resolved several open issues (#43)
* added 'invalid_uri_scheme'

* added tests for wrong path and invalid uri scheme

* adding line separator test and some refactoring

* adding the securitytxt.org summary for the security.txt

* changed the line separator check

* bump to version 0.8

* fix for invalid_cert issue reported twice

* added an error if a signed security.txt is not correctly formatted according to the RFC

* bumped version to 0.8.1 for bug fix

* changed the wrong pgp message

---------

Co-authored-by: SanderKools <[email protected]>
SanderKools-Ordina and SanderKools authored Feb 21, 2023
1 parent 4495590 commit 0143a96
Showing 3 changed files with 15 additions and 4 deletions.
1 change: 1 addition & 0 deletions README.md
Expand Up @@ -72,6 +72,7 @@ a dict with three keys:
| "empty_value" | "Field value must not be empty." |
| "invalid_line" | "Line must contain a field name and value, unless the line is blank or contains a comment." |
| "no_line_separators" | "Every line must end with either a carriage return and line feed characters or just a line feed character" |
| "signed_format_issue"| "Signed security.txt files must start with the begin pgp signed message as the document header" |

### Possible recommendations

12 changes: 8 additions & 4 deletions sectxt/__init__.py
Expand Up @@ -18,7 +18,7 @@
import dateutil.parser
import requests

__version__ = "0.8"
__version__ = "0.8.1"

s = requests.Session()

Expand Down Expand Up @@ -120,7 +120,11 @@ def _parse_line(self, line: str) -> LineDict:
if self._signed and not self._reading_sig and line.startswith("- "):
line = line[2:]

if line == "-----BEGIN PGP SIGNED MESSAGE-----" and self._line_no == 1:
if line == "-----BEGIN PGP SIGNED MESSAGE-----":
if self._line_no != 1:
self._add_error(
"signed_format_issue",
"Signed security.txt files must start with the begin pgp signed message as the document header")
self._signed = True
return {"type": "pgp_envelope", "field_name": None, "value": line}

Expand Down Expand Up @@ -357,8 +361,8 @@ def _process(self) -> None:
try:
resp = requests.get(url, timeout=5)
except requests.exceptions.SSLError:
self._add_error("invalid_cert", "security.txt must be "
"served with a valid TLS certificate.")
if not any(d['code'] == 'invalid_cert' for d in self._errors):
self._add_error("invalid_cert", "security.txt must be served with a valid TLS certificate.")
try:
resp = requests.get(url, timeout=5, verify=False)
except:
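Review bot: In the `_parse_line` hunk the rewritten `if line == "-----BEGIN PGP SIGNED MESSAGE-----":` branch no longer requires line 1, so any later line equal to the marker (a second header inside a document that is already signed, for example) re-enters the branch, sets `_signed` again and appends another `signed_format_issue` — the same duplicate-report problem the `invalid_cert` hunk below works around with an `any()` scan over `self._errors`. Guarding the branch on the parser state keeps the error to a single report and leaves the first header as the only state change: `if line == "-----BEGIN PGP SIGNED MESSAGE-----" and not self._signed:`. For the `invalid_cert` fix, a per-code "already reported" check inside `_add_error` would be cleaner than repeating the `any(d['code'] == ... for d in self._errors)` scan at each call site, though `_add_error` itself is outside these hunks, as are the rest of `_parse_line` and `_process`; the bare `except:` that follows the `verify=False` retry is pre-existing context, not part of this change.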
6 changes: 6 additions & 0 deletions test/test_sectxt.py
Expand Up @@ -140,6 +140,12 @@ def test_signed_dash_escaped(self):
p = Parser(content)
self.assertTrue(p.is_valid())

def test_pgp_signed_formatting(self):
content = "\r\n" + _signed_example
p = Parser(content)
self.assertFalse(p.is_valid())
self.assertTrue(any(d['code'] == 'signed_format_issue' for d in p.errors))

def test_unknown_fields(self):
# Define a security.txt that contains unknown fields (but is valid).
# The fields Last-updated and Unknown, should be marked as unknown.
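Review bot: `test_pgp_signed_formatting` only checks that `signed_format_issue` is present somewhere in `p.errors`, so it would still pass if the parser reported the misplaced header more than once or flagged every later line; asserting the count pins the intended behaviour, e.g. `self.assertEqual(1, sum(d['code'] == 'signed_format_issue' for d in p.errors))`. A second case that puts a non-blank line (a comment) before the header rather than a bare `"\r\n"` would also show the check is about line position, not about leading whitespace. `_signed_example` and the enclosing test class are defined outside this hunk.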
