package-url / packageurl-js

JavaScript implementation of the package url spec
https://www.npmjs.com/package/packageurl-js
MIT License

purl containing a query parameter repository_url with own (encoded) query parameters not handled correctly? #43

Closed Festus1248 closed 3 months ago

Festus1248 commented 1 year ago

Hi there,

...maybe this is just a misunderstanding from my side, but when I create a purl object for a purl like this `pkg:oci/azure-cli@sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b?repository_url=index.docker.io%2Fbitnami%2Fazure-cli&arch=amd64` it seems that the (encoded) query parameter from the query parameter repository_url is handled as a separate query parameter of the purl and not of the repository_url. The result is:

```
PackageURL {
  type: 'oci',
  name: 'azure-cli',
  namespace: null,
  version: 'sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b',
  qualifiers: {
    repository_url: 'index.docker.io/bitnami/azure-cli',
    arch: 'amd64'
  },
  subpath: null
}
```

My expectation would have been:

```
PackageURL {
  type: 'oci',
  name: 'azure-cli',
  namespace: null,
  version: 'sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b',
  qualifiers: {
    repository_url: 'index.docker.io/bitnami/azure-cli&arch=amd64'
  },
  subpath: null
}
```

Is my expectation wrong or is this a bug?

Festus1248 commented 1 year ago

Hi there,

...small correction from my side: the example I provided above is, in reference to the purl specification, not a correct purl, since the value of the qualifier repository_url is not percent-encoded.

But if you try with a correct purl like `pkg:oci/azure-cli@sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b?repository_url=index.docker.io%2Fbitnam%2Fazure-cli%26arch%3Damd64` and you transform this into a PackageURL object and back to a string (with toString()), then the result differs from the input. See the following test, which fails:

```js
import { PackageURL } from 'packageurl-js';

// Spec-conformant purl: '/', '&' and '=' inside the repository_url qualifier are percent-encoded.
const purl = 'pkg:oci/azure-cli@sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b?repository_url=index.docker.io%2Fbitnam%2Fazure-cli%26arch%3Damd64';

// Round trip: parsing and re-serializing should give back the identical string.
expect(PackageURL.fromString(purl).toString()).toBe(purl);
```

After the toString() method, the qualifier value contains '/', which is not percent-encoded.

Sorry for the confusion!

jdalton commented 6 months ago

Related to https://github.com/package-url/purl-spec/issues/39

jdalton commented 3 months ago

This is handled in https://github.com/package-url/packageurl-js/pull/73 by using URLSearchParams to encode and then turning + into %20 for better portability. I sided with the Rust implementation.

Also leveraging standard URLSearchParams. Deferring to standard encoders like URLSearchParams and encodeURIComponent for base encoding and then applying tweaks allows for fewer chances of mistakes (I trust standard implementations over myself).
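As an added example (not packageurl-js code, and not the code in #73), this is the approach the comment describes: let URLSearchParams do the base encoding, then rewrite `+` as `%20`, and run it round-trip over the purl from this issue. The function names are my own.

```javascript
// Added example, not packageurl-js code: qualifier encoding as the fix describes,
// deferring to URLSearchParams and then mapping '+' to '%20'. Function names are mine.

// The purl from this issue; its repository_url value carries its own '&' and '='.
const ISSUE_PURL = 'pkg:oci/azure-cli@sha256:9df8ac260650dbae684ab7e47916d4def942582b491d1fe0593b22eb1cac235b'
  + '?repository_url=index.docker.io%2Fbitnam%2Fazure-cli%26arch%3Damd64';

// Serialize a qualifiers object into the purl query string.
function encodeQualifiers(qualifiers) {
  const params = new URLSearchParams();
  for (const [key, value] of Object.entries(qualifiers)) {
    if (value === undefined || value === null || value === '') continue; // empty values are omitted
    params.append(key.toLowerCase(), String(value)); // purl qualifier keys are lowercase
  }
  params.sort(); // purl requires qualifiers sorted by key
  // Form encoding already turns '/', '&', '=' and a literal '+' into %XX escapes,
  // but it spells a space as '+'; purl wants %20, so any '+' left here is a space.
  return params.toString().replace(/\+/g, '%20');
}

// Parse the query part of a purl back into a qualifiers object. URLSearchParams splits
// only on unencoded '&' and '=', so an encoded '%26' stays inside its value.
function decodeQualifiers(query) {
  const qualifiers = {};
  for (const [key, value] of new URLSearchParams(query)) qualifiers[key] = value;
  return qualifiers;
}

// Parse and re-serialize the qualifiers of a purl, keeping everything else untouched.
function roundTrip(purl) {
  const hashIdx = purl.indexOf('#');
  const head = hashIdx === -1 ? purl : purl.slice(0, hashIdx);
  const subpath = hashIdx === -1 ? '' : purl.slice(hashIdx);
  const qIdx = head.indexOf('?');
  if (qIdx === -1) return purl; // no qualifiers, nothing to re-encode
  const query = encodeQualifiers(decodeQualifiers(head.slice(qIdx + 1)));
  return head.slice(0, qIdx) + (query ? '?' + query : '') + subpath;
}

console.log(decodeQualifiers(ISSUE_PURL.split('?')[1]));
// { repository_url: 'index.docker.io/bitnam/azure-cli&arch=amd64' } -- one qualifier, not two
console.log(roundTrip(ISSUE_PURL) === ISSUE_PURL); // true
```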

jdalton commented 3 months ago

Closed by #73