fix: removes 64-char limit for url path & query

yozachar · yozachar · commit eadbb221922b · 2023-04-10T17:17:09.000+05:30
- removes IDNA 64-char limit for url path & query - validates absurd quoted url: `http://-.~_!$&'()*+,;=:%40:80%2f::::::@example.com` - updates dependencies and changelog - bumps patch version **Related items** *Issues* - Closes #257
diff --git a/CHANGES.md b/CHANGES.md
@@ -1,5 +1,15 @@
 # Changelog
 
+## 0.21.1 (2023-04-10)
+
+- fix: `source .venv/bin/activate` before build by @joe733 in [#260](https://github.com/python-validators/validators/pull/260)
+- fix: id-token write permission at job level by @joe733 in [#261](https://github.com/python-validators/validators/pull/261)
+- feat: docs can be built with both sphinx & mkdocs by @joe733 in [#262](https://github.com/python-validators/validators/pull/262)
+- fix: improves build process by @joe733 in [#263](https://github.com/python-validators/validators/pull/263)
+- fix: removes 64-char limit for url path & query by @joe733 in [#264](https://github.com/python-validators/validators/pull/264)
+
+**Full Changelog**: [0.21.0...0.21.1](https://github.com/python-validators/validators/compare/0.21.0...0.21.1)
+
 ## 0.21.0 (2023-03-25)
 
 - feat: add build for pypi workflow by @joe733 in [#255](https://github.com/python-validators/validators/pull/255)
diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "validators"
-version = "0.21.0"
+version = "0.21.1"
 description = "Python Data Validation for Humans™"
 authors = ["Konsta Vesterinen <konsta@fastmonkeys.com>"]
 license = "MIT"
@@ -28,16 +28,16 @@ include = ["CHANGES.md", "docs/*", "docs/validators.1", "validators/py.typed"]
 python = "^3.8"
 
 [tool.poetry.group.dev.dependencies]
-tox = "^4.4.8"
+tox = "^4.4.11"
 
 [tool.poetry.group.docs.dependencies]
 mkdocs = "^1.4.2"
-mkdocs-material = "^9.1.4"
+mkdocs-material = "^9.1.6"
 mkdocstrings = { extras = ["python"], version = "^0.20.0" }
 pyaml = "^21.10.1"
 
 [tool.poetry.group.hooks.dependencies]
-pre-commit = "^3.2.1"
+pre-commit = "^3.2.2"
 
 [tool.poetry.group.sast.dependencies]
 bandit = "^1.7.5"
@@ -48,14 +48,14 @@ myst-parser = "^1.0.0"
 pypandoc-binary = "^1.11"
 
 [tool.poetry.group.tests.dependencies]
-pytest = "^7.2.2"
+pytest = "^7.3.0"
 
 [tool.poetry.group.type-lint-format.dependencies]
 black = "^23.1.1"
 flake8 = "^5.0.4"
 flake8-docstrings = "^1.7.0"
 isort = "^5.12.0"
-pyright = "^1.1.301"
+pyright = "^1.1.302"
 
 [build-system]
 requires = ["poetry-core"]
diff --git a/tests/test_url.py b/tests/test_url.py
@@ -83,6 +83,8 @@
         "http://президент.рф/",
         "http://10.24.90.255:83/",
         "https://travel-usa.com/wisconsin/旅行/",
+        "http://:::::::::::::@exmp.com",
+        "http://-.~_!$&'()*+,;=:%40:80%2f::::::@example.com",
         # when simple_host=True
         # "http://localhost",
         # "http://localhost:8000",
diff --git a/validators/__init__.py b/validators/__init__.py
@@ -64,4 +64,4 @@
     "fi_ssn",
 )
 
-__version__ = "0.20.0"
+__version__ = "0.21.1"
diff --git a/validators/url.py b/validators/url.py
@@ -2,7 +2,7 @@
 # -*- coding: utf-8 -*-
 
 # standard
-from urllib.parse import urlsplit
+from urllib.parse import urlsplit, unquote
 from functools import lru_cache
 import re
 
@@ -24,7 +24,15 @@ def _username_regex():
 
 @lru_cache
 def _path_regex():
-    return re.compile(r"^[\/a-zA-Z0-9\-\.\_\~\!\$\&\'\(\)\*\+\,\;\=\:\@\%]+$", re.IGNORECASE)
+    return re.compile(
+        # allowed symbols
+        r"^[\/a-zA-Z0-9\-\.\_\~\!\$\&\'\(\)\*\+\,\;\=\:\@\%"
+        # emoticons / emoji
+        + r"\U0001F600-\U0001F64F"
+        # multilingual unicode ranges
+        + r"\u00A0-\uD7FF\uF900-\uFDCF\uFDF0-\uFFEF]+$",
+        re.IGNORECASE,
+    )
 
 
 @lru_cache
@@ -52,7 +60,9 @@ def _validate_auth_segment(value: str):
     if not value:
         return True
     if (colon_count := value.count(":")) > 1:
-        return False
+        # everything before @ is then considered as a username
+        # this is a bad practice, but syntactically valid URL
+        return _username_regex().match(unquote(value))
     if colon_count < 1:
         return _username_regex().match(value)
     username, password = value.rsplit(":", 1)
@@ -103,9 +113,9 @@ def _validate_optionals(path: str, query: str, fragment: str):
     """Validate path query and fragments."""
     optional_segments = True
     if path:
-        optional_segments &= bool(_path_regex().match(path.encode("idna").decode("utf-8")))
+        optional_segments &= bool(_path_regex().match(path))
     if query:
-        optional_segments &= bool(_query_regex().match(query.encode("idna").decode("utf-8")))
+        optional_segments &= bool(_query_regex().match(query))
     if fragment:
         optional_segments &= all(char_to_avoid not in fragment for char_to_avoid in ("/", "?"))
     return optional_segments

Original file line number	Diff line number	Diff line change
`@@ -64,4 +64,4 @@`
`64`	`64`	`"fi_ssn",`
`65`	`65`	`)`
`66`	`66`
`67`		`-__version__ = "0.20.0"`
	`67`	`+__version__ = "0.21.1"`