ngclient: consistently encode URLs #1634

jku · 2021-10-25T07:25:17Z

Currently we do not explicitly URL-encode rolenames (or target paths) when we use them in URLs. Let's review this code and make a conscious decisions about this.

My original thinking on this was that it's a specification issue: we can't just start encoding e.g. rolenames if the spec does not say we should... but thinking on it further I've started to believe that

spec should specify how URLS are formed and what must be URL encoded and when
but we can be more explicit in ngclient before that: it should not break anything that currently works

The latter point is true because requests (the http library) already encodes everything that would be illegal in a URL behind our backs: so emojis, non-ascii characters, most symbols are already being encoded, just not explicitly by us. Only some specific symbols that may be valid in URLs are maybe not encoded (examples: /, #, ?, &).

My current thinking is:

we should not require rolenames to be encoded: they are just strings
we should encode rolenames before using them in URLs. This should not break any reasonable rolename and is going to be safer

I am not as sure about target paths: they are URL-paths and we could just require them to be URL-encoded already (and maybe even validate that they are encoded?). At the very least we can't encode "/" in target paths because it's valid in a path: this leads me to think we should just require the target path to be correctly encoded already? An additional wrinkle for target paths is that the spec requires us to actually modify the path in quite tricky ways for consistent targets...

kairoaraujo · 2021-12-08T10:34:14Z

I want to work on this issue.

This commit explicitly encodes role names. Also, a slight change in the RepositorySimulator will align with the tests. This commit partially covers issue theupdateframework#1634 Signed-off-by: Kairo de Araujo <[email protected]>

This commit explicitly encodes role names. Mostly this encoding is already happening in ``requests`` for what is not a URL. The "/" in a role name will now be encoded. Also, a slight change in the RepositorySimulator will align with the tests. This commit partially covers issue theupdateframework#1634 Signed-off-by: Kairo de Araujo <[email protected]>

kairoaraujo · 2022-01-20T13:55:38Z

Should we close this one? 🤔 or at least remove the 1.0.0 blocker tag?

jku · 2022-01-25T14:21:32Z

I think it's done:

rolenames in URLs are now handled explicitly (practical results are 99.9% same as before but now the encoding is visible and testable)
target urls do use hashes and targetpath (that both come from remote) but there isn't really anything we can do -- I suppose we could test that they are valid url parts or look for constructs like "../" in them... but I don't see major benefits from doing so.

Closing.

jku added the ngclient label Oct 25, 2021

sechkova added the backlog Issues to address with priority for current development goals label Oct 27, 2021

sechkova added this to the Sprint 14 milestone Dec 8, 2021

jku mentioned this issue Dec 8, 2021

Version 1.0 release strategy #1645

Closed

sechkova assigned kairoaraujo Dec 8, 2021

kairoaraujo mentioned this issue Jan 6, 2022

Explicit encode role names #1759

Merged

3 tasks

jku added the 1.0.0 blockers To be addressed before 1.0.0 release label Jan 12, 2022

jku modified the milestones: Sprint 14, Sprint 15 Jan 12, 2022

jku closed this as completed Jan 25, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

ngclient: consistently encode URLs #1634

ngclient: consistently encode URLs #1634

jku commented Oct 25, 2021 •

edited

Loading

kairoaraujo commented Dec 8, 2021

kairoaraujo commented Jan 20, 2022

jku commented Jan 25, 2022

ngclient: consistently encode URLs #1634

ngclient: consistently encode URLs #1634

Comments

jku commented Oct 25, 2021 • edited Loading

kairoaraujo commented Dec 8, 2021

kairoaraujo commented Jan 20, 2022

jku commented Jan 25, 2022

jku commented Oct 25, 2021 •

edited

Loading