Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Simplified iri validation #1269

Draft
wants to merge 3 commits into
base: master
Choose a base branch
from
Draft

Simplified iri validation #1269

wants to merge 3 commits into from

Conversation

prabhu
Copy link
Contributor

@prabhu prabhu commented Jul 23, 2024
edited
Loading

Fixes #1244

@marob Any thoughts?

Turns out that there are bugs in the URL module in node 20 and 21! My latest commit only works in node 22 onwards.

I think we need to add more tests to validate-iri to prevent any future hangs.

@prabhu
Simplified iri validation
ca313f4 
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@prabhu prabhu requested a review from setchy as a code owner July 23, 2024 20:49
@prabhu prabhu marked this pull request as draft July 23, 2024 21:15
@prabhu
Added more tests from validate-iri repo
98faafe 
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@marob
Copy link
Contributor

marob commented Jul 23, 2024
edited
Loading

This would indeed simplify the code, but:

  • as you can see here, "http://" should be considered as valid. It's not by the new code, but to be honest, it was not by the previous code either. Anyway, in worst case, we remove something that should have been valid but don't break CycloneDX spec
  • " https://gitlab.com/behat-chrome/chrome-mink-driver.git " should be considered as invalid. It's not by the new code and was correctly handled by the previous one. So it would produce invalid SBOM.

I suppose there's plenty of other cases where there's false positive/negatives.
Maybe a better solution would be to try to fix validate-iri lib to prevent infinite regex analysis?

@prabhu
Copy link
Contributor Author

prabhu commented Jul 23, 2024

Regarding 2, we always trim before validation so the given test case may not happen?

The inspiration is to go for max validation without complex regex. I found validate-iri to be too complex to fix.

@marob
Copy link
Contributor

marob commented Jul 23, 2024

Do we put the trimmed value in the SBOM or the original value?

@marob
Copy link
Contributor

marob commented Jul 23, 2024

We put the trimmed value. So it looks OK for me.

@prabhu
Added more tests from validate-iri repo
6ba4ea1 
Signed-off-by: Prabhu Subramanian <prabhu@appthreat.com>
@setchy setchy removed their request for review September 4, 2024 09:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

[validation] Improve iri validation logic
2 participants
@prabhu @marob