Module: Gitlab::Regex::Packages

Includes:
Utils::StrongMemoize
Included in:
Gitlab::Regex
Defined in:
lib/gitlab/regex/packages.rb,
lib/gitlab/regex/packages/protection/rules.rb

Defined Under Namespace

Modules: Protection

Constant Summary collapse

CONAN_RECIPE_FILES =
%w[conanfile.py conanmanifest.txt conan_sources.tgz conan_export.tgz].freeze
CONAN_PACKAGE_FILES =
%w[conaninfo.txt conanmanifest.txt conan_package.tgz].freeze
PYPI_NORMALIZED_NAME_REGEX_STRING =
'[-_.]+'
MAVEN_SNAPSHOT_DYNAMIC_PARTS =
/\A.{0,1000}(-\d{8}\.\d{6}-\d+).{0,1000}\z/
API_PATH_REGEX =
%r{^/api/v\d+/(projects/[^/]+/|groups?/[^/]+/-/)?packages/[A-Za-z]+}

Instance Method Summary collapse

Instance Method Details

#_semver_major_minor_patch_regexObject

These partial semver regexes are intended for use in composing other regexes rather than being used alone.



194
195
196
197
198
# File 'lib/gitlab/regex/packages.rb', line 194

def _semver_major_minor_patch_regex
  @_semver_major_minor_patch_regex ||= /
    #{_semver_major_regex}\.#{_semver_minor_regex}\.#{_semver_patch_regex}
  /x
end

#_semver_major_regexObject



200
201
202
203
204
# File 'lib/gitlab/regex/packages.rb', line 200

def _semver_major_regex
  @_semver_major_regex ||= /
    (?<major>0|[1-9]\d*)
  /x
end

#_semver_minor_regexObject



206
207
208
209
210
# File 'lib/gitlab/regex/packages.rb', line 206

def _semver_minor_regex
  @_semver_minor_regex ||= /
    (?<minor>0|[1-9]\d*)
  /x
end

#_semver_patch_regexObject



212
213
214
215
216
# File 'lib/gitlab/regex/packages.rb', line 212

def _semver_patch_regex
  @_semver_patch_regex ||= /
    (?<patch>0|[1-9]\d*)
  /x
end

#_semver_prerelease_build_regexObject



218
219
220
221
222
223
# File 'lib/gitlab/regex/packages.rb', line 218

def _semver_prerelease_build_regex
  @_semver_prerelease_build_regex ||= /
    (?:-(?<prerelease>(?:\d*[a-zA-Z-][0-9a-zA-Z-]*|[1-9]\d*|0)(?:\.(?:\d*[a-zA-Z-][0-9a-zA-Z-]*|[1-9]\d*|0))*))?
    (?:\+(?<build>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?
  /x
end

#composer_dev_version_regexObject



40
41
42
# File 'lib/gitlab/regex/packages.rb', line 40

def composer_dev_version_regex
  @composer_dev_version_regex ||= %r{(^dev-)|(-dev$)}
end

#composer_package_version_regexObject



35
36
37
38
# File 'lib/gitlab/regex/packages.rb', line 35

def composer_package_version_regex
  # see https://github.com/composer/semver/blob/31f3ea725711245195f62e54ffa402d8ef2fdba9/src/VersionParser.php#L215
  @composer_package_version_regex ||= %r{\Av?((\d++)(\.(?:\d++|[xX*]))?(\.(?:\d++|[xX*]))?(\.(?:\d++|[xX*]))?)?\z}
end

#conan_package_reference_regexObject



18
19
20
# File 'lib/gitlab/regex/packages.rb', line 18

def conan_package_reference_regex
  @conan_package_reference_regex ||= %r{\A[A-Za-z0-9]+\z}
end

#conan_recipe_component_regexObject



30
31
32
33
# File 'lib/gitlab/regex/packages.rb', line 30

def conan_recipe_component_regex
  # https://docs.conan.io/en/latest/reference/conanfile/attributes.html#name
  @conan_recipe_component_regex ||= %r{\A#{conan_name_regex}\z}
end

