NPM upload: the saj parser can pick up the wrong elements

🔥 Problem

The NPM package registry processes uploads asynchronously. In other words, it starts a background job that inspects the uploaded file.

Among other things, it will parse the package.json from the tarball and try to extract the name, version and scripts fields.

This part is implemented with Oj's Saj parser. Saj is an event-based (SAX-style) parser: it scans the JSON document and invokes a callback for each token parsed, instead of building the whole document in memory.

This logic has a flaw: it doesn't take the depth of the elements we're looking for into account. In other words, with this structure:

{
  ...
  "key": { "name" : "not_this_one" },
  "name": "test",
  ...
}

the backend will read not_this_one instead of test for the name key.

🚒 Solution

Given that we already check the size of the package.json file when we extract it from the tarball, it is safe to parse the entire document in one go.

In other words, we can simply use the regular Gitlab::Json.parse to parse the entire document and then out of this result, simply call parsed_json['name']. This access is guaranteed to return the top level name key which is what we want.
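The flaw and the fix side by side, as an added example that is not the GitLab code: a depth-unaware Saj handler picks the nested name, a depth-tracking one does not, and a full parse indexes the top level directly. The Oj::Saj callbacks are replayed from an already-parsed tree so this runs without the oj gem, and the package.json is constructed.

```ruby
require 'json'
# Constructed package.json: a nested "name" precedes the top-level one.
PACKAGE_JSON = <<~JSON
  {
    "key": { "name": "not_this_one" },
    "name": "test"
  }
JSON

# Replays Oj::Saj-style callbacks (hash_start, hash_end, add_value, each handed
# the owning key) from a parsed tree; a stand-in for the oj gem. No arrays here.
def emit_saj_events(value, handler, key = nil)
  if value.is_a?(Hash)
    handler.hash_start(key)
    value.each { |k, v| emit_saj_events(v, handler, k) }
    handler.hash_end(key)
  else
    handler.add_value(value, key)
  end
end

# The flaw: keeps the first "name" it meets, at whatever depth.
class FlawedHandler
  attr_reader :name
  def hash_start(_key); end
  def hash_end(_key); end
  def add_value(value, key)
    @name ||= value if key == 'name'
  end
end

# Depth-tracking variant: only a key directly inside the root hash counts.
class DepthAwareHandler < FlawedHandler
  def initialize; @depth = 0; end
  def hash_start(_key); @depth += 1; end
  def hash_end(_key); @depth -= 1; end
  def add_value(value, key)
    @name ||= value if key == 'name' && @depth == 1
  end
end

def name_via_saj(doc, handler)
  emit_saj_events(JSON.parse(doc), handler)
  handler.name
end

# The fix: parse the whole (size-checked) document and index the top level.
def name_via_full_parse(doc)
  JSON.parse(doc)['name']
end
```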

🔮 Other considerations

This should be backported to %17.1 and %17.0 which are the other versions that contain the saj parser.