From 58026c86978c6e356e5e07f29ecfdccbf8829918 Mon Sep 17 00:00:00 2001
From: Topaz T
Date: Tue, 5 Sep 2023 16:46:35 +0300
Subject: [PATCH] feat: validate versions to ensure they dont begin with special characters (#47)

Signed-off-by: Topaz Turkenitz
---
 src/package-url.js | 8 ++++++++
 test/data/test-suite-data.json | 12 ++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/src/package-url.js b/src/package-url.js
index d931bcf..b1e72b9 100644
--- a/src/package-url.js
+++ b/src/package-url.js
@@ -174,6 +174,14 @@ class PackageURL {
 if (path.includes('@')) {
 let index = path.indexOf('@');
 version = decodeURIComponent(path.substring(index + 1));
+
+ // Check that version doesnt contain special characters by checking if first char can be encoded
+ let tempEncoded = encodeURIComponent(version[0]);
+ let tempDecoded = decodeURIComponent(version[0]);
+
+ if (tempDecoded !== tempEncoded) {
+ throw new Error('Invalid purl: version should not include special characters');
+ }
 remainder = path.substring(0, index);
 } else {
 remainder = path;
diff --git a/test/data/test-suite-data.json b/test/data/test-suite-data.json
index 220d079..5fad477 100644
--- a/test/data/test-suite-data.json
+++ b/test/data/test-suite-data.json
@@ -370,5 +370,17 @@
 "qualifiers": null,
 "subpath": null,
 "is_invalid": false
+ },
+ {
+ "description": "invalid maven purl",
+ "purl": "pkg:maven/org.apache.commons/io@@1.4.0",
+ "canonical_purl": "pkg:maven/org.apache.commons/io@@1.4.0",
+ "type": null,
+ "namespace": null,
+ "name": "io",
+ "version": null,
+ "qualifiers": null,
+ "subpath": null,
+ "is_invalid": true
 }
 ]
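Review bot: The new `tempDecoded` line can itself throw: `version` has already been decoded on the line above, so a version sent as `%25...` leaves `version[0]` as a bare `%`, and `decodeURIComponent('%')` raises a `URIError` instead of the intended `Invalid purl` error. Because the check runs on the decoded string, a leading character the sender did percent-encode (e.g. `%40`) is rejected just like a raw `@`, while an empty version (path ending in `@`) slips through since `version[0]` is `undefined` and both sides compare as the string `"undefined"`. Validating the raw, still-encoded substring before decoding avoids all three, keeping the empty case as it behaves today: `const rawVersion = path.substring(index + 1);` then `if (rawVersion.length > 0 && rawVersion[0] !== '%' && encodeURIComponent(rawVersion[0]) !== rawVersion[0]) {` in front of the existing throw, followed by `version = decodeURIComponent(rawVersion);`. The two `let` bindings are never reassigned and should be `const`, and the comment's `doesnt` should read `doesn't`. The enclosing method starts and ends outside the hunk.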
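Review bot: The new fixture exercises only the doubled-`@` case, so the path in the matching src/package-url.js change where `decodeURIComponent(version[0])` is applied to a decoded `%` (a version sent as `%25...`) has no coverage; a second entry with a constructed purl such as `pkg:maven/org.apache.commons/io@%25x` and `"is_invalid": true` would pin which error that input is expected to produce. This entry also sets `"name": "io"` while the other parsed fields of the invalid purl are null; whether invalid entries are expected to carry parsed fields depends on how the test harness reads them, which is outside this hunk.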