
Instantiating a PackageURL with a version number containing a newline eventually leads to an invalid URL

Open · opened by nhumblot · 0 comments

Context

Identified following this analysis https://github.com/jeremylong/DependencyCheck/issues/6688#issuecomment-2138489883

Maven supports the newline character in the version as per its XSD. When instantiating a PackageURL with such a character in its version, calling PackageURL.canonicalize() returns an invalid URL.

Steps to reproduce

```java
import com.github.packageurl.PackageURL;

// Constructor signature: (type, namespace, name, version, qualifiers, subpath); throws MalformedPackageURLException
PackageURL url = new PackageURL("maven", "com.google.summit", "summit-ast", "2.2.0\n", null, null);
String canonicalize = url.canonicalize();
```

Expected behavior

canonicalize is equal to pkg:maven/com.google.summit/summit-ast@2.2.0%0A

Current behavior

canonicalize is equal to pkg:maven/com.google.summit/summit-ast@2.2.0%A

nhumblot, May 30 '24 01:05
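The symptom above (`%A` where `%0A` is expected) is what a percent-encoder produces when it emits the hex value of a byte without zero-padding it to two digits. The following is an added illustration written for this page, not code from packageurl-java and not a claim about where the library's bug lives: it is in Python rather than Java because the encoding point does not depend on the library, and it puts a deliberately buggy encoder that reproduces the reported output next to a correct one, then checks the result two ways a consumer would (every `%` followed by exactly two hex digits, and a decode round trip). The set of characters left unencoded is an assumption for the example and may differ from the library's.

```python
"""Percent-encoding a Package URL version: a buggy encoder that mirrors the
reported symptom ("%A" for a newline) beside a correct one.

Constructed illustration for this issue; not packageurl-java's code.
"""
import re
from urllib.parse import unquote

# Assumption for this example: characters left as-is in a version component
# (RFC 3986 unreserved plus a few purl-safe punctuation marks). The real
# library's set may differ; everything else is percent-encoded byte-wise.
_SAFE = frozenset(
    "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-._~:+"
)


def buggy_percent_encode(s: str) -> str:
    """Emits the byte's hex value without width, so bytes below 0x10
    (newline is 0x0A, tab is 0x09) come out as one hex digit: "%A", "%9"."""
    out = []
    for b in s.encode("utf-8"):
        ch = chr(b)
        # bug: format(b, "X") has no minimum width, yielding "%A" for 0x0A
        out.append(ch if ch in _SAFE else "%" + format(b, "X"))
    return "".join(out)


def percent_encode(s: str) -> str:
    """Always emits two uppercase hex digits per encoded byte ("%0A")."""
    out = []
    for b in s.encode("utf-8"):
        ch = chr(b)
        out.append(ch if ch in _SAFE else f"%{b:02X}")
    return "".join(out)


def canonicalize(type_: str, namespace: str, name: str, version: str,
                 encode=percent_encode) -> str:
    """Builds pkg:<type>/<namespace>/<name>@<version> with the given encoder.
    Simplified: the namespace is encoded as one component, not per segment."""
    return f"pkg:{type_}/{encode(namespace)}/{encode(name)}@{encode(version)}"


def is_valid_percent_encoding(s: str) -> bool:
    """True when every '%' in s is followed by exactly two hex digits.
    "%A" at end of string fails this check; "%0A" passes."""
    return re.search(r"%(?![0-9A-Fa-f]{2})", s) is None


def round_trips(version: str, encode=percent_encode) -> bool:
    """Encode then decode; a malformed escape such as "%A" is left untouched
    by unquote(), so the original newline is not recovered."""
    return unquote(encode(version)) == version


if __name__ == "__main__":
    # Constructed input matching the reproduction in the issue.
    args = ("maven", "com.google.summit", "summit-ast", "2.2.0\n")
    for label, enc in (("buggy  ", buggy_percent_encode), ("correct", percent_encode)):
        purl = canonicalize(*args, encode=enc)
        print(f"{label}: {purl!r} valid={is_valid_percent_encoding(purl)} "
              f"round_trip={round_trips(args[3], encode=enc)}")
```

The `is_valid_percent_encoding` check is the cheap guard a consumer of canonicalized purls can run before handing the string to a URL parser; the round trip is the stricter one, since it shows that the dropped zero does not merely produce an odd-looking string but loses the original version value.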