feat(conf): allow only npm.yandex-team.ru for tarballs

3a6842acece105b7a4de5c3c9a89c1ad78558140

1 files changed, 16 insertions, 4 deletions

diff --git a/build/plugins/lib/nots/package_manager/base/lockfile.py b/build/plugins/lib/nots/package_manager/base/lockfile.py
index 0dcccb40ef..5ff0cbf449 100644
--- a/build/plugins/lib/nots/package_manager/base/lockfile.py
+++ b/build/plugins/lib/nots/package_manager/base/lockfile.py
@@ -4,6 +4,17 @@ from abc import ABCMeta, abstractmethod
 from six import add_metaclass
 
 
+class LockfilePackageMetaInvalidError(RuntimeError):
+    pass
+
+
+def is_tarball_url_valid(tarball_url):
+    if not tarball_url.startswith("https://") and not tarball_url.startswith("http://"):
+        return True
+
+    return tarball_url.startswith("https://npm.yandex-team.ru/") or tarball_url.startswith("http://npm.yandex-team.ru/")
+
+
 class LockfilePackageMeta(object):
     """
     Basic struct representing package meta from lockfile.
@@ -16,6 +27,11 @@ class LockfilePackageMeta(object):
         return LockfilePackageMeta(*s.strip().split(" "))
 
     def __init__(self, key, tarball_url, sky_id, integrity, integrity_algorithm):
+        if not is_tarball_url_valid(tarball_url):
+            raise LockfilePackageMetaInvalidError(
+                "tarball can only point to npm.yandex-team.ru, got {}".format(tarball_url)
+            )
+
         # http://npm.yandex-team.ru/@scope%2fname/-/name-0.0.1.tgz
         parts = tarball_url.split("/")
 
@@ -37,10 +53,6 @@ class LockfilePackageMeta(object):
         return pkg_uri
 
 
-class LockfilePackageMetaInvalidError(RuntimeError):
-    pass
-
-
 @add_metaclass(ABCMeta)
 class BaseLockfile(object):
     @classmethod