From 3374b502a2b7ef8d49dbce1d1f7d6224b66c4b52 Mon Sep 17 00:00:00 2001
From: Julian Gruber <julian@juliangruber.com>
Date: Tue, 15 May 2018 12:22:22 +0200
Subject: [PATCH] fix handling of invalid semvers. closes #47

---
 index.js      | 7 +++++++
 test/index.js | 7 +++++++
 2 files changed, 14 insertions(+)

diff --git a/index.js b/index.js
index d72e6f60..ba19e70f 100644
--- a/index.js
+++ b/index.js
@@ -55,6 +55,8 @@ class Updates {
     const [account, repository, platform, version, file] = segs
     if (!account || !repository || !platform || !version) {
       redirect(res, 'https://github.com/electron/update.electronjs.org')
+    } else if (version && !semver.valid(version)) {
+      badRequest(res, `Invalid SemVer: "${version}"`)
     } else if (file === 'RELEASES') {
       await this.handleReleases(res, account, repository)
     } else {
@@ -199,6 +201,11 @@ const notFound = res => {
   res.end('Not found')
 }
 
+const badRequest = (res, message) => {
+  res.statusCode = 400
+  res.end(message)
+}
+
 const noContent = res => {
   res.statusCode = 204
   res.end()
diff --git a/test/index.js b/test/index.js
index ed6fb795..c9ba9211 100644
--- a/test/index.js
+++ b/test/index.js
@@ -181,6 +181,13 @@ test('Updates', async t => {
       }
     })
 
+    await t.test('invalid semver', async t => {
+      const res = await fetch(`${address}/owner/repo/darwin/latest`)
+      t.equal(res.status, 400)
+      const body = await res.text()
+      t.equal(body, 'Invalid SemVer: "latest"')
+    })
+
     await t.test('exists but has no releases', async t => {
       for (let i = 0; i < 2; i++) {
         const res = await fetch(