
Add validation to maven package version

What does this MR do?

Description

The Maven package version is not validated when a new package is persisted in the database. This MR solves this issue by adding ActiveRecord validations to the version when a Maven package is created.

Proposed solution

Following the suggestion and possible regexp in #214429 (closed) and the version format in the Maven version doc. The regex currently used, %r{\A(\d+)(\.\d+)(\.\d+)$|^(\d+)(\.\d+)$|^(\d+)(\.\d+)(-.+)$|^(\d+)(\.\d+)(\.\d+)(-.+)\z}.freeze, is slightly different from the possible regex given in #214429, because the following valid examples from the Maven version doc did not match the possible regex:

  1. 1.4.2-12
  2. 12.1.2-0-0

and versions like 1 and 3 match this regex, which I think are invalid versions.

The regex currently used ensures that the examples of valid versions are matched.

Updates

!32925 (comment 348791023)

After further discussion with @10io we agreed on using a different regex:

\A[1-9]\d*\.\d+\.\d+\z|\A[1-9]\d*\.\d+\z|\A[1-9]\d*\z|\A[1-9]\d*\.\d+-.+\z|\A[1-9]\d*-.+\z|\A[1-9]\d*\.\d+\.\d+-.+\z
  1. Matches single-number versions like 1, 4 and 12. More details in !32925 (comment 348791023)
  2. Removes the capturing groups, since they are not needed.
  3. Replaces ^ with \A and $ with \z, to be coherent with the other regexps in the file.
  4. Does not match versions that start with 0, for example,
  5. Matches versions that include 0 but do not start with 0. Examples of invalid versions are 01, 03.2, etc., while valid versions are 10, 20.2, 30.4.5, etc.

!32925 (comment 349988242)

Following a review from @splattael, we agreed on reworking the regex and not supporting versions that are non-standard according to the documentation https://docs.oracle.com/middleware/1212/core/MAVEN/maven_version.htm#MAVEN8855

\A[1-9]\d*(\.\d+(\.\d+)?)?(-\w+)*\z

!32925 (comment 350660155)

After testing the above regex against existing versions and getting a list of 20k+ rejected versions, the regex was changed to accommodate more versions. To keep things as compatible as possible, we allow any char except / and % and reject any whitespace char:

\A[^\/%\s]+\z

!32925 (comment 358086694)

Following a security review from @vdesousa, we changed the regex to follow a whitelisting approach and reject versions that start with .., which results in 6 rejected existing versions. Documentation about this is added to the Maven Repository docs in !32925 (b8b01ce2). The regex below is the one currently used:

\A(\.?[\w\+-]+\.?)+\z
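
The five regexes proposed in this MR, as an added example that is not part of the MR or of GitLab's code, run over a constructed set of version strings so the effect of each revision is visible. The regex literals are copied from the description above; the constant and helper names and the sample inputs are assumptions made for illustration. Two points worth seeing in the output: in Ruby, ^ and $ are line anchors, so the first regex accepts a version with an embedded newline (which \A and \z do not), and the denylist regex accepts .. while the final regex rejects a leading or trailing .. but still accepts a single .. in the middle of a version.

```ruby
# Added example, not GitLab's own code: the regexes proposed in this MR, in
# proposal order, checked against constructed sample versions. Constant names,
# helper names and sample inputs are made up for illustration.

FIRST_REGEX    = %r{\A(\d+)(\.\d+)(\.\d+)$|^(\d+)(\.\d+)$|^(\d+)(\.\d+)(-.+)$|^(\d+)(\.\d+)(\.\d+)(-.+)\z}.freeze
SECOND_REGEX   = /\A[1-9]\d*\.\d+\.\d+\z|\A[1-9]\d*\.\d+\z|\A[1-9]\d*\z|\A[1-9]\d*\.\d+-.+\z|\A[1-9]\d*-.+\z|\A[1-9]\d*\.\d+\.\d+-.+\z/.freeze
STRICT_REGEX   = /\A[1-9]\d*(\.\d+(\.\d+)?)?(-\w+)*\z/.freeze
DENYLIST_REGEX = /\A[^\/%\s]+\z/.freeze
FINAL_REGEX    = /\A(\.?[\w\+-]+\.?)+\z/.freeze

REGEXES = {
  first:    FIRST_REGEX,    # initial proposal (^ and $ are line anchors in Ruby)
  second:   SECOND_REGEX,   # after discussion with @10io
  strict:   STRICT_REGEX,   # after review from @splattael (standard versions only)
  denylist: DENYLIST_REGEX, # after the 20k+ rejections: anything but / % and whitespace
  final:    FINAL_REGEX,    # after security review: allowlist, no leading ..
}.freeze

# True if +version+ would pass a format validation with the given regex
# (defaults to the regex the MR currently uses).
def valid_version?(version, regex = FINAL_REGEX)
  regex.match?(version)
end

# Names of the regexes, in proposal order, that accept +version+.
def accepted_by(version)
  REGEXES.select { |_name, regex| regex.match?(version) }.keys
end

# Constructed sample versions: the doc's valid examples, the 0-prefixed cases,
# and a few inputs a client could send to probe how the version is used in paths.
SAMPLE_VERSIONS = [
  "1.4.2-12",         # valid example from the Maven version doc
  "12.1.2-0-0",       # valid example from the Maven version doc
  "1",                # single-number version: rejected only by the first regex
  "01",               # leading zero: accepted only by the last two
  "1.0-SNAPSHOT",     # accepted by every regex
  "..",               # accepted by the denylist regex, rejected by the final one
  "../../etc/passwd", # contains /, rejected by every regex
  "1.0%2e%2e",        # percent-encoded dots, rejected by every regex
  "1.0 final",        # whitespace, rejected by every regex
  "1.0\n../x",        # only the ^/$ line anchors of the first regex let this through
  "1..2",             # a .. in the middle still passes the final regex
].freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_VERSIONS.each do |version|
    puts "#{version.inspect.ljust(20)} accepted by: #{accepted_by(version).inspect}"
  end
end
```

In an ActiveRecord model the same check is a `validates :version, format: { with: ... }` declaration; running the script prints, for each sample, which of the five revisions would have let it through.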

Screenshots

Does this MR meet the acceptance criteria?

Conformity

Availability and Testing

Security

If this MR contains changes to processing or storing of credentials or tokens, authorization and authentication methods and other items described in the security review guidelines:

  • Label as security and @ mention @gitlab-com/gl-security/appsec
  • The MR includes necessary changes to maintain consistency between UI, API, email, or other methods
  • Security reports checked/validated by a reviewer from the AppSec team
Edited by 🤖 GitLab Bot 🤖
