Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.
And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.
Metadata API: Delegation role names validation
See original GitHub issueDescription of issue or feature request:
Delegation role names are not restricted in any way in the spec, but they are targets metadata role names.
They could be ".", "../../filename" or 1.role.
The problem is that at some point those delegation role names are used when constructing an URL used
to download the delegated target metadata file:
https://github.com/theupdateframework/tuf/blob/e9106b59cdb5bbfb4260c5ffc3144e79f8f9596a/tuf/ngclient/updater.py#L287 which is likely to be a problem.
Current behavior: No validation is used for Delegation role names.
Expected behavior:
Escape special symbols like . or \.
Issue Analytics
- State:
- Created 2 years ago
- Comments:15 (11 by maintainers)
Top Results From Across the Web
Top Related Medium Post
Top Related StackOverflow Question
Troubleshoot Live Code
Top Related Reddit Thread
Top Related Hackernoon Post
Top Related Tweet
Top Related Dev.to Post
Top Related Hashnode Post
And also, obviously, this becomes a https://github.com/theupdateframework/specification rather than implementation-specific issue
Maybe this should be part of the filesystem API? That way
.and/’ could be disallowed for unix-like filesystems, but could be allowed, with restrictions for sigstore delegations to git repo urls.Although, these role names are in signed metadata, so it might be reasonable to just trust the delegator to know what a reasonable role name is for a particular situation.