impove detection of XML's anyURI violations (#179)

fixes #178

Signed-off-by: Jan Kowalleck <[email protected]>

Author: jkowalleck

HISTORY.md

@@ -4,6 +4,12 @@ All notable changes to this project will be documented in this file.
 
 ## unreleased
 
+* Fixed
+  * Improved omission of invalid `anyURI` when it comes to XML-normalization. ([#178] via [#179])
+
+[#178]: https://github.com/CycloneDX/cyclonedx-javascript-library/issues/178
+[#179]: https://github.com/CycloneDX/cyclonedx-javascript-library/pull/179
+
 ## 1.3.2 - 2022-08-15
 
 * Fixed

src/serialize/xml/types.ts

@@ -20,6 +20,8 @@ Copyright (c) OWASP Foundation. All Rights Reserved.
 // eslint-disable-next-line @typescript-eslint/no-namespace
 export namespace XmlSchema {
 
+  const _anyUriSchemePattern = /^[a-z][a-z0-9+\-.]*$/i
+
   /**
    * @see isAnyURI
    */
@@ -28,13 +30,42 @@ export namespace XmlSchema {
    * Test whether format is XML::anyURI - best-effort.
    *
    * @see {@link http://www.w3.org/TR/xmlschema-2/#anyURI}
-   * @see {@link http://www.datypic.com/sc/xsd/t-xsd_anyURI.html}
+   * @see {@link https://www.w3.org/2011/04/XMLSchema/TypeLibrary-URI-RFC3986.xsd}
+   * @see {@link https://www.w3.org/2011/04/XMLSchema/TypeLibrary-IRI-RFC3987.xsd}
    */
   export function isAnyURI (value: AnyURI | any): value is AnyURI {
-    return typeof value === 'string' &&
-      value.length > 0 &&
-      Array.from(value).filter(c => c === '#').length <= 1
-    // TODO add more validation according to spec
+    if (typeof value !== 'string') {
+      // not a string
+      return false
+    }
+    if (value.length === 0) {
+      // empty string
+      return false
+    }
+
+    const fragmentPos = value.indexOf('#')
+    let beforeFragment: string
+    if (fragmentPos >= 0) {
+      if (value.includes('#', fragmentPos + 1)) {
+        // has a second fragment marker
+        return false
+      }
+      beforeFragment = value.slice(undefined, fragmentPos)
+    } else {
+      beforeFragment = value
+    }
+
+    const schemePos = beforeFragment.indexOf(':')
+    if (schemePos >= 0) {
+      if (!_anyUriSchemePattern.test(beforeFragment.slice(undefined, schemePos))) {
+        // invalid schema
+        return false
+      }
+    }
+
+    // @TODO add more validation according to spec
+
+    return true
   }
 
 }

tests/integration/Serialize.XmlNormalize.test.js

@@ -25,6 +25,7 @@ const { createComplexStructure } = require('../_data/models')
 const { loadNormalizeResult, writeNormalizeResult } = require('../_data/normalize')
 
 const {
+  Models, Enums,
   Serialize: {
     XML: { Normalize: { Factory: XmlNormalizeFactory } }
   },
@@ -73,4 +74,46 @@ describe('Serialize.XmlNormalize', function () {
 
     // TODO add more tests
   }))
+
+  describe('ExternalReference\'s `anyURI`', () => {
+    const normalizer = new XmlNormalizeFactory(Spec1dot4).makeForExternalReference()
+
+    describe('omit invalid', () => {
+      [
+        // only one fragment allowed
+        'foo#bar#baz',
+        // scheme must follow the RFC
+        '[email protected]:peterolson/BigInteger.js.git',
+        'git%40github.com:peterolson/BigInteger.js.git',
+        ':foo-bar'
+      ].forEach(uri => it(`${uri}`, () => {
+        const ref = new Models.ExternalReference(uri, Enums.ExternalReferenceType.Other)
+        const normalized = normalizer.normalize(ref, {}, 'ref')
+        assert.strictEqual(normalized, undefined)
+      }))
+    })
+    describe('render valid', () => {
+      [
+        'https://github.com/peterolson/BigInteger.js.git',
+        'git+ssh:[email protected]:peterolson/BigInteger.js.git',
+        'example.com:8080/foo/bar',
+        'foo#bar',
+        '[email protected]',
+        'g#[email protected]:peterolson/BigInteger.js.git'
+      ].forEach(uri => it(`${uri}`, () => {
+        const ref = new Models.ExternalReference(uri, Enums.ExternalReferenceType.Other)
+        const normalized = normalizer.normalize(ref, {}, 'ref')
+        assert.deepStrictEqual(normalized, {
+          type: 'element',
+          name: 'ref',
+          attributes: { type: 'other' },
+          children: [{
+            type: 'element',
+            name: 'url',
+            children: uri
+          }]
+        })
+      }))
+    })
+  })
 })