
git-urls's Issues

When there is no `Userinfo` it should be set to `nil` not `url.User("")`

If you parse a git URL without Userinfo and then convert it back to string you get an extra "@" symbol.

Consider the following code:

package main
import (
	"fmt"
	"log"
	giturls "github.com/whilp/git-urls"
)
func main() {
	parsed, err := giturls.Parse("https://github.com/whilp/git-urls")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("Url with extra '@':", parsed.String())
	parsed.User = nil // set userinfo to nil
	fmt.Println("Correct url:", parsed.String())
}

Output:

Url with extra '@': https://@github.com/whilp/git-urls
Correct url: https://github.com/whilp/git-urls

Full runnable code: https://github.com/curusarn/go-git-urls-issue/blob/master/main.go

Are there any drawbacks to setting Userinfo to nil?
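An added example, written for this page rather than taken from git-urls, that reproduces the round-trip mismatch with only net/url and shows the one normalisation that is safe: clear User when it carries neither a username nor a password. The WithEmptyUser function is a stand-in for the behaviour the issue describes (it is assumed, not the library's code); the URLs in main are constructed inputs.

```go
package main

import (
	"fmt"
	"net/url"
)

// WithEmptyUser parses raw with net/url and then does what the issue
// reports git-urls doing: it fills User with url.User("") when the input
// carried no userinfo. It stands in for giturls.Parse and is not the
// library's code.
func WithEmptyUser(raw string) (*url.URL, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return nil, err
	}
	if u.User == nil {
		u.User = url.User("")
	}
	return u, nil
}

// DropEmptyUser sets User to nil only when it carries neither a username
// nor a password. A Userinfo with an explicitly set (even empty) password,
// as in "https://:@host/", is kept, because String() renders it as ":@"
// and dropping it would change the URL.
func DropEmptyUser(u *url.URL) *url.URL {
	if u.User != nil {
		_, hasPassword := u.User.Password()
		if u.User.Username() == "" && !hasPassword {
			u.User = nil
		}
	}
	return u
}

// RoundTrip returns the String() form of raw before and after
// DropEmptyUser, so the caller can see which inputs round-trip unchanged.
func RoundTrip(raw string) (before, after string, err error) {
	u, err := WithEmptyUser(raw)
	if err != nil {
		return "", "", err
	}
	before = u.String()
	after = DropEmptyUser(u).String()
	return before, after, nil
}

func main() {
	// Constructed inputs covering the reported case and the edge cases.
	for _, raw := range []string{
		"https://github.com/whilp/git-urls",     // no userinfo: gains a stray "@" until normalised
		"https://git@github.com/whilp/git-urls", // real username: unchanged
		"https://:@github.com/whilp/git-urls",   // empty but explicit password: kept
		"https://@github.com/whilp/git-urls",    // literal "@" with no user: the one input normalising changes
	} {
		before, after, err := RoundTrip(raw)
		if err != nil {
			fmt.Println("parse error:", err)
			continue
		}
		fmt.Printf("%-40s before=%-42s after=%s\n", raw, before, after)
	}
}
```

The only drawback the example surfaces is the last input: a URL written with a literal "@" and no user parses to url.User("") as well, so after normalisation it prints without the "@". For git remotes that distinction carries no meaning, which is why setting User to nil is the right default.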

Security issue in regex

The regex on line 35 inside urls.go is vulnerable to regex denial of service when a long input is provided inside the directory path of the git URL. I managed to cause a 7s delay, but only because the payload in the URL was too long. Here is the PoC:

package main
import (
	"fmt"
	"strings"
	"time"
	giturls "github.com/whilp/git-urls"
)
func main() {
	var payload = strings.Repeat("////", 19000000) //payload used, the number can be tweaked to cause 7 second delay
	malicious_url := "6en6ar@-:0////" + payload + "\\" // trailing literal backslash
	begin := time.Now()
	//u, err := giturls.ParseScp("[email protected]:/remote/directory")// normal git url
	_, err := giturls.ParseScp(malicious_url)
	if err != nil {
		fmt.Println("[ - ] Error ->", err) // fmt.Errorf only builds an error, it prints nothing
	}
	//fmt.Println("[ + ] Url --> " + u.Host)
	elapse := time.Since(begin)
	fmt.Printf("Function took %s\n", elapse)
}

Speed up

Per @anachronistic:

so - i did a couple of benchmarks on the lib and found differing speeds + heap allocations depending on the incoming string
and i believe that it's possible to 1) normalize the speed to within reason (i.e. longer strings will naturally take a bit longer to parse), 2) normalize the allocations (i believe you can produce a 0 allocation lib if you write the parser yourself)
i did a shit proof of concept and for local paths i had it down to 150ns / 0 allocations by having a Parse method that accepts a pointer to a net.URL structure ... ex func Parse(url string, handle *net.URL) error { ... }
that was leaning mostly on strings.Index which reports first appearance of a pattern, so ex. colon := strings.Index(url, ":") ... slash := strings.Index(url, "/") ... return colon == -1 || (slash & slash > colon)
so file:///whatever and /foo/bar/whatever returned true very quickly
it gets a touch more complicated from there, but yeah: that's my challenge to you ... normalized speed (for some reasonable definition of normalized compared to string length) and 0 allocations (or at most 1 if you don't like the C-style of passing in the structure)
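An added example, not code from git-urls or from either commenter, that combines the two points above: the "Security issue in regex" report and the strings.Index parser sketched in "Speed up". It is a hand-written scp-style parser of the assumed form [user@]host:path that fills a caller-supplied *url.URL (the handle style proposed above), does no regexp work, and rejects input above an assumed length cap before scanning it. Go's regexp package already guarantees running time linear in the input, so the 7s delay reported above grows with the 76 MB payload rather than through backtracking; the cap is what keeps an untrusted remote string from costing that time at all. MaxGitURLLen, ErrTooLong, ErrNotScp and validHost are this example's own names.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// MaxGitURLLen is an assumed cap on accepted input; it is not a limit the
// git-urls library defines. Anything longer is rejected before parsing.
const MaxGitURLLen = 4096

var (
	ErrTooLong = errors.New("git url exceeds MaxGitURLLen")
	ErrNotScp  = errors.New("not an scp-style git url")
)

// ParseScp fills handle from an scp-style address of the assumed form
// [user@]host:path (e.g. git@github.com:whilp/git-urls.git). It scans with
// strings.Index and a single byte loop, so its cost is linear in len(raw)
// and bounded by MaxGitURLLen; the caller owns handle, so the parser
// allocates only the Userinfo when a user part is present.
func ParseScp(raw string, handle *url.URL) error {
	if len(raw) > MaxGitURLLen {
		return ErrTooLong
	}
	colon := strings.Index(raw, ":")
	slash := strings.Index(raw, "/")
	// No colon, a slash before the colon (a local path), or "://" right
	// after the colon (a URL with a scheme) means this is not scp syntax.
	if colon == -1 || (slash != -1 && slash < colon) || strings.HasPrefix(raw[colon:], "://") {
		return ErrNotScp
	}
	authority, path := raw[:colon], raw[colon+1:]
	if path == "" {
		return ErrNotScp
	}
	var user *url.Userinfo
	if at := strings.LastIndex(authority, "@"); at != -1 {
		if at == 0 {
			return ErrNotScp // "@host:path" has an empty user
		}
		user = url.User(authority[:at])
		authority = authority[at+1:]
	}
	if authority == "" || !validHost(authority) {
		return ErrNotScp
	}
	*handle = url.URL{Scheme: "ssh", User: user, Host: authority, Path: path}
	return nil
}

// validHost accepts the hostname alphabet [A-Za-z0-9._-] and nothing else,
// in one pass over the bytes.
func validHost(h string) bool {
	for i := 0; i < len(h); i++ {
		c := h[i]
		switch {
		case c >= 'a' && c <= 'z', c >= 'A' && c <= 'Z', c >= '0' && c <= '9', c == '.', c == '-', c == '_':
		default:
			return false
		}
	}
	return true
}

func main() {
	var u url.URL
	// The reporter's payload shape with a smaller repetition count (a
	// constructed input); the length cap rejects it before any scanning.
	payload := "6en6ar@-:0////" + strings.Repeat("////", 19000) + "\\"
	fmt.Println("oversized payload:", ParseScp(payload, &u))
	for _, in := range []string{"git@github.com:whilp/git-urls.git", "6en6ar@-:0////", "https://github.com/whilp/git-urls", "/foo/bar:baz"} {
		if err := ParseScp(in, &u); err != nil {
			fmt.Printf("%-36s -> %v\n", in, err)
			continue
		}
		fmt.Printf("%-36s -> user=%q host=%q path=%q\n", in, u.User.Username(), u.Host, u.Path)
	}
}
```

The short form of the reporter's payload ("6en6ar@-:0////") still parses, with "-" as the host, which is the correct outcome: the defence is the length bound and the linear scan, not a rejection of odd but well-formed addresses. Tune MaxGitURLLen to the longest remote your deployment legitimately accepts.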

License?

Thank you for making this library. It looks like it does just what I was looking for. Would you be willing to add a license file?
