Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Don't require encoding for namespaced packages #420

Closed
scovetta opened this issue May 15, 2023 · 5 comments · Fixed by #433
Closed

Don't require encoding for namespaced packages #420

scovetta opened this issue May 15, 2023 · 5 comments · Fixed by #433
Assignees
@gfs

Comments

@scovetta
Copy link
Member

Currently, we require namespaced packages to have the @ and / symbols encoded. I don't recall precisely why this was needed, but we should fix this so that you can just have, for example:

oss-download pkg:npm/@microsoft/fast-web-utilities

Ref: #418
@scovetta scovetta mentioned this issue May 15, 2023
Closed
@gfs gfs self-assigned this May 15, 2023
@pmalmsten
Copy link
Contributor

@scovetta @gfs You might want to be careful before doing this. As I mentioned on #418, the Package URL spec expects @ to be percent-encoded in package names in order to avoid parsing ambiguity, since @ indicates that characters to the right should be interpreted as a version string. The implications of accepting package URLs that deviate from the spec might be difficult to predict.

Maybe instead we could improve the error messaging? E.g. if a given Package URL fails to parse, we could check for cases like this (e.g. the package URL looks like an npm package, with @ in the namespace position) and print a more helpful error message explaining that namespace and `name components of package URLs need to be percent-encoded?

@gfs
Copy link
Contributor

gfs commented May 16, 2023

I think the reporting user makes a fair point that even if that is what the spec says it's not very intuitive.

Particularly for handling perhaps manually typed input on a command line if we can reasonably detect this case where the @ for the namespace needs to be encoded why don't we just automatically do it on the users behalf?

@scovetta
Copy link
Member Author

Actually, I think we deviate from the spec too a bit - in at least some cases, we require the slash separator between namespace and name to be encoded. This means we get namespace=[blank] and name=foo%2fbar. I don't recall why this was needed.

// FAILS
oss-download pkg:npm/%40microsoft/fast-web-utilities

// SUCCESS
oss-download pkg:npm/%40microsoft%2ffast-web-utilities

According to the spec, that / separator between namespace and name must not be encoded.

@pmalmsten
Copy link
Contributor

Particularly for handling perhaps manually typed input on a command line if we can reasonably detect this case where the @ for the namespace needs to be encoded why don't we just automatically do it on the users behalf?

@gfs That's not an unreasonable point. I can't think of any way that might go wrong - but that said, the types of subtle bugs that can result from tolerating deviations from specs tend to be hard to predict.

If you go forward with that approach, would you mind keeping that tolerant parsing behavior at the CLI layer? For Terrapin (which consumes the Shared and oss-find-squats-lib libraries), strict compliance with spec is part of how we make sure subtle bugs in our system get surfaced while handling millions of distinct package versions. (I think those libraries primarly work with already-parsed Package URL objects so this point might be a non-issue - but I thought I would mention it just in case any part(s) of those libraries accepts package URLs as strings).

@gfs
Copy link
Contributor

gfs commented May 16, 2023 via email

gfs added a commit that referenced this issue Jun 20, 2023
@gfs
Replace @ with %40 when provided in the namespace of a purl
7741062 
In the oss-download CLI its inconvenient (and perhaps unintuitive) to the user to manually escape their @. If we detect an unescaped @ that is in the first character of a namespace component of the purl we can replace it with %40.
Fix #420
@gfs gfs mentioned this issue Jun 20, 2023
Merged
@gfs gfs closed this as completed in #433 Jun 22, 2023
gfs added a commit that referenced this issue Jun 22, 2023
@gfs
Fix Npm Project Manager's Download Version Async respecting namespaces (
bc0a736 
#433)

* Fix Npm Project Manager's Download Version Async respecting namespaces

* Replace @ with %40 when provided in the namespace of a purl

In the oss-download CLI its inconvenient (and perhaps unintuitive) to the user to manually escape their @. If we detect an unescaped @ that is in the first character of a namespace component of the purl we can replace it with %40.
Fix #420

* Update DownloadTool.cs
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@gfs gfs

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix Npm Project Manager's Download Version Async respecting namespaces microsoft/OSSGadget
3 participants
@gfs @scovetta @pmalmsten