Conversation
The conda and docker purlExists tests make real HTTP requests to external registries. The conda test was timing out on CI at the default 10s limit. Increase timeout to 30s for both network-calling tests.
…alidators
Add containsInjectionCharacters() checks to all 28 per-type validators,
rejecting shell/URL metacharacters (|, &, ;, `, $, <, >, (, ), {, }, #,
\, space, tab, newline, CR) in name and namespace components.
Previously only vscode-extension had these checks. Now every ecosystem
type validates against injection characters while respecting the purl
spec (which allows special characters in the generic type via
percent-encoding — so checks are per-type, not in the base validator).
- Enhanced 19 existing validators with injection checks
- Added new validate functions to 6 types (docker, github, gitlab,
bitbucket, hex, pypi) that previously only had normalize
- Registered all new validators in purl-type.ts
- Cocoapods: replaced \s regex with containsInjectionCharacters
(subsumes whitespace + adds shell metachar detection)
- npm/pub: already covered by URL-encoding and [a-z0-9_] checks
- Version strings intentionally NOT checked (Python epoch ! and
Maven space/& are legitimate)
- 47 new tests covering all types
…add PurlInjectionError
Architecture improvements:
- Default validator in purl-type.ts now runs injection checks for all
registered types — security is opt-out, not opt-in. Unregistered types
(used by purl spec tests) bypass the default, preserving spec compliance.
- New shared validateNoInjectionByType() helper in validate.ts eliminates
6-line injection check boilerplate from 26 per-type validators.
- Per-type validators now only contain ecosystem-specific rules.
Hardened scanner (containsInjectionCharacters):
- Added single quote (') and double quote (") detection — prevents
quote-breaking attacks in shell, SQL, and URL contexts
- Added full C0 control character range (0x00-0x1f) — catches ESC
(terminal escape sequences), BEL, vertical tab, form feed, and all
other control chars used for log/terminal injection
- Added DEL (0x7f) detection — control character used in terminal attacks
- Extracted isInjectionCharCode() for the core detection logic
- Added findInjectionCharCode() returning the offending char code
- Added formatInjectionChar() for human-readable error labels
New PurlInjectionError class:
- Subclass of PurlError — catchable as either type for flexible handling
- Exposes charCode, component, and purlType properties for programmatic
inspection by security tooling
- Error messages include the specific character found, e.g.:
'maven "namespace" component contains injection character ";" (0x3b)'
- Control characters formatted as hex: '0x1b' (not the raw ESC byte)
…ests
- Freeze PurlInjectionError instances (ObjectFreeze in constructor) and prototype — prevents property tampering on caught error objects
- Replace raw String.fromCharCode, Number.prototype.toString, and String.prototype.padStart with captured primordials (StringFromCharCode, NumberPrototypeToString, StringPrototypePadStart)
- Add unit tests verifying frozen instance, frozen prototype, and rejection of property writes/additions on error objects
- validate.ts: Array.isArray → ArrayIsArray, Object.keys → ObjectKeys
- normalize.ts: Object.entries → ObjectEntries
- vscode-extension.ts: JSON.stringify → JSONStringify
- gem.ts: Array.isArray → ArrayIsArray
- npm.ts: new Set() → new SetCtor() (2 instances)
- primordials.ts: add NumberPrototypeToString, StringFromCharCode, StringPrototypePadStart exports
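The scanner, error class and shared validator that the commits above describe, written out as an added example rather than the project's own code. It assumes PurlError is a plain Error subclass, takes the captured-primordial names from the commit text, and keeps the message format the commits quote.

```typescript
// Added example, not the project's code: scanner + PurlInjectionError modelled on the
// commit descriptions. PurlError is assumed to be a plain Error subclass.
class PurlError extends Error {}

// Captured at load time, so later tampering with String/Number prototypes
// cannot alter how error messages are built.
const StringFromCharCode = String.fromCharCode;
const NumberPrototypeToString = Number.prototype.toString;
const StringPrototypePadStart = String.prototype.padStart;
const METACHARS = '|&;`$<>(){}#\\ \t\n\r\'"';

// Shell/URL metacharacters, quotes, C0 controls (0x00-0x1f) and DEL (0x7f).
function isInjectionCharCode(code: number): boolean {
  return code <= 0x1f || code === 0x7f || METACHARS.indexOf(StringFromCharCode(code)) !== -1;
}

// First offending char code in the string, or -1 when it is clean.
function findInjectionCharCode(value: string): number {
  for (let i = 0; i < value.length; i++) {
    if (isInjectionCharCode(value.charCodeAt(i))) return value.charCodeAt(i);
  }
  return -1;
}

// Printable offenders are quoted with their hex code; control characters are hex only.
function formatInjectionChar(code: number): string {
  const hex = '0x' + StringPrototypePadStart.call(NumberPrototypeToString.call(code, 16), 2, '0');
  return code <= 0x1f || code === 0x7f ? hex : `"${StringFromCharCode(code)}" (${hex})`;
}

class PurlInjectionError extends PurlError {
  readonly charCode: number;
  readonly component: string;
  readonly purlType: string;
  constructor(purlType: string, component: string, charCode: number) {
    super(`${purlType} "${component}" component contains injection character ${formatInjectionChar(charCode)}`);
    Object.setPrototypeOf(this, new.target.prototype); // keeps instanceof working on older targets
    this.charCode = charCode;
    this.component = component;
    this.purlType = purlType;
    Object.freeze(this); // caught error objects cannot be tampered with
  }
}
Object.freeze(PurlInjectionError.prototype);

// Shared per-type check: name and namespace are scanned, version deliberately is not.
function validateNoInjectionByType(purlType: string, name: string, namespace?: string): void {
  const nsCode = namespace === undefined ? -1 : findInjectionCharCode(namespace);
  if (nsCode !== -1) throw new PurlInjectionError(purlType, 'namespace', nsCode);
  const nameCode = findInjectionCharCode(name);
  if (nameCode !== -1) throw new PurlInjectionError(purlType, 'name', nameCode);
}
```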
Summary
- Add containsInjectionCharacters() checks to all 28 per-type validators, rejecting shell/URL metacharacters (|, &, ;, `, $, <, >, (, ), {, }, #, \, space, tab, newline, CR) in name and namespace components
- … respecting the purl spec (which allows special characters in the generic type via percent-encoding)
- Version strings intentionally not checked (Python epoch !, Maven space/& are legitimate)

Changes
- Registered all new validators in purl-type.ts
- Cocoapods: replaced \s regex with containsInjectionCharacters (subsumes whitespace + adds shell metachar detection)
- npm/pub: already covered by URL-encoding and [a-z0-9_] checks respectively

Test plan
- pnpm run check --all passes
- pnpm run fix --all passes
- "1.0.0 Final" version with space still works
- ~'!()* still accepted

🤖 Generated with Claude Code