Moving this from a code review comment to a new issue because I decided it made more sense to merge the giant regex as an intermediate solution.
I love a ridiculous regex, but I think this is going to be hard to maintain and
it's almost certainly going to be vulnerable to regex denial of service.
Options:

- does anyone have a library for validating CPE strings we could leverage?
- In lieu of this, can we split on `:` and evaluate each piece separately with an explanation of what we're looking for in the comments?
- In lieu of this, can we split on `:` and only evaluate the parts we're going to use later? (e.g. vendor, product, version = cpe[2], cpe[3], cpe[4])
- In lieu of this, maybe we should validate and sanitize only vendor, product, version after the existing split?
I'm leaning towards the last one as potentially the right solution since that would allow us to have some util functions for sanitize_vendor(), sanitize_product(), sanitize_version() that we could re-use elsewhere in purl and triage work.
Originally posted by @terriko in #4014 (comment)
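One way to implement the last option, as an added example that is not the project's own code: it assumes the CPE 2.2 URI form `cpe:/a:vendor:product:version...` (which is what the `cpe[2]`, `cpe[3]`, `cpe[4]` indices above correspond to), a constructed per-component character whitelist and a length cap, and avoids regexes entirely so there is no backtracking for a crafted input to blow up.

```python
from typing import NamedTuple

# Constructed whitelist (an assumption, not the CPE spec): lowercase letters,
# digits and a little punctuation. A set-membership scan is linear in the input
# length, so unlike a nested-quantifier regex it cannot be driven into ReDoS.
_ALLOWED = frozenset("abcdefghijklmnopqrstuvwxyz0123456789._-+~%*")
_MAX_LEN = 256  # hard cap so a huge component is rejected before any further work


class CPEParts(NamedTuple):
    vendor: str
    product: str
    version: str


def _sanitize_component(value: str, field: str) -> str:
    """Validate one colon-separated component; raise ValueError on anything odd."""
    if not value or len(value) > _MAX_LEN:
        raise ValueError(f"{field}: empty or longer than {_MAX_LEN} characters")
    bad = set(value) - _ALLOWED
    if bad:
        raise ValueError(f"{field}: disallowed characters {sorted(bad)}")
    return value


# The reusable helpers the issue suggests, usable in purl/triage code as well.
def sanitize_vendor(value: str) -> str:
    return _sanitize_component(value, "vendor")


def sanitize_product(value: str) -> str:
    return _sanitize_component(value, "product")


def sanitize_version(value: str) -> str:
    return _sanitize_component(value, "version")


def parse_cpe(cpe: str) -> CPEParts:
    """Split on ':' and sanitize only the three fields used downstream."""
    parts = cpe.split(":")
    if len(parts) < 5 or parts[0] != "cpe" or not parts[1].startswith("/"):
        raise ValueError("not a CPE 2.2 URI (expected cpe:/<part>:vendor:product:version)")
    return CPEParts(sanitize_vendor(parts[2]), sanitize_product(parts[3]), sanitize_version(parts[4]))


def is_valid_cpe(cpe: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        parse_cpe(cpe)
        return True
    except ValueError:
        return False
```

Any trailing components (update, edition, language) are left untouched because nothing later uses them, which is the point of the last option.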