URL in vulnerability reference contains illegal character #1173

Open
oheger-bosch opened this issue Apr 5, 2023 · 6 comments

Comments

@oheger-bosch

We encountered a case in which this URL was returned in a vulnerability reference:
https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment::::::::

ORT converts these references to the Java URI type, which fails in this case due to an invalid character.

Not sure what would be the best way to handle such issues. Should VulnerableCode perform some validation on URLs? Or should ORT better not rely on those strings to be valid URLs?

@TG1999 (Contributor) commented Apr 5, 2023

@oheger-bosch can you please point me to the CVE for this reference, so I can check the root cause of the issue

@oheger-bosch (Author)

Hi @TG1999, this is the affected CVE: CVE-2019-17531

@sschuberth commented Apr 5, 2023

which fails in this case due to an invalid character.

Could you help us by stating which character is invalid exactly? Is it the \-escaped ampersand? (It's a bit hard to see due to GitHub's own rendering; could you maybe post the URL inside a code block?)

@oheger-bosch (Author)

Yes, I think it is the backslash that causes the trouble.

sschuberth added a commit to oss-review-toolkit/ort that referenced this issue Oct 29, 2023
Apparently, VulnerableCode sometimes returns URLs that use backslash
escaping instead of percent escaping, see [1]. Work around that issue
until it is fixed upstream.

Resolves #7364.

[1]: aboutcode-org/vulnerablecode#1173

Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
@sschuberth

BTW, there are more wrongly escaped URLs being returned by VulnerableCode, see oss-review-toolkit/ort#8040. So

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apple:swiftnio_http\/2:*:*:*:*:*:swift:*:*

should be

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apple:swiftnio_http/2:*:*:*:*:*:swift:*:*

@sschuberth commented Feb 2, 2024

Yet another case

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:hyperion_bi\+:*:*:*:*:*:*:*:*

should be

https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:hyperion_bi%2B:*:*:*:*:*:*:*:*
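The three malformed references above all fail for the same reason: a backslash is not a legal URI character under RFC 3986, so a strict parser such as java.net.URI rejects the whole string. The following is an added example, not code from ORT or VulnerableCode, showing a consumer-side check that (a) reports exactly which characters are illegal and (b) repairs the backslash escaping before handing the reference to a strict parser. It assumes that an escaped query delimiter (`&`, `+`, `=`, `#`, `?`) was meant to be percent-encoded, which matches the `\+` to `%2B` case, while any other escaped character is emitted literally, matching the `\/` to `/` case; rewriting `\&` to `%26` in the first reference is this example's assumption, since the thread does not say what that URL should have been. The sample URLs are the ones quoted in the issue.

```python
import re
from urllib.parse import quote, urlsplit, urlunsplit

# Characters RFC 3986 lets appear literally in a URI: unreserved, reserved
# (gen-delims + sub-delims) and "%" for percent-encoding. A backslash is not
# among them, which is why a strict parser such as java.net.URI rejects it.
_RFC3986_ALLOWED = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
    "-._~:/?#[]@!$&'()*+,;=%"
)

# Assumption: the backslash escapes are meant to protect query delimiters.
# These get percent-encoded; any other escaped character (e.g. "/") is kept
# literally, matching the swiftnio_http/2 case from the issue.
_QUERY_DELIMS = frozenset("&+=#?")

# The three URLs quoted in the issue, as raw strings so the backslashes survive.
SAMPLES = [
    r"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:siebel_engineering_-_installer_\&_deployment::::::::",
    r"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:apple:swiftnio_http\/2:*:*:*:*:*:swift:*:*",
    r"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true&query=cpe:2.3:a:oracle:hyperion_bi\+:*:*:*:*:*:*:*:*",
]


def illegal_chars(url: str) -> set[str]:
    """Characters in url that RFC 3986 does not allow to appear literally."""
    return {c for c in url if c not in _RFC3986_ALLOWED}


def unescape_backslashes(url: str) -> str:
    r"""Rewrite every "\X" to X, percent-encoding X when it is a query delimiter."""
    def repl(match: re.Match) -> str:
        ch = match.group(1)
        return quote(ch, safe="") if ch in _QUERY_DELIMS else ch
    return re.sub(r"\\(.)", repl, url)


def normalize_reference(url: str) -> str:
    """Return a strictly valid form of url or raise ValueError.

    Backslash escapes are repaired first; anything else illegal is reported
    rather than silently dropped, so a bad reference fails loudly here
    instead of inside a downstream strict parser.
    """
    fixed = unescape_backslashes(url)
    bad = illegal_chars(fixed)
    if bad:
        raise ValueError(f"illegal characters in reference: {sorted(bad)!r}")
    # Round-trip through the stdlib parser to confirm it is an absolute URL.
    parts = urlsplit(fixed)
    if not parts.scheme or not parts.netloc:
        raise ValueError("reference is not an absolute URL")
    return urlunsplit(parts)


if __name__ == "__main__":
    for sample in SAMPLES:
        print("illegal:", sorted(illegal_chars(sample)))
        print("fixed:  ", normalize_reference(sample))
```

Reporting the offending characters separately from repairing them is deliberate: a consumer that only knows "URISyntaxException" cannot tell a backslash-escaping bug from a truly corrupt reference, whereas the character set tells you whether a targeted upstream fix is the right remedy.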

sschuberth added a commit to oss-review-toolkit/ort that referenced this issue Feb 2, 2024
See [1].

[1]: aboutcode-org/vulnerablecode#1173

Signed-off-by: Sebastian Schuberth <sebastian@doubleopen.org>