client: add dist-git URL validation from client side

osh/client/commands/common.py

@@ -1,6 +1,11 @@
 # SPDX-License-Identifier: GPL-3.0-or-later
 # SPDX-FileCopyrightText: Copyright contributors to the OpenScanHub project.
 
+import optparse
+import sys
+from urllib.parse import urlparse, urlunparse
+
+
 def add_download_results_option(parser):
     parser.add_option(
         "-d",
@@ -121,10 +126,44 @@ def add_nvr_option(parser):
     )
 
 
+def is_valid_git_url(url):
+    try:
+        parsed_url = urlparse(url)
+        # Check for valid URL schemes, there could exist an optional 'git+' prefix
+        valid_schemes = ["http", "https", "git+http", "git+https"]
+        # special chars set, to avoid potential command injections
+        invalid_chars = set(';|&$>< \t\n\'"\\')
+
+        if parsed_url.scheme not in valid_schemes or not parsed_url.netloc or not parsed_url.path:
+            return False
+
+        # Check for invalid characters in netloc and path
+        if any(char in invalid_chars for char in parsed_url.netloc + parsed_url.path):
+            return False
+
+        # rebuild the URL, for validation/sanitization.
+        return url == urlunparse(parsed_url)
+
+    except Exception as e:  # noqa: B902
+        print('Exception:', e, file=sys.stderr)
+        return False
+
+
+def validate_git_url(option, opt_str, value, parser):
+
+    if value is None or not is_valid_git_url(value):
+        raise optparse.OptionValueError(f"Invalid dist-git URL specified: {value}")
+
+    setattr(parser.values, option.dest, value)
+
+
 def add_dist_git_url_option(parser):
     parser.add_option(
         "--git-url",
         metavar="DIST_GIT_URL",
+        action="callback",
+        type="string",
+        callback=validate_git_url,
         help="use a dist-git URL(specified by git-url) instead of a local file"
     )