feat: validate versions to ensure they dont begin with special charac…

…ters (#47) Signed-off-by: Topaz Turkenitz <[email protected]>
package-url · Sep 5, 2023 · 58026c8 · 58026c8
1 parent 3e0e106
commit 58026c8
Show file tree

Hide file tree

Showing 2 changed files with 20 additions and 0 deletions.
diff --git a/src/package-url.js b/src/package-url.js
@@ -174,6 +174,14 @@ class PackageURL {
     if (path.includes('@')) {
       let index = path.indexOf('@');
       version = decodeURIComponent(path.substring(index + 1));
+
+      // Check that version doesnt contain special characters by checking if first char can be encoded
+      let tempEncoded = encodeURIComponent(version[0]);
+      let tempDecoded = decodeURIComponent(version[0]);
+
+      if (tempDecoded !== tempEncoded) {
+        throw new Error('Invalid purl: version should not include special characters');
+      }
       remainder = path.substring(0, index);
     } else {
       remainder = path;

diff --git a/test/data/test-suite-data.json b/test/data/test-suite-data.json
@@ -370,5 +370,17 @@
     "qualifiers": null,
     "subpath": null,
     "is_invalid": false
+  },
+  {
+    "description": "invalid maven purl",
+    "purl": "pkg:maven/org.apache.commons/io@@1.4.0",
+    "canonical_purl": "pkg:maven/org.apache.commons/io@@1.4.0",
+    "type": null,
+    "namespace": null,
+    "name": "io",
+    "version": null,
+    "qualifiers": null,
+    "subpath": null,
+    "is_invalid": true
   }
 ]