Skip to content

ngclient: consistently encode URLs #1634

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
jku opened this issue Oct 25, 2021 · 3 comments
Closed

ngclient: consistently encode URLs #1634

jku opened this issue Oct 25, 2021 · 3 comments
Assignees
@kairoaraujo
Labels
1.0.0 blockers To be addressed before 1.0.0 release backlog Issues to address with priority for current development goals ngclient
Milestone
Sprint 15

Comments

@jku
Copy link
Member

jku commented Oct 25, 2021
edited
Loading

Currently we do not explicitly URL-encode rolenames (or target paths) when we use them in URLs. Let's review this code and make a conscious decisions about this.

My original thinking on this was that it's a specification issue: we can't just start encoding e.g. rolenames if the spec does not say we should... but thinking on it further I've started to believe that

  • spec should specify how URLS are formed and what must be URL encoded and when
  • but we can be more explicit in ngclient before that: it should not break anything that currently works

The latter point is true because requests (the http library) already encodes everything that would be illegal in a URL behind our backs: so emojis, non-ascii characters, most symbols are already being encoded, just not explicitly by us. Only some specific symbols that may be valid in URLs are maybe not encoded (examples: /, #, ?, &).

My current thinking is:

  1. we should not require rolenames to be encoded: they are just strings
  2. we should encode rolenames before using them in URLs. This should not break any reasonable rolename and is going to be safer

I am not as sure about target paths: they are URL-paths and we could just require them to be URL-encoded already (and maybe even validate that they are encoded?). At the very least we can't encode "/" in target paths because it's valid in a path: this leads me to think we should just require the target path to be correctly encoded already? An additional wrinkle for target paths is that the spec requires us to actually modify the path in quite tricky ways for consistent targets...
@jku jku added the ngclient label Oct 25, 2021
@sechkova sechkova added the backlog Issues to address with priority for current development goals label Oct 27, 2021
@sechkova sechkova added this to the Sprint 14 milestone Dec 8, 2021
@jku jku mentioned this issue Dec 8, 2021
Closed
@kairoaraujo
Copy link
Contributor

I want to work on this issue.

kairoaraujo pushed a commit to kairoaraujo/python-tuf that referenced this issue Jan 6, 2022
explicit encode role names
02d7415 
This commit explicitly encodes role names.
Also, a slight change in the RepositorySimulator will align
with the tests.

This commit partially covers issue theupdateframework#1634

Signed-off-by: Kairo de Araujo <[email protected]>
@kairoaraujo kairoaraujo mentioned this issue Jan 6, 2022
Merged
3 tasks
@jku jku added the 1.0.0 blockers To be addressed before 1.0.0 release label Jan 12, 2022
@jku jku modified the milestones: Sprint 14, Sprint 15 Jan 12, 2022
kairoaraujo pushed a commit to kairoaraujo/python-tuf that referenced this issue Jan 13, 2022
explicit encode role names
6cb8328 
This commit explicitly encodes role names. Mostly this encoding is already
happening in ``requests`` for what is not a URL.
The "/" in a role name will now be encoded.

Also, a slight change in the RepositorySimulator will align with the tests.

This commit partially covers issue theupdateframework#1634

Signed-off-by: Kairo de Araujo <[email protected]>
kairoaraujo pushed a commit to kairoaraujo/python-tuf that referenced this issue Jan 13, 2022
explicit encode role names
6016a8d 
This commit explicitly encodes role names. Mostly this encoding is already
happening in ``requests`` for what is not a URL.
The "/" in a role name will now be encoded.

Also, a slight change in the RepositorySimulator will align with the tests.

This commit partially covers issue theupdateframework#1634

Signed-off-by: Kairo de Araujo <[email protected]>
kairoaraujo pushed a commit to kairoaraujo/python-tuf that referenced this issue Jan 17, 2022
explicit encode role names
9c33cd3 
This commit explicitly encodes role names. Mostly this encoding is already
happening in ``requests`` for what is not a URL.
The "/" in a role name will now be encoded.

Also, a slight change in the RepositorySimulator will align with the tests.

This commit partially covers issue theupdateframework#1634

Signed-off-by: Kairo de Araujo <[email protected]>
kairoaraujo pushed a commit to kairoaraujo/python-tuf that referenced this issue Jan 17, 2022
explicit encode role names
aa6d28f 
This commit explicitly encodes role names. Mostly this encoding is already
happening in ``requests`` for what is not a URL.
The "/" in a role name will now be encoded.

Also, a slight change in the RepositorySimulator will align with the tests.

This commit partially covers issue theupdateframework#1634

Signed-off-by: Kairo de Araujo <[email protected]>
MVrachev pushed a commit to MVrachev/tuf that referenced this issue Jan 17, 2022
@MVrachev
explicit encode role names
6ac96e7 
This commit explicitly encodes role names. Mostly this encoding is already
happening in ``requests`` for what is not a URL.
The "/" in a role name will now be encoded.

Also, a slight change in the RepositorySimulator will align with the tests.

This commit partially covers issue theupdateframework#1634

Signed-off-by: Kairo de Araujo <[email protected]>
MVrachev pushed a commit to MVrachev/tuf that referenced this issue Jan 18, 2022
@MVrachev
explicit encode role names
310e550 
This commit explicitly encodes role names. Mostly this encoding is already
happening in ``requests`` for what is not a URL.
The "/" in a role name will now be encoded.

Also, a slight change in the RepositorySimulator will align with the tests.

This commit partially covers issue theupdateframework#1634

Signed-off-by: Kairo de Araujo <[email protected]>
@kairoaraujo
Copy link
Contributor

Should we close this one? 🤔 or at least remove the 1.0.0 blocker tag?

@jku
Copy link
Member Author

jku commented Jan 25, 2022

I think it's done:

  • rolenames in URLs are now handled explicitly (practical results are 99.9% same as before but now the encoding is visible and testable)
  • target urls do use hashes and targetpath (that both come from remote) but there isn't really anything we can do -- I suppose we could test that they are valid url parts or look for constructs like "../" in them... but I don't see major benefits from doing so.

Closing.

@jku jku closed this as completed Jan 25, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@kairoaraujo kairoaraujo

Labels
1.0.0 blockers To be addressed before 1.0.0 release backlog Issues to address with priority for current development goals ngclient
Projects
None yet
Milestone
Sprint 15
Development

No branches or pull requests
3 participants
@jku @kairoaraujo @sechkova