#conan_recipe_user_channel_regexObject



26
27
28
# File 'lib/gitlab/regex/packages.rb', line 26

def conan_recipe_user_channel_regex
  %r{\A(_|#{conan_name_regex})\z}
end

#conan_revision_regexObject



22
23
24
# File 'lib/gitlab/regex/packages.rb', line 22

def conan_revision_regex
  @conan_revision_regex ||= %r{\A0\z}
end

#debian_architecture_regexObject



142
143
144
145
146
# File 'lib/gitlab/regex/packages.rb', line 142

def debian_architecture_regex
  # See official parser: https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/lib/dpkg/arch.c?id=9e0c88ec09475f4d1addde9cdba1ad7849720356#n43
  # But we limit to lower case
  @debian_architecture_regex ||= %r{\A#{::Packages::Debian::ARCHITECTURE_REGEX}\z}o
end

#debian_component_regexObject



152
153
154
# File 'lib/gitlab/regex/packages.rb', line 152

def debian_component_regex
  @debian_component_regex ||= %r{\A#{::Packages::Debian::COMPONENT_REGEX}\z}o
end

#debian_direct_upload_filename_regexObject



156
157
158
# File 'lib/gitlab/regex/packages.rb', line 156

def debian_direct_upload_filename_regex
  @debian_direct_upload_filename_regex ||= %r{\A.*\.(deb|udeb|ddeb)\z}o
end

#debian_distribution_regexObject



148
149
150
# File 'lib/gitlab/regex/packages.rb', line 148

def debian_distribution_regex
  @debian_distribution_regex ||= %r{\A#{::Packages::Debian::DISTRIBUTION_REGEX}\z}io
end

#debian_package_name_regexObject



122
123
124
125
126
127
128
129
# File 'lib/gitlab/regex/packages.rb', line 122

def debian_package_name_regex
  # See official parser
  # https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/lib/dpkg/parsehelp.c?id=9e0c88ec09475f4d1addde9cdba1ad7849720356#n122
  # @debian_package_name_regex ||= %r{\A[a-z0-9][-+\._a-z0-9]*\z}i.freeze
  # But we prefer a more strict version from Lintian
  # https://salsa.debian.org/lintian/lintian/-/blob/5080c0068ffc4a9ddee92022a91d0c2ff53e56d1/lib/Lintian/Util.pm#L116
  @debian_package_name_regex ||= %r{\A[a-z0-9][-+\.a-z0-9]+\z}
end

#debian_version_regexObject



131
132
133
134
135
136
137
138
139
140
# File 'lib/gitlab/regex/packages.rb', line 131

def debian_version_regex
  # See official parser: https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/lib/dpkg/parsehelp.c?id=9e0c88ec09475f4d1addde9cdba1ad7849720356#n205
  @debian_version_regex ||= %r{
    \A(?:
      (?:([0-9]{1,9}):)?            (?# epoch)
      ([0-9][0-9a-z\.+~]*)          (?# version)
      (-[0-9a-z\.+~]+){0,14}        (?# -revision)
      (?<!-)
      )\z}xi
end

#generic_package_file_name_regexObject



261
262
263
# File 'lib/gitlab/regex/packages.rb', line 261

def generic_package_file_name_regex
  generic_package_name_regex
end

#generic_package_name_regexObject



257
258
259
# File 'lib/gitlab/regex/packages.rb', line 257

def generic_package_name_regex
  maven_file_name_regex
end

#generic_package_version_regexObject



253
254
255
# File 'lib/gitlab/regex/packages.rb', line 253

def generic_package_version_regex
  maven_version_regex
end

#go_package_regexObject



230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
# File 'lib/gitlab/regex/packages.rb', line 230

def go_package_regex
  # A Go package name looks like a URL but is not; it:
  #   - Must not have a scheme, such as http:// or https://
  #   - Must not have a port number, such as :8080 or :8443

