Closed adityasaky closed 8 months ago
After a discussion with @rdimitrov, @trishankatdatadog, and @mnm678, this is not an issue but likely deserving of some further clarification in the docs and in the TUF spec. See: https://theupdateframework.github.io/specification/latest/index.html#file-formats-targets for a description of how patterns work.
I'm going to submit some updated text to the specification, but this issue can be closed. :)
IOW, the current behaviour is intended to be a feature not a bug in TUF 🙂
The implementation for this helper is here: https://github.com/theupdateframework/go-tuf/blob/9d57731720841af71c5f70d590e531136e0b025d/metadata/metadata.go#L535-L554
If I'm reading this right, this helper is responsible for identifying if a delegation pattern matches a target path. However, it incorrectly says a pattern like
foo/*
does not matchfoo/bar/foobar.txt
. The same pattern does correctly matchfoo/foobar.txt
. This is because both the pattern and the target path are split into their components using the separator, and if they don't have the same number of components, the helper returns false.See: https://go.dev/play/p/6Mswjm_fM-4