Snap names regexes are inconsistent or too permissive

Bug #1763048 reported by Natalia Bidart on 2018-04-11
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
Canonical Click Reviewers tools
Undecided
Unassigned
Snap Store
Undecided
Unassigned
Snapcraft
Undecided
Unassigned
snapd
Undecided
Unassigned

Bug Description

Currently, the store restricts snap names to comply with:

package_name_re_str = r'^[a-z0-9-]*[a-z][a-z0-9-]*$'

The regex above allows snap names of one single char (even '-') being registered.

The reviewer tools allow for: r'^[a-z0-9-]*[a-z][a-z0-9-]*$' plus some extra checks (see check_name method in https://bazaar.launchpad.net/~store-reviewers/click-reviewers-tools/trunk/view/head:/clickreviews/sr_lint.py#L173)

Snapd allow for: the same regex than the store plus some extra checks, see https://github.com/snapcore/snapd/blob/master/snap/validate.go#L40

Snapcraft does not seem to enforce any regex (or I couldn't find one) -- I think we can leave this as is.

We want to ensure snapd, c-r-t and the store are consistent and do not allow one-char snap names being registered, nor having - at the beginning or end of a name, nor -- in it (similar to what snapd does but also restricting the min length).

John Lenton (chipaca) wrote :

Just to be clear, at the time of writing all projects do the same check: they check that regexp, and that it neither starts nor ends with a dash, nor contains a double dash, nor is longer than 40 characters. The rationale for doing it like this instead of with a single regexp is well documented in the projects themselves; for example, from snapd:

// the full regexp we could use, "^(?:[a-z0-9]+-?)*[a-z](?:-?[a-z0-9])*$", is
// O(2ⁿ) on the length of the string in python. An equivalent regexp that
// doesn't have the nested quantifiers that trip up Python's re would be
// "^(?:[a-z0-9]|(?<=[a-z0-9])-)*[a-z](?:[a-z0-9]|-(?=[a-z0-9]))*$", but Go's
// regexp package doesn't support look-aheads nor look-behinds, so in order to
// have a unified implementation in the Go and Python bits of the project
// we're doing it this way instead. Check the length (if applicable), check
// this regexp, then check the dashes.

Sergio Schvezov (sergiusens) wrote :

Isn't this a dup of LP: #1751447 ?

Changed in snapcraft:
status: New → Incomplete
John Lenton (chipaca) wrote :

Sergio, I left it open because this one explicitly mentions min length, which I think we're not checking.

Jamie Strandboge (jdstrand) wrote :

The minimum length check is now implemented in trunk.

Changed in click-reviewers-tools:
status: New → Fix Released
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers