Fix minor holes in PEP-508 name validation #1762

Merged Apr 30, 2024 (2 commits)


@rmartin16 (Member) commented Apr 29, 2024

Changes

  • This resolves a hole in the recommended implementation of name validation from PEP-508 to avoid allowing non-ASCII values.
    The regex (run with re.IGNORECASE) is:

    ^([A-Z0-9]|[A-Z0-9][A-Z0-9._-]*[A-Z0-9])$

  • The implementation of re.IGNORECASE is ostensibly coercing the case of the input because it will match on non-ASCII.
    • This matters for, at least, İ (0x130) and K (0x212a).

>>> import re
>>> PEP508_NAME_RE = re.compile(r"^([A-Z0-9]|[A-Z0-9][A-Z0-9._-]*[A-Z0-9])$", re.IGNORECASE)
>>> 
>>> bool(PEP508_NAME_RE.match("helloworld"))
True
>>> bool(PEP508_NAME_RE.match("İstanbul"))
True
>>> bool(PEP508_NAME_RE.match("Kelvin"))
True
>>> bool(PEP508_NAME_RE.match("Æolia"))
False
>>> bool(PEP508_NAME_RE.match("jalapeño"))
False
>>> bool(PEP508_NAME_RE.match("Beyoncé"))
False
>>> bool(PEP508_NAME_RE.match("naïve"))
False

Related

PR Checklist:

  • All new features have been tested
  • All new features have been documented
  • I have read the CONTRIBUTING.md file
  • I will abide by the code of conduct

@rmartin16 (Member, Author) commented Apr 29, 2024

PEP-508 says PyPI uses this regex...and indeed, it appears they do.

However, packaging.requirements.Requirement doesn't use re.IGNORECASE....so, even if you get such a package on to PyPI, it seems likely pip or another tool will reject it at some point.
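
An added example, not code from this PR or from Briefcase: it scans every code point to list the non-ASCII characters the quoted regex accepts under re.IGNORECASE, then repeats the scan with re.ASCII added. The re.ASCII hardening, the names `non_ascii_leaks` and `is_valid_name`, and the sample names are assumptions made for illustration.

```python
import re
import sys

# Pattern and flag exactly as quoted in the PR description.
PATTERN = r"^([A-Z0-9]|[A-Z0-9][A-Z0-9._-]*[A-Z0-9])$"
UNICODE_FOLD = re.compile(PATTERN, re.IGNORECASE)

# Assumed hardening (not taken from the PR diff): re.ASCII restricts
# case-insensitive matching to the 52 ASCII letters.
ASCII_FOLD = re.compile(PATTERN, re.IGNORECASE | re.ASCII)


def non_ascii_leaks(regex):
    """Return every non-ASCII code point the regex accepts as a one-character name."""
    return [cp for cp in range(0x80, sys.maxunicode + 1) if regex.match(chr(cp))]


def is_valid_name(name):
    """Hypothetical validator: reject non-ASCII input, then check the PEP 508 shape."""
    return name.isascii() and ASCII_FOLD.match(name) is not None


# Constructed sample names; escapes keep the code points unambiguous.
SAMPLES = [
    "helloworld",
    "\u0130stanbul",  # U+0130 LATIN CAPITAL LETTER I WITH DOT ABOVE
    "\u212aelvin",    # U+212A KELVIN SIGN
    "d\u0131sk",      # U+0131 LATIN SMALL LETTER DOTLESS I
    "jalape\u00f1o",  # U+00F1, rejected by both patterns
]

if __name__ == "__main__":
    for label, regex in (("IGNORECASE", UNICODE_FOLD), ("IGNORECASE|ASCII", ASCII_FOLD)):
        leaks = ", ".join(f"U+{cp:04X}" for cp in non_ascii_leaks(regex))
        print(f"{label}: non-ASCII code points accepted: {leaks or 'none'}")
    for name in SAMPLES:
        print(f"{name!r}: weak={bool(UNICODE_FOLD.match(name))} strict={is_valid_name(name)}")
```

The scan also surfaces U+0131 (dotless i) and U+017F (long s), which case-insensitive `[A-Z]` matches in addition to the two characters named in the description.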

@rmartin16 marked this pull request as ready for review April 29, 2024 19:17
@freakboy3742 (Member) left a comment

That's an odd discrepancy, but I can't argue with the practicality. A couple of minor clarification suggestions, including preserving the symmetry of the dotless-i test case.

src/briefcase/config.py (outdated)
tests/config/test_is_valid_app_name.py (outdated)
@freakboy3742 merged commit e43a9f4 into beeware:main Apr 30, 2024
51 checks passed