Snap names regexes are inconsistent or too permissive

Bug #1763048 reported by Natalia Bidart
This bug affects 1 person
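Affects: Canonical Click Reviewers tools (obsolete); Status: Fix Released; Importance: Undecided; Assigned to: Unassigned
Affects: Snap Store Server; Status: Fix Released; Importance: Undecided; Assigned to: Unassigned
Affects: Snapcraft; Status: Incomplete; Importance: Undecided; Assigned to: Unassigned
Affects: snapd; Status: Fix Released; Importance: Medium; Assigned to: Unassigned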

Bug Description

Currently, the store restricts snap names to comply with:

package_name_re_str = r'^[a-z0-9-]*[a-z][a-z0-9-]*$'

The regex above allows snap names of one single char (even '-') to be registered.

The reviewer tools allow for: r'^[a-z0-9-]*[a-z][a-z0-9-]*$' plus some extra checks (see check_name method in https://bazaar.launchpad.net/~store-reviewers/click-reviewers-tools/trunk/view/head:/clickreviews/sr_lint.py#L173)

Snapd allows for: the same regex as the store plus some extra checks, see https://github.com/snapcore/snapd/blob/master/snap/validate.go#L40

Snapcraft does not seem to enforce any regex (or I couldn't find one) -- I think we can leave this as is.

We want to ensure snapd, c-r-t and the store are consistent and do not allow one-char snap names being registered, nor having - at the beginning or end of a name, nor -- in it (similar to what snapd does but also restricting the min length).

John Lenton (chipaca) wrote :

Just to be clear, at the time of writing all projects do the same check: they check that regexp, and that it neither starts nor ends with a dash, nor contains a double dash, nor is longer than 40 characters. The rationale for doing it like this instead of with a single regexp is well documented in the projects themselves; for example, from snapd:

// the full regexp we could use, "^(?:[a-z0-9]+-?)*[a-z](?:-?[a-z0-9])*$", is
// O(2ⁿ) on the length of the string in python. An equivalent regexp that
// doesn't have the nested quantifiers that trip up Python's re would be
// "^(?:[a-z0-9]|(?<=[a-z0-9])-)*[a-z](?:[a-z0-9]|-(?=[a-z0-9]))*$", but Go's
// regexp package doesn't support look-aheads nor look-behinds, so in order to
// have a unified implementation in the Go and Python bits of the project
// we're doing it this way instead. Check the length (if applicable), check
// this regexp, then check the dashes.

Sergio Schvezov (sergiusens) wrote :

Isn't this a dup of LP: #1751447 ?

Changed in snapcraft:
status: New → Incomplete
John Lenton (chipaca) wrote :

Sergio, I left it open because this one explicitly mentions min length, which I think we're not checking.

Jamie Strandboge (jdstrand) wrote :

The minimum length check is now implemented in trunk.

Changed in click-reviewers-tools:
status: New → Fix Released
Michael Vogt (mvo) wrote :

The snapd "ValidateName" code checks for length since 362784dc523520b8257450664a76f507dc28a4e0

Min len of 2 check is added in https://github.com/snapcore/snapd/pull/6154

Changed in snapd:
status: New → In Progress
importance: Undecided → Medium
Bret Barker (noise)
Changed in snapstore:
status: New → Fix Released
Zygmunt Krynicki (zyga) wrote :

Since the minimum length check has been merged into snapd I'm marking the task as fix released (it was released since the commit was merged).

Changed in snapd:
status: In Progress → Fix Released
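
The checks discussed in this thread, written out as an added Python example (not code from snapd, the store or the reviewer tools): length limits of 2 and 40, then the permissive regex, then the dash rules, plus an exhaustive comparison against the look-around regex quoted in the snapd comment. The function names and sample names are assumptions of this example.

```python
import itertools
import re

# Permissive regex from the bug description.
BASE_RE = re.compile(r'^[a-z0-9-]*[a-z][a-z0-9-]*$')
# Look-around form quoted in the snapd comment (usable in Python, not in Go).
LOOKAROUND_RE = re.compile(
    r'^(?:[a-z0-9]|(?<=[a-z0-9])-)*[a-z](?:[a-z0-9]|-(?=[a-z0-9]))*$')

MIN_LEN, MAX_LEN = 2, 40  # limits mentioned in the thread


def dash_rules_ok(name):
    """Regex, then dash checks; no length limits applied here."""
    # fullmatch() so that '$' cannot accept a trailing newline.
    if not BASE_RE.fullmatch(name):
        return False
    return not (name.startswith('-') or name.endswith('-') or '--' in name)


def validate_snap_name(name):
    """Length first (bounds the regex input), then regex, then dashes."""
    if not MIN_LEN <= len(name) <= MAX_LEN:
        return False
    return dash_rules_ok(name)


def disagreements(alphabet='a0-', max_len=7):
    """Strings on which the stepwise check and the look-around regex differ."""
    found = []
    for n in range(max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            s = ''.join(chars)
            if dash_rules_ok(s) != bool(LOOKAROUND_RE.fullmatch(s)):
                found.append(s)
    return found


if __name__ == '__main__':
    # Constructed sample names, not taken from the store.
    for sample in ['a', 'ab', '0a', '-ab', 'ab-', 'a--b', '00', 'a' * 41]:
        print(repr(sample), validate_snap_name(sample))
    print('disagreements:', disagreements())
```

Checking the length before the regex keeps the regex input bounded, which matters for any variant with nested quantifiers.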