Don't require encoding for namespaced packages about ossgadget HOT 5 CLOSED

@scovetta @gfs You might want to be careful before doing this. As I mentioned on #418, the Package URL spec expects @ to be percent-encoded in package names in order to avoid parsing ambiguity, since @ indicates that characters to the right should be interpreted as a version string. The implications of accepting package URLs that deviate from the spec might be difficult to predict.

Maybe instead we could improve the error messaging? E.g. if a given Package URL fails to parse, we could check for cases like this (e.g. the package URL looks like an npm package, with @ in the namespace position) and print a more helpful error message explaining that namespace and `name components of package URLs need to be percent-encoded?

from ossgadget.

I think the reporting user makes a fair point that even if that is what the spec says it's not very intuitive.

Particularly for handling perhaps manually typed input on a command line if we can reasonably detect this case where the @ for the namespace needs to be encoded why don't we just automatically do it on the users behalf?

from ossgadget.

Actually, I think we deviate from the spec too a bit - in at least some cases, we require the slash separator between namespace and name to be encoded. This means we get namespace=[blank] and name=foo%2fbar. I don't recall why this was needed.

// FAILS
oss-download pkg:npm/%40microsoft/fast-web-utilities

// SUCCESS
oss-download pkg:npm/%40microsoft%2ffast-web-utilities

According to the spec, that / separator between namespace and name must not be encoded.

from ossgadget.

Particularly for handling perhaps manually typed input on a command line if we can reasonably detect this case where the @ for the namespace needs to be encoded why don't we just automatically do it on the users behalf?

@gfs That's not an unreasonable point. I can't think of any way that might go wrong - but that said, the types of subtle bugs that can result from tolerating deviations from specs tend to be hard to predict.

If you go forward with that approach, would you mind keeping that tolerant parsing behavior at the CLI layer? For Terrapin (which consumes the Shared and oss-find-squats-lib libraries), strict compliance with spec is part of how we make sure subtle bugs in our system get surfaced while handling millions of distinct package versions. (I think those libraries primarly work with already-parsed Package URL objects so this point might be a non-issue - but I thought I would mention it just in case any part(s) of those libraries accepts package URLs as strings).

from ossgadget.

from ossgadget.