Restrict characters in URLs of packages and platforms - Githubissues

roc-lang / roc

A fast, friendly, functional language.

https://roc-lang.org

Universal Permissive License v1.0

4.46k stars 313 forks source link

Restrict characters in URLs of packages and platforms #6962

Open Anton-4 opened 3 months ago

Anton-4 commented 3 months ago

The characters in URLs of dependencies (like below) should be restricted according to security best practices.

app [main] {
    cli: platform "https://github.com/roc-lang/basic-cli/releases/download/0.12.0/Lb8EgiejTUzbggO2HVVuPJFkwvvsfW6LojkLR20kTVE.tar.br",
    json: "https://github.com/lukewilliamboswell/roc-json/releases/download/0.8.0/BlWJJh_ouV7c_IwvecYpgpR3jOCzVO-oyk-7ISdl2S4.tar.br",
}

[ ] Research all characters that we should not allow in these dependency strings. Cargo (from Rust) also allows URLs in their Cargo.toml to specify dependencies, I recommend taking a look at their defensive approach. We should also not allow any substrings that are confusingly similar to roc-lang, github, lukewilliamboswell, ...
[ ] Make the parser produce an error when it sees any of these characters in a dependency string,

luigimagdamit commented 1 month ago

Hi there, I'd love to be able to take a look at this if no one's shown interest yet.