Module: Gitlab::Regex::Packages

Includes:
Utils::StrongMemoize
Included in:
Gitlab::Regex
Defined in:
lib/gitlab/regex/packages.rb,
lib/gitlab/regex/packages/protection/rules.rb

Defined Under Namespace

Modules: Protection

Constant Summary collapse

CONAN_RECIPE_FILES = 
%w[conanfile.py conanmanifest.txt conan_sources.tgz conan_export.tgz].freeze
CONAN_PACKAGE_FILES = 
%w[conaninfo.txt conanmanifest.txt conan_package.tgz].freeze
PYPI_NORMALIZED_NAME_REGEX_STRING = 
'[-_.]+'
MAVEN_SNAPSHOT_DYNAMIC_PARTS =

see github.com/apache/maven/blob/c1dfb947b509e195c75d4275a113598cf3063c3e/maven-artifact/src/main/java/org/apache/maven/artifact/Artifact.java#L46

/\A.{0,1000}(-\d{8}\.\d{6}-\d+).{0,1000}\z/
API_PATH_REGEX = 
%r{^/api/v\d+/(projects/[^/]+/|groups?/[^/]+/-/)?packages/[A-Za-z]+}

Instance Method Summary collapse

Instance Method Details

#_semver_major_minor_patch_regexObject

These partial semver regexes are intended for use in composing other regexes rather than being used alone.



211
212
213
214
215
 
# File 'lib/gitlab/regex/packages.rb', line 211

def _semver_major_minor_patch_regex
  @_semver_major_minor_patch_regex ||= /
    #{_semver_major_regex}\.#{_semver_minor_regex}\.#{_semver_patch_regex}
  /x
end

#_semver_major_regexObject 



217
218
219
220
221
 
# File 'lib/gitlab/regex/packages.rb', line 217

def _semver_major_regex
  @_semver_major_regex ||= /
    (?<major>0|[1-9]\d*)
  /x
end

#_semver_minor_regexObject 



223
224
225
226
227
 
# File 'lib/gitlab/regex/packages.rb', line 223

def _semver_minor_regex
  @_semver_minor_regex ||= /
    (?<minor>0|[1-9]\d*)
  /x
end

#_semver_patch_regexObject 



229
230
231
232
233
 
# File 'lib/gitlab/regex/packages.rb', line 229

def _semver_patch_regex
  @_semver_patch_regex ||= /
    (?<patch>0|[1-9]\d*)
  /x
end

#_semver_prerelease_build_regexObject 



235
236
237
238
239
240
 
# File 'lib/gitlab/regex/packages.rb', line 235

def _semver_prerelease_build_regex
  @_semver_prerelease_build_regex ||= /
    (?:-(?<prerelease>(?:\d*[a-zA-Z-][0-9a-zA-Z-]*|[1-9]\d*|0)(?:\.(?:\d*[a-zA-Z-][0-9a-zA-Z-]*|[1-9]\d*|0))*))?
    (?:\+(?<build>[0-9a-zA-Z-]+(?:\.[0-9a-zA-Z-]+)*))?
  /x
end

#cargo_package_name_regexObject 



18
19
20
 
# File 'lib/gitlab/regex/packages.rb', line 18

def cargo_package_name_regex
  @cargo_package_name_regex ||= /\A[a-zA-Z][a-zA-Z0-9\-_]{0,63}\z/
end

#cargo_package_normalized_name_regexObject 



22
23
24
 
# File 'lib/gitlab/regex/packages.rb', line 22

def cargo_package_normalized_name_regex
  @cargo_package_normalized_name_regex ||= /\A[a-z0-9-]+\z/
end

#composer_dev_version_regexObject 



56
57
58
 
# File 'lib/gitlab/regex/packages.rb', line 56

def composer_dev_version_regex
  @composer_dev_version_regex ||= %r{(^dev-)|(-dev$)}
end

#composer_package_version_regexObject 



51
52
53
54
 
# File 'lib/gitlab/regex/packages.rb', line 51

def composer_package_version_regex
  # see https://github.com/composer/semver/blob/31f3ea725711245195f62e54ffa402d8ef2fdba9/src/VersionParser.php#L215
  @composer_package_version_regex ||= %r{\Av?((\d++)(\.(?:\d++|[xX*]))?(\.(?:\d++|[xX*]))?(\.(?:\d++|[xX*]))?)?\z}
end

#conan_package_reference_regexObject 



26
27
28
 
# File 'lib/gitlab/regex/packages.rb', line 26

def conan_package_reference_regex
  @conan_package_reference_regex ||= %r{\A[A-Za-z0-9]+\z}
end