  @go_package_regex ||= %r{
    (?<=^|\s|\() (?# beginning of line, whitespace character, or opening parenthesis)
    (?<domain>
      [0-9a-z](?:(?:-|[0-9a-z]){0,61}[0-9a-z]) (?# first domain)
      (?:\.[0-9a-z](?:(?:-|[0-9a-z]){0,61}[0-9a-z])?){0,49} (?# inner domains)
      \.[a-z]{2,63}(?=/|\s|$|\)) (?# top-level domain, ends with /, whitespace, or end of line)
    )
    (?<path>
      /(?:
        [-/$_.+!*'(),0-9a-z] (?# plain URL character)
        |
        %[0-9a-f]{2} (?# URL encoded character)
      ){0,1000}
    )? (?# optional path)
    (?=$|\s|\)) (?# followed by end of line, whitespace, or closing parenthesis)
  }ix
end

#helm_channel_regexObject



160
161
162
# File 'lib/gitlab/regex/packages.rb', line 160

def helm_channel_regex
  @helm_channel_regex ||= %r{\A([a-zA-Z0-9](\.|-|_)?){1,255}(?<!\.|-|_)\z}
end

#helm_package_regexObject



164
165
166
# File 'lib/gitlab/regex/packages.rb', line 164

def helm_package_regex
  @helm_package_regex ||= %r{#{helm_channel_regex}}
end

#helm_version_regexObject



168
169
170
171
# File 'lib/gitlab/regex/packages.rb', line 168

def helm_version_regex
  # identical to semver_regex, with optional preceding 'v'
  @helm_version_regex ||= Regexp.new("\\Av?#{::Gitlab::Regex.unbounded_semver_regex.source}\\z", ::Gitlab::Regex.unbounded_semver_regex.options)
end

#maven_app_group_regexObject



75
76
77
# File 'lib/gitlab/regex/packages.rb', line 75

def maven_app_group_regex
  maven_app_name_regex
end

#maven_app_name_regexObject



67
68
69
# File 'lib/gitlab/regex/packages.rb', line 67

def maven_app_name_regex
  @maven_app_name_regex ||= /\A[\w\-\.]+\z/
end

#maven_file_name_regexObject



59
60
61
# File 'lib/gitlab/regex/packages.rb', line 59

def maven_file_name_regex
  @maven_file_name_regex ||= %r{\A[A-Za-z0-9\.\_\-\+]+\z}
end

#maven_path_regexObject



63
64
65
# File 'lib/gitlab/regex/packages.rb', line 63

def maven_path_regex
  @maven_path_regex ||= %r{\A\@?(([\w\-\.]*)/)*([\w\-\.\+]*)\z}
end

#maven_version_regexObject



71
72
73
# File 'lib/gitlab/regex/packages.rb', line 71

def maven_version_regex
  @maven_version_regex ||= /\A(?!.*\.\.)[\w+.-]+\z/
end

#npm_package_name_regex(other_accepted_chars = nil) ⇒ Object



79
80
81
82
83
# File 'lib/gitlab/regex/packages.rb', line 79

def npm_package_name_regex(other_accepted_chars = nil)
  strong_memoize_with(:npm_package_name_regex, other_accepted_chars) do
    %r{\A(?:@(#{Gitlab::PathRegex::NAMESPACE_FORMAT_REGEX})/)?[-+\.\_a-zA-Z0-9#{other_accepted_chars}]+\z}
  end
end

#npm_package_name_regex_messageObject



85
86
87
# File 'lib/gitlab/regex/packages.rb', line 85

def npm_package_name_regex_message
  'should be a valid NPM package name: https://github.com/npm/validate-npm-package-name#naming-rules.'
end

#nuget_package_name_regexObject



89
90
91
# File 'lib/gitlab/regex/packages.rb', line 89

def nuget_package_name_regex
  @nuget_package_name_regex ||= %r{\A[-+\.\_a-zA-Z0-9]+\z}
end

