From 7c0e5e709eaafe7cfa543f0e85a9ea129a2791fa Mon Sep 17 00:00:00 2001
From: "S.Sandhu" <167903774+sachin-sandhu@users.noreply.github.com>
Date: Tue, 23 Jul 2024 16:15:59 -0400
Subject: [PATCH] Fixes URI::InvalidURIError issue while fetching metadata (#10256)

* adds exception on malformed URI response
---
 common/lib/dependabot/git_metadata_fetcher.rb | 8 ++++++
 .../update_checker/version_resolver_spec.rb | 26 +++++++++++++++++++
 .../updater/operations/update_all_versions.rb | 4 +++
 3 files changed, 38 insertions(+)

diff --git a/common/lib/dependabot/git_metadata_fetcher.rb b/common/lib/dependabot/git_metadata_fetcher.rb
index 98fdcdbbfa5..415e6dbedd3 100644
--- a/common/lib/dependabot/git_metadata_fetcher.rb
+++ b/common/lib/dependabot/git_metadata_fetcher.rb
@@ -198,6 +198,7 @@ def parse_refs_for_upload_pack
 sig { params(uri: String).returns(String) }
 def service_pack_uri(uri)
+ uri = uri_sanitize(uri)
 service_pack_uri = uri_with_auth(uri)
 service_pack_uri = service_pack_uri.gsub(%r{/$}, "")
 service_pack_uri += ".git" unless service_pack_uri.end_with?(".git") || skip_git_suffix(uri)
@@ -216,6 +217,7 @@ def skip_git_suffix(uri)
 # (GitHub, GitLab, BitBucket) work with or without the suffix.
 # That change has other ramifications, so it'd be better if Azure started supporting ".git"
 # like all the other providers.
+ uri = uri_sanitize(uri)
 uri = SharedHelpers.scp_to_standard(uri)
 uri = URI(uri)
 hostname = uri.hostname.to_s
@@ -242,6 +244,12 @@ def uri_with_auth(uri)
 uri.to_s
 end
+ sig { params(uri: String).returns(String) }
+ def uri_sanitize(uri)
+ uri = uri.strip
+ uri.to_s
+ end
+
 sig { params(line: String).returns(String) }
 def sha_for_update_pack_line(line)
 T.must(line.split.first).chars.last(40).join
diff --git a/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/version_resolver_spec.rb b/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/version_resolver_spec.rb
index 5f1e1e6c4f2..e23f48a76c3 100644
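Review bot: The strip added at the top of `service_pack_uri` is repeated when the last context line calls `skip_git_suffix(uri)`, because that method now strips its argument too, so the same input is trimmed twice on the `.git`-suffix path. That is harmless, but it obscures which entry point owns normalisation; strip once at the public entry point and let the private helpers assume a trimmed value, or keep the helper-level strip and drop this one if `skip_git_suffix` has other callers (not visible here). `service_pack_uri` continues past the hunk.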
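Review bot: Trimming whitespace on the new line does not make the `URI(uri)` call two lines below safe: an input with a stray character such as the `}` in the PR's own spec fixture still raises `URI::InvalidURIError` here, so this method's behaviour on malformed input is unchanged and relies entirely on a caller rescuing. If that is the intended division of responsibility, say so next to the new line, e.g. `# Only trims surrounding whitespace; URI() below still raises URI::InvalidURIError on malformed input`, so the next reader does not assume validation happens in this method. `skip_git_suffix` begins before the hunk.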
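Review bot: `uri_sanitize` promises more than its body delivers: it only calls `String#strip`, and the trailing `uri.to_s` is a no-op on a `String` the Sorbet sig already guarantees, so a reader (especially one looking for where userinfo, scheme or host validation happens) will be misled by the name. Either rename it for what it does (`strip_uri`) or document the limitation on the method, e.g. `# Trims surrounding whitespace only; performs no validation or escaping of the URI.`, and collapse the body to `uri.strip`. Note the commit title speaks of handling `URI::InvalidURIError`, but nothing in this helper prevents that error.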
--- a/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/version_resolver_spec.rb
+++ b/npm_and_yarn/spec/dependabot/npm_and_yarn/update_checker/version_resolver_spec.rb
@@ -163,6 +163,32 @@
 end
 end
+ context "when updating a dependency with malformed registry configuration" do
+ let(:project_name) { "npm6/peer_dependency" }
+ let(:latest_allowable_version) { Gem::Version.new("16.3.1") }
+ let(:dependency) do
+ Dependabot::Dependency.new(
+ name: "react-dom",
+ version: "15.2.0",
+ package_manager: "npm_and_yarn",
+ requirements: [{
+ file: "package.json",
+ requirement: "^15.2.0",
+ groups: ["dependencies"],
+ source: { type: "registry", url: "https://registry.yarnpkg.com}/" }
+ }]
+ )
+ end
+
+ context "when accessing a malformed registry requirements" do
+ it "raise a helpful error" do
+ expect { latest_resolvable_version }.to raise_error do |error|
+ expect(error.message).to include("bad URI(is not URI?)")
+ end
+ end
+ end
+ end
+
 context "with a npm 8 package-lock.json" do
 context "when updating a dependency without peer dependency issues" do
 let(:project_name) { "npm8/package-lock" }
diff --git a/updater/lib/dependabot/updater/operations/update_all_versions.rb b/updater/lib/dependabot/updater/operations/update_all_versions.rb
index 286bd5c2d84..143325713c4 100644
--- a/updater/lib/dependabot/updater/operations/update_all_versions.rb
+++ b/updater/lib/dependabot/updater/operations/update_all_versions.rb
@@ -62,6 +62,10 @@ def dependencies
 def check_and_create_pr_with_error_handling(dependency)
 check_and_create_pull_request(dependency)
+ rescue URI::InvalidURIError => e
+ msg = e.class.to_s + " with message: " + e.message
+ e = Dependabot::DependencyFileNotResolvable.new(msg)
+ error_handler.handle_dependency_error(error: e, dependency: dependency)
 rescue Dependabot::InconsistentRegistryResponse => e
 error_handler.log_dependency_error(
 dependency: dependency,
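Review bot: The `raise_error` on the `expect { latest_resolvable_version }` line names no exception class, so the example passes for any failure whose message happens to contain the substring rather than specifically for the malformed registry URL; pin it with `expect { latest_resolvable_version }.to raise_error(URI::InvalidURIError) do |error|`. The substring `bad URI(is not URI?)` is the wording of Ruby's own URI parser, not text Dependabot controls, so it may drift between uri gem versions, which is another reason to assert on the class. As far as the hunk shows, this spec exercises the npm registry resolver and not `git_metadata_fetcher.rb`, so the `uri_sanitize` change in this commit appears to have no test covering it.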
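Review bot: The `msg` built on the new second line embeds `e.message` verbatim, and Ruby's URI parser includes the offending URI in that message; registry and git URLs in npm/yarn configuration can carry `user:token@` userinfo, so wrapping it in `Dependabot::DependencyFileNotResolvable`, which is surfaced to the user, risks echoing a credential. Unless `handle_dependency_error` already redacts (not visible here), strip userinfo before building the message, e.g. `msg = "#{e.class} with message: #{e.message.gsub(%r{//[^/@\s"]+@}, "//<redacted>@")}"`, which also replaces the `+` concatenation with interpolation per the file's idiom. `check_and_create_pr_with_error_handling` continues past the hunk.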