[Git][reproducible-builds/diffoscope][master] Validate --css argument. Thanks to Daniel Schmidt @ SRLabs for the report. (Closes: #396)

Chris Lamb (@lamby) gitlab at salsa.debian.org
Mon Jan 13 12:16:13 UTC 2025 


Chris Lamb pushed to branch master at Reproducible Builds / diffoscope


Commits:
a36ee4eb by Chris Lamb at 2025-01-13T12:15:31+00:00
Validate --css argument. Thanks to Daniel Schmidt @ SRLabs for the report. (Closes: #396)

- - - - -


2 changed files:

- diffoscope/main.py
- tests/test_main.py


Changes:

=====================================
diffoscope/main.py
=====================================
@@ -28,6 +28,8 @@ import textwrap
 import argparse
 import traceback
 
+from urllib.parse import urlparse
+
 from . import VERSION
 from .path import set_path
 from .tools import (
@@ -734,6 +736,14 @@ def sigterm_handler(signo, stack_frame):
     os._exit(2)
 
 
+def is_valid_url(val):
+    try:
+        result = urlparse(val)
+        return all([result.scheme, result.netloc])
+    except AttributeError:
+        return False
+
+
 def main(args=None):
     if args is None:
         args = sys.argv[1:]
@@ -759,6 +769,9 @@ def main(args=None):
             parser, post_parse = create_parser()
             parsed_args = parser.parse_args(args)
 
+        if parsed_args.css_url and not is_valid_url(parsed_args.css_url):
+            parser.error(f"{parsed_args.css_url!r} is not a valid CSS URL.")
+
         log_handler = ProgressManager().setup(parsed_args)
 
         with setup_logging(parsed_args.debug, log_handler) as _:


=====================================
tests/test_main.py
=====================================
@@ -191,3 +191,31 @@ def test_usage(capsys):
 
     assert out == ""
     assert "usage:" in err
+
+
+def test_valid_css(capsys):
+    ret, out, err = run(
+        capsys,
+        "--css",
+        "http://example.tld/file.css",
+        TEST_TAR1_PATH,
+        TEST_TAR1_PATH,
+    )
+
+    assert ret == 0
+    assert err == ""
+    assert out == ""
+
+
+def test_invalid_css(capsys):
+    ret, out, err = run(
+        capsys,
+        "--css",
+        '"><svg/onload=alert(43433)>',
+        TEST_TAR1_PATH,
+        TEST_TAR1_PATH,
+    )
+
+    assert ret == 2
+    assert "is not a valid CSS" in err
+    assert out == ""



View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/a36ee4ebd7494d6d24d537072974a4ae92437523

-- 
View it on GitLab: https://salsa.debian.org/reproducible-builds/diffoscope/-/commit/a36ee4ebd7494d6d24d537072974a4ae92437523
You're receiving this email because of your account on salsa.debian.org.


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.reproducible-builds.org/pipermail/rb-commits/attachments/20250113/bddd0284/attachment.htm>

More information about the rb-commits mailing list