invalid purls should not be parsed

[armijnhemel]

The current packageurl package allows parsing of purls that are not valid according to the specification. Let's take this purl:

pkg:sid/@busybox.org/busybox@1.35.0

This is parsed as:

>>> import packageurl
>>> purl = 'pkg:sid/@busybox.org/busybox@1.35.0'
>>> packageurl.PackageURL.from_string(purl)
PackageURL(type='sid', namespace='@busybox.org', name='busybox', version='1.35.0', qualifiers={}, subpath=None)

which is invalid. According to section 5.2 of the ECMA standard the @ is a so called "separator character":

the Separator Characters :/@?=&# (colon ':', slash '/', at sign '@', question mark '?', equal sign '=', ampersand '&' and hash sign '#')

Section 5.3 then specifies:

'@' (at sign) is the separator between name and version

and it cannot appear anywhere else. This means that @ can never appear before the name part of a purl and reporting @busybox.org for the namespace is wrong.

[armijnhemel]

Similar:

>>> purl = 'pkg:sid/=busybox.org/busybox@1.35.0'
>>> packageurl.PackageURL.from_string(purl)
PackageURL(type='sid', namespace='=busybox.org', name='busybox', version='1.35.0', qualifiers={}, subpath=None)

>>> purl = 'pkg:sid/&busybox.org/busybox@1.35.0'
>>> packageurl.PackageURL.from_string(purl)
PackageURL(type='sid', namespace='&busybox.org', name='busybox', version='1.35.0', qualifiers={}, subpath=None)

This should not happen.

[armijnhemel]

>>> purl = 'pkg:sid/:busybox.org/busybox@1.35.0'
>>> packageurl.PackageURL.from_string(purl)
PackageURL(type='sid', namespace=':busybox.org', name='busybox', version='1.35.0', qualifiers={}, subpath=None)

Should not happen.

[pombredanne]

The parsing in that library is flexible and recovering from many common small flaws.
You should use the validation methods instead

>>> packageurl.PackageURL.validate_string(purl, True)
[ValidationMessage(severity=<ValidationSeverity.ERROR: 'error'>, message="Unexpected purl type: expected 'sid'")]
>>> purl = 'pkg:sid/:busybox.org/busybox@1.35.0'
>>> packageurl.PackageURL.validate_string(purl, True)
[ValidationMessage(severity=<ValidationSeverity.ERROR: 'error'>, message="Unexpected purl type: expected 'sid'")]
>>> purl = 'pkg:sid/=busybox.org/busybox@1.35.0'
>>> packageurl.PackageURL.validate_string(purl, strict=True)
[ValidationMessage(severity=<ValidationSeverity.ERROR: 'error'>, message="Unexpected purl type: expected 'sid'")]
>>> purl = 'pkg:sid/&busybox.org/busybox@1.35.0'
>>> packageurl.PackageURL.validate_string(purl, strict=True)
[ValidationMessage(severity=<ValidationSeverity.ERROR: 'error'>, message="Unexpected purl type: expected 'sid'")]

Note that the messages are not perfect and should be updated.

[armijnhemel]

so from_string() does not automatically validate? that feels like lost opportunity.

Also sid as the purl type is not the problem I am trying to address.

[armijnhemel]

and it cannot appear anywhere else. This means that @ can never appear before the name part of a purl and reporting @busybox.org for the namespace is wrong.

Unless I am reading the spec wrong, which is possible, because things are not always clearly worded.

[armijnhemel]

After rereading section 5.4 of the specification I have the feeling that I am correct:

The following characters shall not be percent-encoded:

    the Alphanumeric Characters
    the Punctuation Characters
    the Separator Characters when being used as PURL separators
    the colon ':', whether used as a Separator Character or otherwise
    the percent sign '%' when used to represent a percent-encoded character

meaning that the separator characters should be percent-encoded when used the way I use them in the examples. This is not validated correctly:

>>> packageurl.PackageURL.validate_string("pkg:deb/=debian/curl@7.50.3-1?arch=i386&distro=jessie")
[]
>>> packageurl.PackageURL.from_string("pkg:deb/=debian/curl@7.50.3-1?arch=i386&distro=jessie")
PackageURL(type='deb', namespace='=debian', name='curl', version='7.50.3-1', qualifiers={'arch': 'i386', 'distro': 'jessie'}, subpath=None)

[armijnhemel]

Of course, if section 5.4 should be read as "the Separator Characters when being used as PURL separators in the relevant components" (which it doesn't say, so this is ambigious).

Oh, that also doesn't work correctly:

>>> packageurl.PackageURL.validate_string("pkg:deb/debian/debian/curl@7.50.3-1?arch=i386&distro=jessie")
[]
>>> packageurl.PackageURL.from_string("pkg:deb/debian/debian/curl@7.50.3-1?arch=i386&distro=jessie")
PackageURL(type='deb', namespace='debian/debian', name='curl', version='7.50.3-1', qualifiers={'arch': 'i386', 'distro': 'jessie'}, subpath=None)

because (section 5.3):

'/' (slash) is the separator between type, namespace and name

[armijnhemel]

Section 5.3:

Where the space ' ' is permitted, it shall be percent-encoded as '%20'.

Invalid purl is accepted though:

>>> packageurl.PackageURL.validate_string("pkg:deb/debian debian/curl@7.50.3-1?arch=i386&distro=jessie")
[]
>>> packageurl.PackageURL.from_string("pkg:deb/debian debian/curl@7.50.3-1?arch=i386&distro=jessie")
PackageURL(type='deb', namespace='debian debian', name='curl', version='7.50.3-1', qualifiers={'arch': 'i386', 'distro': 'jessie'}, subpath=None)

[pombredanne]

if this is not validated correctly, that's a bug in the validation.