The spec is a little redundant, but here are the important things it says about qualifier keys:
"must be composed only of ASCII letters and numbers, '.', '-' and '_' (period, dash and underscore)"
"cannot start with a number"
"case insensitive"
packageurl-js implements this using the expression /^[a-z]+$/i.test(key) || /[\.-_]/.test(key) (negated and simplified to make this easier to describe).
The regular expression (?i)^[a-z]+$ matches any string that consists entirely of letters. We'll call this subexpression allLetters.
The regular expression [\.-_] matches any ASCII character value between '.' and '_', which includes '/', numbers, '=', etc., but doesn't include '-'. This seems like it was meant to be [\.\-_], which matches the three characters that are called out in the spec. We'll call this corrected subexpression containsAllowedSpecial.
Substituting in those names, we get the expression allLetters || containsAllowedSpecial for determining if a qualifier key is valid. Even with the corrected regular expression, this does not match the spec. a1 is invalid because it contains a number, but it should be valid. _! is valid because it contains '_', but it should be invalid because '!' is not an allowed character.
I found this because with the incorrect regular expression, x- prefixed qualifiers are incorrectly considered to be invalid.
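As an added example (not packageurl-js's own code): the check in the simplified form the issue describes, the same check with the corrected character class, and a check written directly from the spec wording, run over the keys discussed above. The spec-derived regex, the helper names and the sample keys are my assumptions; the spec-derived check also rejects an empty key, which the spec does not address.

```javascript
// Constructed example comparing three qualifier-key validators.

// Simplified form of the packageurl-js check as quoted in the issue.
// Inside [...], "\.-_" is a range from '.' (0x2E) to '_' (0x5F): it covers
// '/', digits, ':', '=', '@' and uppercase letters, but not '-' (0x2D).
const allLetters = /^[a-z]+$/i;
const containsRangeSpecial = /[\.-_]/;
function currentKeyValid(key) {
  return allLetters.test(key) || containsRangeSpecial.test(key);
}

// Same structure with the presumably intended class [\.\-_] (three characters).
const containsAllowedSpecial = /[\.\-_]/;
function correctedRegexKeyValid(key) {
  return allLetters.test(key) || containsAllowedSpecial.test(key);
}

// Written from the spec text: ASCII letters, digits, '.', '-', '_';
// must not start with a digit; case-insensitive (uppercase accepted).
// Assumption: an empty key is rejected.
const specKey = /^[A-Za-z._-][A-Za-z0-9._-]*$/;
function specKeyValid(key) {
  return specKey.test(key);
}

// Evaluate one key under all three checks.
function compare(key) {
  return {
    current: currentKeyValid(key),
    corrected: correctedRegexKeyValid(key),
    spec: specKeyValid(key),
  };
}

// Sample keys (constructed): the issue's a1, _! and an x- prefixed key,
// plus a digit-leading key and a key containing '/'.
const sampleKeys = ['a1', '_!', 'x-foo', '1abc', 'a/b'];
for (const key of sampleKeys) {
  console.log(key.padEnd(6), compare(key));
}
```

Only the spec-derived check agrees with the spec on every sample key; the corrected class fixes the x- prefix but still rejects a1 and accepts _!.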