Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Invalid CPE regular expression #156

Closed
ctron opened this issue Feb 20, 2024 · 19 comments · Fixed by #171
Closed

Invalid CPE regular expression #156

ctron opened this issue Feb 20, 2024 · 19 comments · Fixed by #171
Assignees
Labels
investigation needed Something needs to be investigated or researched

Comments

@ctron
Copy link

ctron commented Feb 20, 2024

Running the validation for csaf_2_0 and csaf_2_0_strict, I get the following error:

"csaf_2_0: must match pattern \"^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$\"", "csaf_2_0_strict: must match pattern \"^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!\"#\\$%&'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$\""

Testing again the following CPE: cpe:/o:redhat:enterprise_linux:8::fastdatapath (which seems valid to me).

Testing with another regular expression too, I get an error that the regular expression is invalid for ECMAScript. Caused by two missing escape backslashes:

Diff:

- ^(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})$"", "csaf_2_0_strict: must match pattern "^(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})$
+ ^(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){4})|([c][pP][eE]:\/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})$"", "csaf_2_0_strict: must match pattern "^(cpe:2\.3:[aho\*\-](:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\*\-]))(:(((\?*|\*?)([a-zA-Z0-9\-\._]|(\\[\\\*\?!"#\$%&'\(\)\+,/:;<=>@\[\]\^`\{\|\}~]))+(\?*|\*?))|[\*\-])){4})|([c][pP][eE]:\/[AHOaho]?(:[A-Za-z0-9\._\-~%]*){0,6})$

image

@tschmidtb51
Copy link
Contributor

Hmm, interesting... I have to investigate that... That case did not occur in the CPE dictionary...

@ctron
Copy link
Author

ctron commented Feb 21, 2024

Maybe it depends on the regular expression implementation. But escaping the / seemed reasonable to me.

@tschmidtb51
Copy link
Contributor

I was just wondering: Is that a problem of the standard (as the pattern does not escape any /) or just an issue of the implementation?

@ctron
Copy link
Author

ctron commented Feb 21, 2024

I am not sure where the csaf-validator-lib gets the regexp from.

@tschmidtb51
Copy link
Contributor

tschmidtb51 commented Feb 21, 2024

Note to self: According to the test script the JSON schema pattern seems correct and validates also cpe:/o:redhat:enterprise_linux:8::fastdatapath 😌

@tschmidtb51
Copy link
Contributor

tschmidtb51 commented Feb 21, 2024

It might actually be implementation specific as I don't get the error when using Secvisogram. So, I wonder whether this repo is the correct place to fix it. I guess that needs a bit further investigation.

@ctron
Copy link
Author

ctron commented Feb 21, 2024

Ok, let me try dig a bit into that and find out more.

@tschmidtb51 tschmidtb51 added the investigation needed Something needs to be investigated or researched label Feb 21, 2024
@tschmidtb51
Copy link
Contributor

Ok, let me try dig a bit into that and find out more.

Thank you.

The key question for me would be: Is it allowed to omit the escaping for / in JSON. If not => CSAF standard must fix that. If yes, probably an implementation issue (as it works with nodejs).

@ctron
Copy link
Author

ctron commented Feb 21, 2024

I think this is an issue with the regexp itself. JSON just escapes this. I found this in the schema.js file, which seems to carry the schema as a JS (vs JSON):

pattern:
                '^(cpe:2\\.3:[aho\\*\\-](:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!"#\\$%&\'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){5}(:(([a-zA-Z]{2,3}(-([a-zA-Z]{2}|[0-9]{3}))?)|[\\*\\-]))(:(((\\?*|\\*?)([a-zA-Z0-9\\-\\._]|(\\\\[\\\\\\*\\?!"#\\$%&\'\\(\\)\\+,/:;<=>@\\[\\]\\^`\\{\\|\\}~]))+(\\?*|\\*?))|[\\*\\-])){4})|([c][pP][eE]:/[AHOaho]?(:[A-Za-z0-9\\._\\-~%]*){0,6})$',

That is missing the \. Now putting this into the browsers console:

image

It accepts this, but also corrects it.

@ctron
Copy link
Author

ctron commented Feb 21, 2024

Ok, so there's definitely something wrong with the whole regexp stuff, playing with that same regexp on the console of deno (works the same way with bun and node):

image

It accepts XXcpe:/o:redhat:rhel_aus:7.6::server as a valid CPE.

@ctron
Copy link
Author

ctron commented Feb 21, 2024

Which is btw the same behavior I see changing a CPE in the tests of csaf-validator-lib.

@ctron
Copy link
Author

ctron commented Feb 21, 2024

Regexps still give me a headache, still I think I understand why that is:

image

The regexp is kind of like: ^(a)|(b)$ … where it should be: ^(a|b)$.

Still, that's an additional problem, and not the one that I run into.

@tschmidtb51
Copy link
Contributor

@ctron Could you please confirm: You are using that this library via deno?

@ctron
Copy link
Author

ctron commented Feb 26, 2024

@ctron Could you please confirm: You are using that this library via deno?

Embedding this (the problem with the missing slashes) comes from an embedded deno use case. However, there's a second component to it: rollup. Testing with bun, node, deno in general leads to the same results. While I can't really reproduce it so far, my gut feeling is that this is being caused for using rollup to create the file I embed in the Rust code.

Nevertheless, the regexp still allows for values such as ABCcpe:/… on all environments, simpley as the regexp is wrong.

@tschmidtb51
Copy link
Contributor

Nevertheless, the regexp still allows for values such as ABCcpe:/… on all environments, simpley as the regexp is wrong.

True and accepted. This is tracked in oasis-tcs/csaf#693 It's up to the TC to decide, what the solution will be, please stay tuned.

@tschmidtb51
Copy link
Contributor

After reading the spec, I'm still confused what the correct answer regarding the / escaping might be, so I opened the discussion to the JSON spec authors: https://github.com/orgs/json-schema-org/discussions/684
Feel free to upvote.

@tschmidtb51
Copy link
Contributor

Nevertheless, the regexp still allows for values such as ABCcpe:/… on all environments, simpley as the regexp is wrong.

True and accepted. This is tracked in oasis-tcs/csaf#693 It's up to the TC to decide, what the solution will be, please stay tuned.

The change is now part of the current Editor Revision for CSAF 2.1.

@tschmidtb51
Copy link
Contributor

After reading the spec, I'm still confused what the correct answer regarding the / escaping might be, so I opened the discussion to the JSON spec authors: https://github.com/orgs/json-schema-org/discussions/684 Feel free to upvote.

BTW: I also started to investigate different implementations at: https://github.com/tschmidtb51/JSON-schema-pattern
Feel free to contribute.

The Node one is more or less what I would expect...

@tschmidtb51
Copy link
Contributor

I still think that the / issue is not our bug - but the TC decided to quote it in CSAF 2.1 and allow backports without loosing conformance.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
investigation needed Something needs to be investigated or researched
Projects
None yet
Development

Successfully merging a pull request may close this issue.

2 participants