
purl containing a query parameter repository_url with own (encoded) query parameters not handled correctly?

Open Festus1248 opened this issue 2 years ago • 2 comments

Hi there,

...maybe this is just a misunderstanding on my side, but when I create a purl object for a purl like this pkg:oci/azure-cli@sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b?repository_url=index.docker.io%2Fbitnami%2Fazure-cli&arch=amd64 it seems that the (encoded) query parameter from the query parameter repository_url is handled as a separate query parameter of the purl and not of the repository_url. The result is:

```
PackageURL {
  type: 'oci',
  name: 'azure-cli',
  namespace: null,
  version: 'sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b',
  qualifiers: {
    repository_url: 'index.docker.io/bitnami/azure-cli',
    arch: 'amd64'
  },
  subpath: null
}
```

My expectation would have been:

```
PackageURL {
  type: 'oci',
  name: 'azure-cli',
  namespace: null,
  version: 'sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b',
  qualifiers: {
    repository_url: 'index.docker.io/bitnami/azure-cli&arch=amd64'
  },
  subpath: null
}
```

Is my expectation wrong or is this a bug?

Festus1248 avatar Apr 14 '23 13:04 Festus1248

Hi there,

...small correction from my side: the example I provided above is, in reference to the purl specification, not a correct purl, since the value of the qualifier repository_url is not percent-encoded.

But if you try with a correct purl like pkg:oci/azure-cli@sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b?repository_url=index.docker.io%2Fbitnam%2Fazure-cli%26arch%3Damd64 and you transform this into a PackageURL object and back to a string (with toString()), then the result differs from the input. See the following test, which fails:

```js
import { PackageURL } from 'packageurl-js';

// Spec-conformant purl: '/', '&' and '=' inside the repository_url value are percent-encoded.
const purl = 'pkg:oci/azure-cli@sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b?repository_url=index.docker.io%2Fbitnam%2Fazure-cli%26arch%3Damd64';

// Jest test: parsing and serialising again should give back exactly the input.
test('purl round-trips through fromString/toString', () => {
  expect(PackageURL.fromString(purl).toString()).toBe(purl);
});
```

After the toString() method, the qualifier value contains '/', which is not percent-encoded.

Sorry for the confusion!

Festus1248 avatar Apr 17 '23 13:04 Festus1248

Related to https://github.com/package-url/purl-spec/issues/39

jdalton avatar May 17 '24 21:05 jdalton

This is handled in https://github.com/package-url/packageurl-js/pull/73 by using URLSearchParams to encode and then turning + into %20 for better portability. I sided with the Rust implementation.

Also leveraging standard URLSearchParams. Deferring to standard encoders like URLSearchParams and encodeURIComponent for base encoding and then applying tweaks allows for less chances of mistakes (I trust standard implementations over myself).

jdalton avatar Aug 14 '24 21:08 jdalton
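The failing round-trip from the corrected report above and the URLSearchParams-then-`+`-to-`%20` approach described in this comment, as an added example that is not packageurl-js code; `parseQualifiers`, `encodeQualifiers`, `naiveEncodeQualifiers` and `roundTripPurl` are names chosen for this illustration, and the sample purl is the one from the issue.

```javascript
// Added example (not packageurl-js code): parse a purl's qualifier query with
// URLSearchParams and re-serialise it so that '/', '&' and '=' inside a value
// stay percent-encoded and the purl round-trips unchanged.

function parseQualifiers(query) {
  // URLSearchParams splits only on unescaped '&' and '=' and decodes %XX and '+'.
  const qualifiers = {};
  for (const [key, value] of new URLSearchParams(query)) {
    qualifiers[key.toLowerCase()] = value; // qualifier keys are case-insensitive
  }
  return qualifiers;
}

function encodeQualifiers(qualifiers) {
  const params = new URLSearchParams();
  for (const key of Object.keys(qualifiers).sort()) {
    if (qualifiers[key] !== '') params.append(key, qualifiers[key]); // drop empty values
  }
  // The form-urlencoded serialiser writes a space as '+'; purl wants %20.
  return params.toString().replace(/\+/g, '%20');
}

// Variant that un-escapes '/' after encoding: reproduces the bare '/' the issue reports.
function naiveEncodeQualifiers(qualifiers) {
  return Object.keys(qualifiers).sort()
    .map((k) => `${k}=${encodeURIComponent(qualifiers[k]).replace(/%2F/gi, '/')}`)
    .join('&');
}

// Round-trip only the qualifier part of a purl; a subpath after '#' is kept as-is.
function roundTripPurl(purl) {
  const hash = purl.indexOf('#');
  const end = hash === -1 ? purl.length : hash;
  const q = purl.indexOf('?');
  if (q === -1 || q > end) return purl;
  const query = encodeQualifiers(parseQualifiers(purl.slice(q + 1, end)));
  return purl.slice(0, q) + '?' + query + purl.slice(end);
}

// Constructed input, taken from the corrected example in the issue.
const PURL = 'pkg:oci/azure-cli@sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b'
  + '?repository_url=index.docker.io%2Fbitnam%2Fazure-cli%26arch%3Damd64';

console.log(roundTripPurl(PURL) === PURL); // true
console.log(naiveEncodeQualifiers(parseQualifiers('repository_url=a%2Fb'))); // repository_url=a/b
```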

Closed by #73

jdalton avatar Aug 16 '24 22:08 jdalton