Stricter validation on non-printable characters #978

Merged
merged 1 commit into from
Dec 2, 2024
1 change: 1 addition & 0 deletions docs/releases/4.5.0.rst
Expand Up @@ -80,3 +80,4 @@ Other changes
was added, to force an authoritative database into non-strict mode.
As it's name notes, this disables many checks and all referential integrity
and is therefore strongly discouraged.
* Most non-printable characters are now stripped from all RPSL attribute values.
14 changes: 12 additions & 2 deletions irrd/rpsl/fields.py
@@ -1,5 +1,6 @@
import datetime
import re
import sys
from typing import Optional
from urllib.parse import urlparse

Expand All @@ -18,7 +19,7 @@

# This regex is not designed to catch every possible invalid variation,
# but rather meant to protect against unintentional mistakes.
# # Validate local-part @ domain | or IPv4 address | or IPv6
# # Validate local-part @ domain | or IPv4 address | or IPv6
re_email = re.compile(
r"^[A-Z0-9$!#%&\"*+\/=?^_`{|}~\\.-]+@(([A-Z0-9\\.-]+)|(\[\d+\.\d+\.\d+\.\d+\])|(\[[A-f\d:]+\]))$",
re.IGNORECASE,
Expand Down Expand Up @@ -54,6 +55,15 @@
]
reserved_prefixes = ["AS-", "RS-", "RTRS-", "FLTR-", "PRNG-"]

ALLOWED_CONTROL_CHARS = {"\n", "\r", "\t", "\u200d"}
NOPRINT_TRANS_TABLE = str.maketrans(
{
i: None
for i in range(0, sys.maxunicode + 1)
if not chr(i).isprintable() and chr(i) not in ALLOWED_CONTROL_CHARS
}
)

"""
Fields for RPSL data.

Expand Down Expand Up @@ -102,7 +112,7 @@ def __init__(
def parse(
self, value: str, messages: RPSLParserMessages, strict_validation=True
) -> Optional[RPSLFieldParseResult]:
return RPSLFieldParseResult(value)
return RPSLFieldParseResult(value.translate(NOPRINT_TRANS_TABLE))


class RPSLFieldListMixin:
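Review bot: The set removed by `NOPRINT_TRANS_TABLE` is wider than control characters and is not the same on every host, because `str.isprintable()` is false for all of the Unicode "Other" and "Separator" categories except the ASCII space and is answered from the running interpreter's Unicode tables. No-break space and the other Unicode spaces are therefore deleted outright, joining the text on either side, and a code point that an older Python still treats as unassigned is stripped there but kept on a newer one. A comment above the table would record this, for example `# Removes Unicode categories C* and Z* except ASCII space and ALLOWED_CONTROL_CHARS; depends on the interpreter's Unicode version`. In `parse` the value is altered without a trace; if submitters should be told, keep the result in a local and add `if cleaned != value: messages.info("Non-printable characters were removed")` before returning it (assuming `RPSLParserMessages` has an `info` method, which this page does not show). The class that owns `parse` starts outside the hunk, so whether subclasses that override `parse` also reach this return cannot be seen here.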
3 changes: 2 additions & 1 deletion irrd/rpsl/tests/test_fields.py
Expand Up @@ -51,7 +51,8 @@ def assert_validation_err(expected_errors, callable, *args, **kwargs):
def test_rpsl_text_field():
field = RPSLTextField()
messages = RPSLParserMessages()
assert field.parse("AS-FOO$", messages).value, "AS-FOO$"
# U+200F is RTL marker, U+200B zero width space
assert field.parse("AS-FOO🎉🏳️‍🌈\u200f\u200b\x07$ \t", messages).value == "AS-FOO🎉🏳️‍🌈$ \t"
assert not messages.errors()


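Review bot: The new assertion in `test_rpsl_text_field` covers BEL, U+200F and U+200B being removed and ZWJ and tab being kept, but leaves `\n` and `\r` from the allow-list in fields.py and the separator and bidi-override characters untested. A second constructed case would pin those, for example `assert field.parse("a\u00a0b\u202ec\r\n", messages).value == "abc\r\n"`. That also documents that a no-break space is deleted rather than turned into a space, which is easy to miss when reading the table.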