#conan_recipe_component_regexObject 



46
47
48
49
 
# File 'lib/gitlab/regex/packages.rb', line 46

def conan_recipe_component_regex
  # https://docs.conan.io/en/latest/reference/conanfile/attributes.html#name
  @conan_recipe_component_regex ||= %r{\A#{conan_name_regex}\z}
end

#conan_recipe_user_channel_regexObject 



42
43
44
 
# File 'lib/gitlab/regex/packages.rb', line 42

def conan_recipe_user_channel_regex
  %r{\A(_|#{conan_name_regex})\z}
end

#conan_revision_regexObject 



30
31
32
 
# File 'lib/gitlab/regex/packages.rb', line 30

def conan_revision_regex
  @conan_revision_regex ||= %r{\A0\z}
end

#conan_revision_regex_v2Object 



34
35
36
37
38
39
40
 
# File 'lib/gitlab/regex/packages.rb', line 34

def conan_revision_regex_v2
  # The revision can be one of two types:
  # - "hash" (default): the checksum hash of the recipe manifest: MD5 Hash 32 Characters
  # - "scm" or "scm_folder": the commit ID for the repository system (Git or SVN): SHA-1 Hash 40 Characters
  # according to https://docs.conan.io/2.10/reference/conanfile/attributes.html#revision-mode
  @conan_revision_regex_v2 ||= %r/\A(?:\h{32}|\h{40})\z/
end

#debian_architecture_regexObject 



159
160
161
162
163
 
# File 'lib/gitlab/regex/packages.rb', line 159

def debian_architecture_regex
  # See official parser: https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/lib/dpkg/arch.c?id=9e0c88ec09475f4d1addde9cdba1ad7849720356#n43
  # But we limit to lower case
  @debian_architecture_regex ||= %r{\A#{::Packages::Debian::ARCHITECTURE_REGEX}\z}o
end

#debian_component_regexObject 



169
170
171
 
# File 'lib/gitlab/regex/packages.rb', line 169

def debian_component_regex
  @debian_component_regex ||= %r{\A#{::Packages::Debian::COMPONENT_REGEX}\z}o
end

#debian_direct_upload_filename_regexObject 



173
174
175
 
# File 'lib/gitlab/regex/packages.rb', line 173

def debian_direct_upload_filename_regex
  @debian_direct_upload_filename_regex ||= %r{\A.*\.(deb|udeb|ddeb)\z}o
end

#debian_distribution_regexObject 



165
166
167
 
# File 'lib/gitlab/regex/packages.rb', line 165

def debian_distribution_regex
  @debian_distribution_regex ||= %r{\A#{::Packages::Debian::DISTRIBUTION_REGEX}\z}io
end

#debian_package_name_regexObject 



139
140
141
142
143
144
145
146
 
# File 'lib/gitlab/regex/packages.rb', line 139

def debian_package_name_regex
  # See official parser
  # https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/lib/dpkg/parsehelp.c?id=9e0c88ec09475f4d1addde9cdba1ad7849720356#n122
  # @debian_package_name_regex ||= %r{\A[a-z0-9][-+\._a-z0-9]*\z}i.freeze
  # But we prefer a more strict version from Lintian
  # https://salsa.debian.org/lintian/lintian/-/blob/5080c0068ffc4a9ddee92022a91d0c2ff53e56d1/lib/Lintian/Util.pm#L116
  @debian_package_name_regex ||= %r{\A[a-z0-9][-+\.a-z0-9]+\z}
end

#debian_version_regexObject 



148
149
150
151
152
153
154
155
156
157
 
# File 'lib/gitlab/regex/packages.rb', line 148

def debian_version_regex
  # See official parser: https://git.dpkg.org/cgit/dpkg/dpkg.git/tree/lib/dpkg/parsehelp.c?id=9e0c88ec09475f4d1addde9cdba1ad7849720356#n205
  @debian_version_regex ||= %r{
    \A(?:
      (?:([0-9]{1,9}):)?            (?# epoch)
      ([0-9][0-9a-z\.+~]*)          (?# version)
      (-[0-9a-z\.+~]+){0,14}        (?# -revision)
      (?<!-)
      )\z}xi
end

#generic_package_file_name_regexObject 



278
279
280
 
# File 'lib/gitlab/regex/packages.rb', line 278

def generic_package_file_name_regex
  @generic_package_file_name_regex ||= /\A(?!~)(?!@)[A-Za-z0-9\.\_\-\+~@]+(?<!~)(?<!@)\z/
end

