fix: don't encode ':' or '/' as part of the canonical representation

dwalluck · dwalluck · commit b6482d2bc0c1 · 2025-03-19T09:33:10.000-04:00
This makes the Java canonical representation match the majority of other implementations. Fixes package-url#122 Fixes package-url#92
diff --git a/src/main/java/com/github/packageurl/PackageURL.java b/src/main/java/com/github/packageurl/PackageURL.java
@@ -29,6 +29,7 @@
 import java.nio.ByteBuffer;
 import java.nio.charset.StandardCharsets;
 import java.util.Arrays;
+import java.util.BitSet;
 import java.util.Collections;
 import java.util.Map;
 import java.util.Objects;
@@ -60,6 +61,93 @@ public final class PackageURL implements Serializable {
 
     private static final char PERCENT_CHAR = '%';
 
+    private static final int NBITS = 128;
+
+    private static final BitSet DIGIT = new BitSet(NBITS);
+
+    static {
+        for (int i = '0'; i <= '9'; i++) {
+            DIGIT.set(i);
+        }
+    }
+
+    private static final BitSet LOWER = new BitSet(NBITS);
+
+    static {
+        for (int i = 'a'; i <= 'z'; i++) {
+            LOWER.set(i);
+        }
+    }
+
+    private static final BitSet UPPER = new BitSet(NBITS);
+
+    static {
+        for (int i = 'A'; i <= 'Z'; i++) {
+            UPPER.set(i);
+        }
+    }
+
+    private static final BitSet ALPHA = new BitSet(NBITS);
+
+    static {
+        ALPHA.or(LOWER);
+        ALPHA.or(UPPER);
+    }
+
+    private static final BitSet ALPHA_DIGIT = new BitSet(NBITS);
+
+    static {
+        ALPHA_DIGIT.or(ALPHA);
+        ALPHA_DIGIT.or(DIGIT);
+    }
+
+    private static final BitSet UNRESERVED = new BitSet(NBITS);
+
+    static {
+        UNRESERVED.or(ALPHA_DIGIT);
+        UNRESERVED.set('-');
+        UNRESERVED.set('.');
+        UNRESERVED.set('_');
+        UNRESERVED.set('~');
+    }
+
+    private static final BitSet SUB_DELIMS = new BitSet(NBITS);
+
+    static {
+        SUB_DELIMS.set('!');
+        SUB_DELIMS.set('$');
+        SUB_DELIMS.set('&');
+        SUB_DELIMS.set('\'');
+        SUB_DELIMS.set('(');
+        SUB_DELIMS.set(')');
+        SUB_DELIMS.set('*');
+        SUB_DELIMS.set('+');
+        SUB_DELIMS.set(',');
+        SUB_DELIMS.set(';');
+        SUB_DELIMS.set('=');
+    }
+
+    private static final BitSet PCHAR = new BitSet(NBITS);
+
+    static {
+        PCHAR.or(UNRESERVED);
+        PCHAR.or(SUB_DELIMS);
+        PCHAR.set(':');
+        // PCHAR.set('@'); Always encode '@' in the path due to version
+    }
+
+    private static final BitSet QUERY = new BitSet(NBITS);
+
+    static {
+        QUERY.or(PCHAR);
+        QUERY.set('/');
+        // QUERY.set('?');
+        QUERY.clear('&');
+        QUERY.clear('=');
+    }
+
+    private static final BitSet FRAGMENT = QUERY;
+
     /**
      * Constructs a new PackageURL object by parsing the specified string.
      *
@@ -498,12 +586,12 @@ private String canonicalize(boolean coordinatesOnly) {
         final StringBuilder purl = new StringBuilder();
         purl.append(SCHEME_PART).append(type).append('/');
         if (namespace != null) {
-            purl.append(encodePath(namespace));
+            purl.append(encodePath(namespace, PCHAR));
             purl.append('/');
         }
-        purl.append(percentEncode(name));
+        purl.append(percentEncode(name, PCHAR));
         if (version != null) {
-            purl.append('@').append(percentEncode(version));
+            purl.append('@').append(percentEncode(version, PCHAR));
         }
 
         if (!coordinatesOnly) {
@@ -517,23 +605,27 @@ private String canonicalize(boolean coordinatesOnly) {
                     }
                     purl.append(entry.getKey());
                     purl.append('=');
-                    purl.append(percentEncode(entry.getValue()));
+                    purl.append(percentEncode(entry.getValue(), QUERY));
                     separator = true;
                 }
             }
             if (subpath != null) {
-                purl.append('#').append(encodePath(subpath));
+                purl.append('#').append(encodePath(subpath, FRAGMENT));
             }
         }
         return purl.toString();
     }
 
