Fixes URI::InvalidURIError issue while fetching metadata (#10256)

* adds exception on malformed URI response
dependabot · Jul 23, 2024 · 7c0e5e7 · 7c0e5e7
1 parent d045d42
commit 7c0e5e7
Show file tree

Hide file tree

Showing 3 changed files with 38 additions and 0 deletions.
diff --git a/common/lib/dependabot/git_metadata_fetcher.rb b/common/lib/dependabot/git_metadata_fetcher.rb
@@ -198,6 +198,7 @@ def parse_refs_for_upload_pack
 
     sig { params(uri: String).returns(String) }
     def service_pack_uri(uri)
+      uri = uri_sanitize(uri)
       service_pack_uri = uri_with_auth(uri)
       service_pack_uri = service_pack_uri.gsub(%r{/$}, "")
       service_pack_uri += ".git" unless service_pack_uri.end_with?(".git") || skip_git_suffix(uri)
@@ -216,6 +217,7 @@ def skip_git_suffix(uri)
       # (GitHub, GitLab, BitBucket) work with or without the suffix.
       # That change has other ramifications, so it'd be better if Azure started supporting ".git"
       # like all the other providers.
+      uri = uri_sanitize(uri)
       uri = SharedHelpers.scp_to_standard(uri)
       uri = URI(uri)
       hostname = uri.hostname.to_s
@@ -242,6 +244,12 @@ def uri_with_auth(uri)
       uri.to_s
     end
 
+    sig { params(uri: String).returns(String) }
+    def uri_sanitize(uri)
+      uri = uri.strip
+      uri.to_s
+    end
+
     sig { params(line: String).returns(String) }
     def sha_for_update_pack_line(line)
       T.must(line.split.first).chars.last(40).join

diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/version_resolver_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/version_resolver_spec.rb
@@ -163,6 +163,32 @@
       end
     end
 
+    context "when updating a dependency with malformed registry configuration" do
+      let(:project_name) { "npm6/peer_dependency" }
+      let(:latest_allowable_version) { Gem::Version.new("16.3.1") }
+      let(:dependency) do
+        Dependabot::Dependency.new(
+          name: "react-dom",
+          version: "15.2.0",
+          package_manager: "npm_and_yarn",
+          requirements: [{
+            file: "package.json",
+            requirement: "^15.2.0",
+            groups: ["dependencies"],
+            source: { type: "registry", url: "https://registry.yarnpkg.com}/" }
+          }]
+        )
+      end
+
+      context "when accessing a malformed registry requirements" do
+        it "raise a helpful error" do
+          expect { latest_resolvable_version }.to raise_error do |error|
+            expect(error.message).to include("bad URI(is not URI?)")
+          end
+        end
+      end
+    end
+
     context "with a npm 8 package-lock.json" do
       context "when updating a dependency without peer dependency issues" do
         let(:project_name) { "npm8/package-lock" }

diff --git a/updater/lib/dependabot/updater/operations/update_all_versions.rb b/updater/lib/dependabot/updater/operations/update_all_versions.rb
@@ -62,6 +62,10 @@ def dependencies
 
         def check_and_create_pr_with_error_handling(dependency)
           check_and_create_pull_request(dependency)
+        rescue URI::InvalidURIError => e
+          msg = e.class.to_s + " with message: " + e.message
+          e = Dependabot::DependencyFileNotResolvable.new(msg)
+          error_handler.handle_dependency_error(error: e, dependency: dependency)
         rescue Dependabot::InconsistentRegistryResponse => e
           error_handler.log_dependency_error(
             dependency: dependency,