Metadata API: Delegation role names validation #1527

@MVrachev

Description of issue or feature request:
Delegation role names are not restricted in any way in the spec, but they are targets metadata role names.
They could be ".", "../../filename" or "1.role".
The problem is that at some point those delegation role names are used when constructing a URL used
to download the delegated target metadata file:
https://github.com/theupdateframework/tuf/blob/e9106b59cdb5bbfb4260c5ffc3144e79f8f9596a/tuf/ngclient/updater.py#L287 which is likely to be a problem.

Current behavior:
No validation is used for Delegation role names.

Expected behavior:
Escape special symbols like . or \.
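
An added example, not part of the original issue or the project's code: it compares pasting a delegated role name into the metadata URL unchanged with percent-encoding it as a single path segment, and checks where each request would land. The base URL, the sample role names and all helper names are constructed for illustration.

```python
import posixpath
from urllib.parse import quote, unquote, urlsplit

# Constructed values for illustration; not taken from any real repository.
METADATA_BASE_URL = "https://repo.example/metadata/"
SAMPLE_ROLE_NAMES = ["project-a", ".", "1.role", "../../filename", "a/b", "a?b"]


def naive_url(base: str, role: str) -> str:
    """Role name placed in the URL unchanged (no validation, as the issue describes)."""
    return f"{base}{role}.json"


def encoded_url(base: str, role: str) -> str:
    """Role name percent-encoded as one path segment; safe="" also encodes "/"."""
    return f"{base}{quote(role, safe='')}.json"


def targets_role_file(base: str, url: str, role: str) -> bool:
    """True if the URL addresses '<role>.json' directly inside the base directory.

    Dot segments are removed from the raw path, as URL normalisation does,
    so an encoded separator ("%2F") is not treated as a directory boundary.
    """
    base_dir = posixpath.normpath(urlsplit(base).path)
    resolved = posixpath.normpath(urlsplit(url).path)
    same_dir = posixpath.dirname(resolved) == base_dir
    same_file = unquote(posixpath.basename(resolved)) == f"{role}.json"
    return same_dir and same_file


def audit(base: str, roles):
    """Return {role: (naive_ok, encoded_ok)} for every role name."""
    return {
        role: (
            targets_role_file(base, naive_url(base, role), role),
            targets_role_file(base, encoded_url(base, role), role),
        )
        for role in roles
    }


if __name__ == "__main__":
    for role, (naive_ok, encoded_ok) in audit(METADATA_BASE_URL, SAMPLE_ROLE_NAMES).items():
        print(f"{role!r:20} naive={naive_ok!s:5} encoded={encoded_ok}")
```

The check only models the client-side URL; a server that decodes `%2F` before resolving the path needs its own validation.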

Labels: backlog, discussion