#nuget_version_regexObject



93
94
95
96
97
98
99
100
101
# File 'lib/gitlab/regex/packages.rb', line 93

def nuget_version_regex
  @nuget_version_regex ||= /
    \A#{_semver_major_regex}
    \.#{_semver_minor_regex}
    (\.#{_semver_patch_regex})?
    (\.\d*)?
    #{_semver_prerelease_build_regex}\z
  /x
end

#package_name_regexObject



44
45
46
47
48
49
50
51
52
53
54
55
56
57
# File 'lib/gitlab/regex/packages.rb', line 44

def package_name_regex
  @package_name_regex ||=
    %r{
        \A\@?
        (?> # atomic group to prevent backtracking
          (([\w\-\.\+]*)\/)*([\w\-\.]+)
        )
        @?
        (?> # atomic group to prevent backtracking
          (([\w\-\.\+]*)\/)*([\w\-\.]*)
        )
        \z
      }x
end

#prefixed_semver_regexObject



225
226
227
228
# File 'lib/gitlab/regex/packages.rb', line 225

def prefixed_semver_regex
  # identical to semver_regex, except starting with 'v'
  @prefixed_semver_regex ||= Regexp.new("\\Av#{::Gitlab::Regex.unbounded_semver_regex.source}\\z", ::Gitlab::Regex.unbounded_semver_regex.options)
end

#pypi_version_regexObject



107
108
109
110
111
112
113
114
115
116
117
118
119
120
# File 'lib/gitlab/regex/packages.rb', line 107

def pypi_version_regex
  # See the official regex: https://github.com/pypa/packaging/blob/16.7/packaging/version.py#L159

  @pypi_version_regex ||= %r{
    \A(?:
      v?
      (?:([0-9]+)!)?                                                 (?# epoch)
      ([0-9]+(?:\.[0-9]+)*)                                          (?# release segment)
      ([-_\.]?((a|b|c|rc|alpha|beta|pre|preview))[-_\.]?([0-9]+)?)?  (?# pre-release)
      ((?:-([0-9]+))|(?:[-_\.]?(post|rev|r)[-_\.]?([0-9]+)?))?       (?# post release)
      ([-_\.]?(dev)[-_\.]?([0-9]+)?)?                                (?# dev release)
      (?:\+([a-z0-9]+(?:[-_\.][a-z0-9]+)*))?                         (?# local version)
      )\z}xi
end

#semver_regexObject



184
185
186
# File 'lib/gitlab/regex/packages.rb', line 184

def semver_regex
  @semver_regex ||= Regexp.new("\\A#{::Gitlab::Regex.unbounded_semver_regex.source}\\z", ::Gitlab::Regex.unbounded_semver_regex.options).freeze
end

#semver_regex_messageObject



188
189
190
# File 'lib/gitlab/regex/packages.rb', line 188

def semver_regex_message
  'should follow SemVer: https://semver.org'
end

#sha256_regexObject



265
266
267
# File 'lib/gitlab/regex/packages.rb', line 265

def sha256_regex
  @sha256_regex ||= /\A[0-9a-f]{64}\z/i
end


269
270
271
# File 'lib/gitlab/regex/packages.rb', line 269

def slack_link_regex
  @slack_link_regex ||= Gitlab::UntrustedRegexp.new('<([^|<>]*[|][^|<>]*)>')
end

#terraform_module_package_name_regexObject



103
104
105
# File 'lib/gitlab/regex/packages.rb', line 103

def terraform_module_package_name_regex
  @terraform_module_package_name_regex ||= %r{\A[-a-z0-9]+\/[-a-z0-9]+\z}
end

#unbounded_semver_regexObject



173
174
175
176
177
178
179
180
181
182
# File 'lib/gitlab/regex/packages.rb', line 173

def unbounded_semver_regex
  # See the official regex: https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string

  # The order of the alternatives in <prerelease> are intentionally
  # reordered to be greedy. Without this change, the unbounded regex would
  # only partially match "v0.0.0-20201230123456-abcdefabcdef".
  @unbounded_semver_regex ||= /
    #{_semver_major_minor_patch_regex}#{_semver_prerelease_build_regex}
  /x
end