
feat(VulnerableCode): Fixup wrongly escaped URLs
Apparently, VulnerableCode sometimes returns URLs that use backslash
escaping instead of percent escaping, see [1]. Work around that issue
until it is fixed upstream.

Resolves #7364.

[1]: aboutcode-org/vulnerablecode#1173

Signed-off-by: Sebastian Schuberth <sschuberth@gmail.com>
sschuberth committed Oct 29, 2023
1 parent 3f835b3 commit 55c0c64
Showing 2 changed files with 20 additions and 1 deletion.
10 changes: 9 additions & 1 deletion advisor/src/main/kotlin/advisors/VulnerableCode.kt
Expand Up @@ -41,6 +41,7 @@ import org.ossreviewtoolkit.model.utils.toPurl
import org.ossreviewtoolkit.utils.common.Options
import org.ossreviewtoolkit.utils.common.collectMessages
import org.ossreviewtoolkit.utils.common.enumSetOf
import org.ossreviewtoolkit.utils.common.percentEncode
import org.ossreviewtoolkit.utils.ort.OkHttpClientHelper

/**
Expand Down Expand Up @@ -140,7 +141,7 @@ class VulnerableCode(name: String, config: VulnerableCodeConfiguration) : Advice
issues: MutableList<Issue>
): List<VulnerabilityReference> =
runCatching {
val sourceUri = URI(url)
val sourceUri = URI(url.fixupUrlEscaping())
if (scores.isEmpty()) return listOf(VulnerabilityReference(sourceUri, null, null))
return scores.map {
// VulnerableCode returns MODERATE instead of MEDIUM in case of cvssv3.1_qr, see:
Expand All @@ -167,3 +168,10 @@ class VulnerableCode(name: String, config: VulnerableCodeConfiguration) : Advice
return aliases.firstOrNull { it.startsWith("cve", ignoreCase = true) } ?: aliases.first()
}
}

private val BACKSLASH_ESCAPE_REGEX = Regex("\\\\\\\\(.)")

internal fun String.fixupUrlEscaping(): String =
replace(BACKSLASH_ESCAPE_REGEX) {
it.groupValues[1].percentEncode()
}
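Review bot: `BACKSLASH_ESCAPE_REGEX` and `fixupUrlEscaping()` carry no comment saying what a "wrongly escaped" URL looks like or when the workaround can be dropped, so a later reader has to decode `"\\\\\\\\(.)"` by hand. A raw string, `Regex("""\\\\(.)""")`, makes it visible that the pattern matches two literal backslashes followed by a single character, which is the shape the test exercises. A KDoc on the function such as `/** Works around VulnerableCode returning backslash-escaped instead of percent-encoded URLs (aboutcode-org/vulnerablecode#1173); remove once fixed upstream. */` would tie the code to the issue named in the commit message. Since the pattern rewrites any `\\` pair anywhere in the URL, keeping it `internal` to this advisor rather than a shared utility seems the right scope.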
11 changes: 11 additions & 0 deletions advisor/src/test/kotlin/advisors/VulnerableCodeTest.kt
Expand Up @@ -276,6 +276,17 @@ class VulnerableCodeTest : WordSpec({
)
}
}

"fixupUrlEscaping()" should {
"fixup a wrongly escaped ampersand" {
"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true" +
"&query=cpe:2.3:a:oracle:retail_category_management_planning_" +
"\\\\&_optimization:16.0.3:*:*:*:*:*:*:*".fixupUrlEscaping() shouldBe
"https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true" +
"&query=cpe:2.3:a:oracle:retail_category_management_planning_" +
"%26_optimization:16.0.3:*:*:*:*:*:*:*"
}
}
})

private const val ADVISOR_NAME = "VulnerableCodeTestAdvisor"
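Review bot: The assertion's left-hand side applies `fixupUrlEscaping()` only to the third string literal, because the postfix call binds tighter than `+`; the first two fragments are concatenated afterwards and never pass through the function, so the test does not show that the rest of the URL survives unchanged. Wrapping the concatenation in parentheses, `("https://nvd.nist.gov/vuln/search/results?adv_search=true&isCpeNameSearch=true" + "&query=cpe:2.3:a:oracle:retail_category_management_planning_" + "\\\\&_optimization:16.0.3:*:*:*:*:*:*:*").fixupUrlEscaping() shouldBe`, exercises the whole URL. A second case asserting that a URL containing no backslashes is returned unmodified would also guard against the regex over-matching. The enclosing `WordSpec` block starts outside the hunk.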
