purl 1.8.0 → 1.8.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
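--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
  ---
  SHA256:
- metadata.gz: e6632d8fa11800fb9a4b376c1555505ba87047f98de52a42103c27c2d2b46e2a
- data.tar.gz: c248313079783e3d5ac6c9e7dfc8663067671d4a19356757cd493e4fb23c2d8f
+ metadata.gz: c9aa1c0a95990683d5731be306c256d83b5d4d8025910955744f8b526f95de9a
+ data.tar.gz: d946e4542c898fd36feb07eaf21ad4829fd74688f0834b705a2c232c71469a88
  SHA512:
- metadata.gz: fc9b6cdde9d6efe15a93cd6760ec3c88aa8be1594d962682c9c27642c72408ebd242d2fa4cbbfc9f87e72e135f337bac8fbc278c69f991f4cbf7d5b3388a4b1b
- data.tar.gz: db4bffcde1032b421fba9b68d717bad523482b2d457b304c997606d538bee59bbfbe185bc9f456c8e72a4150ed74f5bd80d38d757bfeba41ae533ff5260c7ffb
+ metadata.gz: a4e483648dbcad8106813a90f51521ea158ef07a3b8817671c49aa9622abb239f993c64c0e1b92395245abb606621b252af35f17c2745ff0ddb28cfe2d3a969a
+ data.tar.gz: 543d9d81c3ae2c6cc4a692386ff3baf89e9da3e41826567e6806047fbf6228a4e568603b52d3bf25abf508c1e8306c0cda3afe2ccfd86feabbdbbfa478292359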
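--- a/data/lib/purl/advisory.rb
+++ b/data/lib/purl/advisory.rb
@@ -9,6 +9,8 @@ module Purl
  # Provides advisory lookup functionality for packages using the advisories.ecosyste.ms API
  class Advisory
  ADVISORIES_API_BASE = "https://advisories.ecosyste.ms/api/v1"
+ ALLOWED_HOSTS = ["advisories.ecosyste.ms"].freeze
+ MAX_RESPONSE_BYTES = 10 * 1024 * 1024
 
  # Initialize a new Advisory instance
  #
@@ -55,6 +57,10 @@ module Purl
  private
 
  def make_request(uri)
+ unless uri.scheme == "https" && ALLOWED_HOSTS.include?(uri.host)
+ raise AdvisoryError, "Refusing request to disallowed host: #{uri.host}"
+ end
+
  http = Net::HTTP.new(uri.host, uri.port)
  http.use_ssl = true
  http.read_timeout = @timeout
@@ -67,7 +73,11 @@ module Purl
 
  case response.code.to_i
  when 200
- JSON.parse(response.body)
+ body = response.body
+ if body.bytesize > MAX_RESPONSE_BYTES
+ raise AdvisoryError, "Response too large (#{body.bytesize} bytes)"
+ end
+ JSON.parse(body)
  when 404
  []
  else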
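Review bot: The size limit added in the 200 branch is enforced only after `response.body` has already buffered the entire reply in memory, so a compromised or misbehaving upstream can still push an arbitrarily large body into the process before the check fires; MAX_RESPONSE_BYTES caps what reaches JSON.parse, not what is read. The line that issues the request sits between the second and third hunks and is not shown here, but that is where the fix belongs: use the block form of `http.request` together with `read_body`, append chunks into a local buffer, and raise as soon as it exceeds MAX_RESPONSE_BYTES, then parse that buffer in the 200 branch (the request object's name is not visible, so `request` below is a placeholder). `make_request` begins in the second hunk and its body continues past the end of this section. A `Content-Length` pre-check is a cheap first line of defence but cannot stand alone, since the header is optional and server-controlled.
```ruby
# … unchanged: scheme/allowlist guard and Net::HTTP setup …
body = +""
response = http.request(request) do |res|
  next unless res.code.to_i == 200
  res.read_body do |chunk|
    body << chunk
    if body.bytesize > MAX_RESPONSE_BYTES
      raise AdvisoryError, "Response too large (>#{MAX_RESPONSE_BYTES} bytes)"
    end
  end
end

case response.code.to_i
when 200
  JSON.parse(body)
# … unchanged: 404 and error branches …
```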
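--- a/data/lib/purl/lookup.rb
+++ b/data/lib/purl/lookup.rb
@@ -9,6 +9,8 @@ module Purl
  # Provides lookup functionality for packages using the ecosyste.ms API
  class Lookup
  ECOSYSTE_MS_API_BASE = "https://packages.ecosyste.ms/api/v1"
+ ALLOWED_HOSTS = ["packages.ecosyste.ms", "repos.ecosyste.ms"].freeze
+ MAX_RESPONSE_BYTES = 10 * 1024 * 1024
 
  # Initialize a new Lookup instance
  #
@@ -100,7 +102,7 @@ module Purl
  private
 
  def http_for(uri)
- key = "#{uri.host}:#{uri.port}"
+ key = connection_key(uri)
  @connections ||= {}
  @connections[key] ||= begin
  http = Net::HTTP.new(uri.host, uri.port)
@@ -113,11 +115,14 @@ module Purl
  end
 
  def reset_connection(uri)
- key = "#{uri.host}:#{uri.port}"
- old = @connections&.delete(key)
+ old = @connections&.delete(connection_key(uri))
  old&.finish rescue nil
  end
 
+ def connection_key(uri)
+ "#{uri.scheme}://#{uri.host}:#{uri.port}"
+ end
+
  def close
  return unless @connections
  @connections.each_value { |http| http.finish rescue nil }
@@ -125,6 +130,10 @@ module Purl
  end
 
  def make_request(uri, retried: false)
+ unless uri.scheme == "https" && ALLOWED_HOSTS.include?(uri.host)
+ raise LookupError, "Refusing request to disallowed host: #{uri.host}"
+ end
+
  http = http_for(uri)
 
  request = Net::HTTP::Get.new(uri)
@@ -134,7 +143,11 @@ module Purl
 
  case response.code.to_i
  when 200
- JSON.parse(response.body)
+ body = response.body
+ if body.bytesize > MAX_RESPONSE_BYTES
+ raise LookupError, "Response too large (#{body.bytesize} bytes)"
+ end
+ JSON.parse(body)
  when 404
  nil
  else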
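Review bot: The `body.bytesize` check in the 200 branch runs only after `response.body` has already read the whole reply into memory, so the limit bounds what JSON.parse sees but not how much an oversized upstream response can allocate first. Because this class pools connections through `http_for`, aborting part-way through a body also leaves a keep-alive socket with unread data that the next call would reuse, so the abort path should call the existing `reset_connection(uri)` before raising. The request is sent between the fourth and fifth hunks (not shown); switch it to the block form of `http.request` with `read_body`, accumulate into a local buffer, and bail out once it exceeds MAX_RESPONSE_BYTES, then parse that buffer here. `make_request` starts in the fourth hunk and its body continues past the end of this section, so how `retried:` interacts with the new error is not visible here and should be checked.
```ruby
# … unchanged: allowlist guard, http_for, request setup …
body = +""
response = http.request(request) do |res|
  next unless res.code.to_i == 200
  res.read_body do |chunk|
    body << chunk
    if body.bytesize > MAX_RESPONSE_BYTES
      reset_connection(uri) # drop the half-read keep-alive socket so it is not reused
      raise LookupError, "Response too large (>#{MAX_RESPONSE_BYTES} bytes)"
    end
  end
end

case response.code.to_i
when 200
  JSON.parse(body)
# … unchanged: 404 and error branches …
```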
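--- a/data/lib/purl/version.rb
+++ b/data/lib/purl/version.rb
@@ -1,5 +1,5 @@
  # frozen_string_literal: true
 
  module Purl
- VERSION = "1.8.0"
+ VERSION = "1.8.1"
  end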
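--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
  --- !ruby/object:Gem::Specification
  name: purl
  version: !ruby/object:Gem::Version
- version: 1.8.0
+ version: 1.8.1
  platform: ruby
  authors:
  - Andrew Nesbitt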