fix: validate module names to disallow unallowed characters (#12025)

2025-03-28 22:39:39 +05:30
parent e998366aba
commit 2f7eb0ee03
5 changed files with 91 additions and 0 deletions
--- a/.changeset/strange-sloths-hope.md
+++ b/.changeset/strange-sloths-hope.md
@@ -0,0 +1,6 @@
+---
+"@medusajs/medusa": patch
+"@medusajs/utils": patch
+---
+
+fix: validate module names to disallow unallowed characters
--- a/packages/core/utils/src/common/tests/validate-module-name.spec.ts
+++ b/packages/core/utils/src/common/tests/validate-module-name.spec.ts
@@ -0,0 +1,54 @@
+import { validateModuleName } from "../validate-module-name"
+
+describe("validateModuleName", function () {
+  it("should disallow variable unsafe module names", function () {
+    const expectations = [
+      {
+        input: "hello-world",
+        state: "fail",
+      },
+      {
+        input: "hello_world",
+        state: "pass",
+      },
+      {
+        input: "1st_plugin",
+        state: "fail",
+      },
+      {
+        input: "plugin_1st",
+        state: "pass",
+      },
+      {
+        input: "acme.module",
+        state: "fail",
+      },
+      {
+        input: "acme$module",
+        state: "fail",
+      },
+      {
+        input: "$module",
+        state: "fail",
+      },
+      {
+        input: "_private_module",
+        state: "pass",
+      },
+      {
+        input: "acme&corp_module",
+        state: "fail",
+      },
+    ]
+
+    expectations.forEach((expectation) => {
+      if (expectation.state === "fail") {
+        expect(() => validateModuleName(expectation.input)).toThrow(
+          `Invalid module name "${expectation.input}". Module names must be alpha numeric and may contain an underscore`
+        )
+      } else {
+        expect(() => validateModuleName(expectation.input)).not.toThrow()
+      }
+    })
+  })
+})
--- a/packages/core/utils/src/common/index.ts
+++ b/packages/core/utils/src/common/index.ts
@@ -85,3 +85,4 @@ export * from "./unflatten-object-keys"
 export * from "./upper-case-first"
 export * from "./validate-handle"
 export * from "./wrap-handler"
+export * from "./validate-module-name"
--- a/packages/core/utils/src/common/validate-module-name.ts
+++ b/packages/core/utils/src/common/validate-module-name.ts
@@ -0,0 +1,25 @@
+/**
+ * Validates the module name to be variable safe. Since we generate
+ * a lot of code, types under the hood using the module name we
+ * have ensure that each module name is variable safe.
+ *
+ * Ofcourse, we can transform the module name to a variable safe value,
+ * but that might result into naming conflicts. For example: There are
+ * two module named as
+ *
+ * - sanity-products
+ * - sanity_products
+ *
+ * After transforming them, they will endup with the same output. This is
+ * a very simple example, but cases like these will lead to naming
+ * conflicts, so its better to use the names as it is and restrict
+ * them to be variable safe
+ */
+const RE = /^[a-zA-Z_][0-9a-zA-Z_]*$/
+export function validateModuleName(name: string) {
+  if (!RE.test(name)) {
+    throw new Error(
+      `Invalid module name "${name}". Module names must be alpha numeric and may contain an underscore`
+    )
+  }
+}
--- a/packages/medusa/src/loaders/index.ts
+++ b/packages/medusa/src/loaders/index.ts
@@ -19,6 +19,7 @@ import {
  GraphQLSchema,
  mergePluginModules,
  promiseAll,
+  validateModuleName,
 } from "@medusajs/framework/utils"
 import { WorkflowLoader } from "@medusajs/framework/workflows"
 import { asValue } from "awilix"
@@ -150,6 +151,10 @@ export default async ({
  const plugins = await getResolvedPlugins(rootDirectory, configModule, true)
  mergePluginModules(configModule, plugins)

+  Object.keys(configModule.modules ?? {}).forEach((key) => {
+    validateModuleName(key)
+  })
+
  const linksSourcePaths = plugins.map((plugin) =>
    join(plugin.resolve, "links")
  )