!validate('some/thing'));
       assert(!validate('some\\thing'));