#generic_package_name_regexObject 



274
275
276
 
# File 'lib/gitlab/regex/packages.rb', line 274

def generic_package_name_regex
  maven_file_name_regex
end

#generic_package_version_regexObject 



270
271
272
 
# File 'lib/gitlab/regex/packages.rb', line 270

def generic_package_version_regex
  maven_version_regex
end

#go_package_regexObject 



247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
 
# File 'lib/gitlab/regex/packages.rb', line 247

def go_package_regex
  # A Go package name looks like a URL but is not; it:
  #   - Must not have a scheme, such as http:// or https://
  #   - Must not have a port number, such as :8080 or :8443

  @go_package_regex ||= %r{
    (?<=^|\s|\() (?# beginning of line, whitespace character, or opening parenthesis)
    (?<domain>
      [0-9a-z](?:(?:-|[0-9a-z]){0,61}[0-9a-z]) (?# first domain)
      (?:\.[0-9a-z](?:(?:-|[0-9a-z]){0,61}[0-9a-z])?){0,49} (?# inner domains)
      \.[a-z]{2,63}(?=/|\s|$|\)) (?# top-level domain, ends with /, whitespace, or end of line)
    )
    (?<path>
      /(?:
        [-/$_.+!*'(),0-9a-z] (?# plain URL character)
        |
        %[0-9a-f]{2} (?# URL encoded character)
      ){0,1000}
    )? (?# optional path)
    (?=$|\s|\)) (?# followed by end of line, whitespace, or closing parenthesis)
  }ix
end

#helm_channel_regexObject 



177
178
179
 
# File 'lib/gitlab/regex/packages.rb', line 177

def helm_channel_regex
  @helm_channel_regex ||= %r{\A([a-zA-Z0-9](\.|-|_)?){1,255}(?<!\.|-|_)\z}
end

#helm_index_app_version_quote_regexObject 



290
291
292
 
# File 'lib/gitlab/regex/packages.rb', line 290

def helm_index_app_version_quote_regex
  @helm_index_app_version_quote_regex ||= /^(\s*appVersion:\s+)(?!["'])([^\n\r]+)$/m
end

#helm_package_regexObject 



181
182
183
 
# File 'lib/gitlab/regex/packages.rb', line 181

def helm_package_regex
  @helm_package_regex ||= %r{#{helm_channel_regex}}
end

#helm_version_regexObject 



185
186
187
188
 
# File 'lib/gitlab/regex/packages.rb', line 185

def helm_version_regex
  # identical to semver_regex, with optional preceding 'v'
  @helm_version_regex ||= Regexp.new("\\Av?#{::Gitlab::Regex.unbounded_semver_regex.source}\\z", ::Gitlab::Regex.unbounded_semver_regex.options)
end

#maven_app_group_regexObject 



92
93
94
 
# File 'lib/gitlab/regex/packages.rb', line 92

def maven_app_group_regex
  maven_app_name_regex
end

#maven_app_name_regexObject 



84
85
86
 
# File 'lib/gitlab/regex/packages.rb', line 84

def maven_app_name_regex
  @maven_app_name_regex ||= /\A[\w\-\.]+\z/
end

#maven_file_name_regexObject 



76
77
78
 
# File 'lib/gitlab/regex/packages.rb', line 76

def maven_file_name_regex
  @maven_file_name_regex ||= %r{\A[A-Za-z0-9\.\_\-\+]+\z}
end

#maven_path_regexObject 



80
81
82
 
# File 'lib/gitlab/regex/packages.rb', line 80

def maven_path_regex
  @maven_path_regex ||= %r{\A\@?(([\w\-\.]*)/)*([\w\-\.\+]*)\z}
end

#maven_version_regexObject 



88
89
90
 
# File 'lib/gitlab/regex/packages.rb', line 88

def maven_version_regex
  @maven_version_regex ||= /\A(?!.*\.\.)[\w+.-]+\z/
end

#npm_package_name_regex(other_accepted_chars = nil) ⇒ Object 



96
97
98
99
100
 
# File 'lib/gitlab/regex/packages.rb', line 96

def npm_package_name_regex(other_accepted_chars = nil)
  strong_memoize_with(:npm_package_name_regex, other_accepted_chars) do
    %r{\A(?:@(#{Gitlab::PathRegex::NAMESPACE_FORMAT_REGEX})/)?[-+\.\_a-zA-Z0-9#{other_accepted_chars}]+\z}
  end
end

#npm_package_name_regex_messageObject 



102
103
104
 
# File 'lib/gitlab/regex/packages.rb', line 102

def npm_package_name_regex_message
  'should be a valid NPM package name: https://github.com/npm/validate-npm-package-name#naming-rules.'
end

