Possible bug in isTargetInPathPattern #590

Closed
adityasaky opened this issue Jan 31, 2024 · 2 comments

Comments

@adityasaky
Contributor

The implementation for this helper is here:

go-tuf/metadata/metadata.go

Lines 535 to 554 in 9d57731

```go
// Determine whether “targetpath“ matches the “pathpattern“.
func isTargetInPathPattern(targetpath string, pathpattern string) bool {
	// We need to make sure that targetpath and pathpattern are pointing to
	// the same directory as fnmatch doesn't treat "/" as a special symbol.
	targetParts := strings.Split(targetpath, "/")
	patternParts := strings.Split(pathpattern, "/")
	if len(targetParts) != len(patternParts) {
		return false
	}
	// Every part in the pathpattern could include a glob pattern, that's why
	// each of the target and pathpattern parts should match.
	for i := 0; i < len(targetParts); i++ {
		if ok, _ := filepath.Match(patternParts[i], targetParts[i]); !ok {
			return false
		}
	}
	return true
}
```

If I'm reading this right, this helper is responsible for identifying if a delegation pattern matches a target path. However, it incorrectly says a pattern like foo/* does not match foo/bar/foobar.txt. The same pattern does correctly match foo/foobar.txt. This is because both the pattern and the target path are split into their components using the separator, and if they don't have the same number of components, the helper returns false.

See: https://go.dev/play/p/6Mswjm_fM-4

@adityasaky
Contributor Author

After a discussion with @rdimitrov, @trishankatdatadog, and @mnm678, this is not an issue but likely deserving of some further clarification in the docs and in the TUF spec. See: https://theupdateframework.github.io/specification/latest/index.html#file-formats-targets for a description of how patterns work.

I'm going to submit some updated text to the specification, but this issue can be closed. :)

@trishankatdatadog
Member

IOW, the current behaviour is intended to be a feature not a bug in TUF 🙂
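
An added example, not part of the original thread and not go-tuf's own code: a small check a delegation author could run to see which target paths a set of path patterns leaves uncovered under the component-wise matching discussed above. The names `matchesDelegation` and `uncovered` are hypothetical, the target list is constructed from the paths in the issue, and returning the `filepath.Match` error is a choice of this example.

```go
package main

import (
	"fmt"
	"path/filepath"
	"strings"
)

// matchesDelegation follows the component-wise matching quoted in the issue:
// equal numbers of "/"-separated parts, each matched with filepath.Match.
// Unlike the quoted helper, it returns the Match error (this example's choice).
func matchesDelegation(target, pattern string) (bool, error) {
	tParts, pParts := strings.Split(target, "/"), strings.Split(pattern, "/")
	if len(tParts) != len(pParts) {
		return false, nil
	}
	for i := range tParts {
		ok, err := filepath.Match(pParts[i], tParts[i])
		if err != nil || !ok {
			return false, err
		}
	}
	return true, nil
}

// uncovered returns the targets that no delegation pattern matches.
func uncovered(patterns, targets []string) ([]string, error) {
	var missing []string
	for _, t := range targets {
		covered := false
		for _, p := range patterns {
			ok, err := matchesDelegation(t, p)
			if err != nil {
				return nil, err
			}
			covered = covered || ok
		}
		if !covered {
			missing = append(missing, t)
		}
	}
	return missing, nil
}

func main() {
	// Constructed sample targets, using the paths from the issue.
	targets := []string{"foo/foobar.txt", "foo/bar/foobar.txt"}
	fmt.Println(uncovered([]string{"foo/*"}, targets))
	fmt.Println(uncovered([]string{"foo/*", "foo/*/*"}, targets))
}
```

With only `foo/*` delegated, `foo/bar/foobar.txt` is reported as uncovered; adding `foo/*/*` covers it, because each `*` matches within a single path component.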
