Provide a better explanation of the motivation for disallowing misleading characters

Contributes to #5487
This commit is contained in:
Fábio Beirão 2023-05-31 21:37:50 +02:00
parent a557738791
commit d633fbf89f
No known key found for this signature in database
GPG key ID: 13FD3A2130278AAE


@ -30,7 +30,13 @@ pub struct PackageMetadata<'a> {
/// - .tar.br
const VALID_EXTENSION_SUFFIXES: [&str; 2] = [".gz", ".br"];
/// Characters that could be misleading if present in URLs:
/// Since the TLD (top level domain) `.zip` is now available, there is a new attack
/// vector where malicous URLs can be used to confuse the reader.
/// Example of a URL which would take you to example.zip:
/// https://github.comkuberneteskubernetesarchiverefstags@example.zip
/// roc employs a checksum mechanism to prevent tampering with packages.
/// Nevertheless we should avoid such issues earlier.
/// You can read more here: https://medium.com/@bobbyrsec/the-dangers-of-googles-zip-tld-5e1e675e59a5
///
/// @ - For now we avoid usage of the @, to avoid the "tld zip" attack vector
/// - U+2044 Fraction Slash
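Review bot: the example URL in the doc comment, `https://github.comkuberneteskubernetesarchiverefstags@example.zip`, no longer shows the trick it is meant to illustrate, because the U+2044 Fraction Slash separators between `github.com`, `kubernetes`, `archive`, `refs` and `tags` are invisible or stripped in rendering; write the separator out explicitly (e.g. `github.com<U+2044>kubernetes<U+2044>...`) or describe in words that the path-looking segments are joined by U+2044 rather than `/`, so the example survives editors and renderers that normalize that character. Two smaller points in the same comment: `malicous` should be `malicious`, and the `@` entry (`/// @ - For now we avoid usage of the @ ...`) should follow the same bullet style as the `/// - U+2044 Fraction Slash` entry below it, e.g. `/// - @ : for now we avoid usage of the @ ...`, so the list of disallowed characters reads uniformly.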