#nuget_package_name_regexObject 



106
107
108
 
# File 'lib/gitlab/regex/packages.rb', line 106

def nuget_package_name_regex
  @nuget_package_name_regex ||= %r{\A[-+\.\_a-zA-Z0-9]+\z}
end

#nuget_version_regexObject 



110
111
112
113
114
115
116
117
118
 
# File 'lib/gitlab/regex/packages.rb', line 110

def nuget_version_regex
  @nuget_version_regex ||= /
    \A#{_semver_major_regex}
    \.#{_semver_minor_regex}
    (\.#{_semver_patch_regex})?
    (\.\d*)?
    #{_semver_prerelease_build_regex}\z
  /x
end

#package_name_regex(other_accepted_chars_package_name = nil) ⇒ Object 



60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
 
# File 'lib/gitlab/regex/packages.rb', line 60

def package_name_regex(other_accepted_chars_package_name = nil)
  strong_memoize_with(:package_name_regex, other_accepted_chars_package_name) do
    %r{
        \A\@?
        (?> # atomic group to prevent backtracking
          (([\w\-\.\+]*)\/)*([\w\-\.]+)
        )
        @?
        (?> # atomic group to prevent backtracking
          (([\w\-\.\+]*)\/)*([\w\-\.#{other_accepted_chars_package_name}]*)
        )
        \z
      }x
  end
end

#prefixed_semver_regexObject 



242
243
244
245
 
# File 'lib/gitlab/regex/packages.rb', line 242

def prefixed_semver_regex
  # identical to semver_regex, except starting with 'v'
  @prefixed_semver_regex ||= Regexp.new("\\Av#{::Gitlab::Regex.unbounded_semver_regex.source}\\z", ::Gitlab::Regex.unbounded_semver_regex.options)
end

#pypi_version_regexObject 



124
125
126
127
128
129
130
131
132
133
134
135
136
137
 
# File 'lib/gitlab/regex/packages.rb', line 124

def pypi_version_regex
  # See the official regex: https://github.com/pypa/packaging/blob/16.7/packaging/version.py#L159

  @pypi_version_regex ||= %r{
    \A(?:
      v?
      (?:([0-9]+)!)?                                                 (?# epoch)
      ([0-9]+(?:\.[0-9]+)*)                                          (?# release segment)
      ([-_\.]?((a|b|c|rc|alpha|beta|pre|preview))[-_\.]?([0-9]+)?)?  (?# pre-release)
      ((?:-([0-9]+))|(?:[-_\.]?(post|rev|r)[-_\.]?([0-9]+)?))?       (?# post release)
      ([-_\.]?(dev)[-_\.]?([0-9]+)?)?                                (?# dev release)
      (?:\+([a-z0-9]+(?:[-_\.][a-z0-9]+)*))?                         (?# local version)
      )\z}xi
end

#semver_regexObject 



201
202
203
 
# File 'lib/gitlab/regex/packages.rb', line 201

def semver_regex
  @semver_regex ||= Regexp.new("\\A#{::Gitlab::Regex.unbounded_semver_regex.source}\\z", ::Gitlab::Regex.unbounded_semver_regex.options).freeze
end

#semver_regex_messageObject 



205
206
207
 
# File 'lib/gitlab/regex/packages.rb', line 205

def semver_regex_message
  'should follow SemVer: https://semver.org'
end

#sha256_regexObject 



282
283
284
 
# File 'lib/gitlab/regex/packages.rb', line 282

def sha256_regex
  @sha256_regex ||= /\A[0-9a-f]{64}\z/i
end

#slack_link_regexObject 



286
287
288
 
# File 'lib/gitlab/regex/packages.rb', line 286

def slack_link_regex
  @slack_link_regex ||= Gitlab::UntrustedRegexp.new('<([^|<>]*[|][^|<>]*)>')
end

#terraform_module_package_name_regexObject 



120
121
122
 
# File 'lib/gitlab/regex/packages.rb', line 120

def terraform_module_package_name_regex
  @terraform_module_package_name_regex ||= %r{\A[-a-z0-9]+\/[-a-z0-9]+\z}
end

#unbounded_semver_regexObject 



190
191
192
193
194
195
196
197
198
199
 
# File 'lib/gitlab/regex/packages.rb', line 190

def unbounded_semver_regex
  # See the official regex: https://semver.org/#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string

  # The order of the alternatives in <prerelease> are intentionally
  # reordered to be greedy. Without this change, the unbounded regex would
  # only partially match "v0.0.0-20201230123456-abcdefabcdef".
  @unbounded_semver_regex ||= /
    #{_semver_major_minor_patch_regex}#{_semver_prerelease_build_regex}
  /x
end