-    private static boolean isUnreserved(int c) {
-        return (isValidCharForKey(c) || c == '~');
+    private static boolean isUnreserved(int c, BitSet safe) {
+        if (c < 0 || c >= NBITS) {
+            return false;
+        }
+
+        return safe.get(c);
     }
 
-    private static boolean shouldEncode(int c) {
-        return !isUnreserved(c);
+    private static boolean shouldEncode(int c, BitSet safe) {
+        return !isUnreserved(c, safe);
     }
 
     private static boolean isAlpha(int c) {
@@ -598,14 +690,14 @@ private static int indexOfPercentChar(final byte[] bytes, final int start) {
                 .orElse(-1);
     }
 
-    private static int indexOfUnsafeChar(final byte[] bytes, final int start) {
+    private static int indexOfUnsafeChar(final byte[] bytes, final int start, BitSet safe) {
         return IntStream.range(start, bytes.length)
-                .filter(i -> shouldEncode(bytes[i]))
+                .filter(i -> shouldEncode(bytes[i], safe))
                 .findFirst()
                 .orElse(-1);
     }
 
-    private static byte percentDecode(final byte[] bytes, final int start) {
+    static byte percentDecode(final byte[] bytes, final int start) {
         if (start + 2 >= bytes.length) {
             throw new ValidationException("Incomplete percent encoding at offset " + start + " with value '"
                     + new String(bytes, start, bytes.length - start, StandardCharsets.UTF_8) + "'");
@@ -638,15 +730,15 @@ public static String percentDecode(final String source) {
         }
 
         byte[] bytes = source.getBytes(StandardCharsets.UTF_8);
-
-        int off = 0;
-        int idx = indexOfPercentChar(bytes, off);
+        int idx = indexOfPercentChar(bytes, 0);
 
         if (idx == -1) {
             return source;
         }
 
+        int off = idx;
         ByteBuffer buffer = ByteBuffer.wrap(bytes);
+        buffer.position(off);
 
         while (true) {
             int len = idx - off;
@@ -690,14 +782,18 @@ private static byte[] percentEncode(byte b) {
     }
 
     public static String percentEncode(final String source) {
+        return percentEncode(source, UNRESERVED);
+    }
+
+    private static String percentEncode(final String source, final BitSet safe) {
         if (source.isEmpty()) {
             return source;
         }
 
         byte[] bytes = source.getBytes(StandardCharsets.UTF_8);
 
         int off = 0;
-        int idx = indexOfUnsafeChar(bytes, off);
+        int idx = indexOfUnsafeChar(bytes, off, safe);
 
         if (idx == -1) {
             return source;
@@ -714,7 +810,7 @@ public static String percentEncode(final String source) {
             }
 
             buffer.put(percentEncode(bytes[off++]));
-            idx = indexOfUnsafeChar(bytes, off);
+            idx = indexOfUnsafeChar(bytes, off, safe);
 
             if (idx == -1) {
                 int rem = bytes.length - off;
@@ -883,8 +979,10 @@ private String[] parsePath(final String path, final boolean isSubpath) {
                 .toArray(String[]::new);
     }
 
-    private String encodePath(final String path) {
-        return Arrays.stream(path.split("/")).map(PackageURL::percentEncode).collect(Collectors.joining("/"));
+    private String encodePath(final String path, BitSet safe) {
+        return Arrays.stream(path.split("/"))
+                .map(source -> percentEncode(source, safe))
+                .collect(Collectors.joining("/"));
     }
 
     /**
diff --git a/src/test/resources/test-suite-data.json b/src/test/resources/test-suite-data.json
@@ -86,7 +86,7 @@
   {
     "description": "docker uses qualifiers and hash image id as versions",
     "purl": "pkg:docker/customer/dockerimage@sha256:244fd47e07d1004f0aed9c?repository_url=gcr.io",
-    "canonical_purl": "pkg:docker/customer/dockerimage@sha256%3A244fd47e07d1004f0aed9c?repository_url=gcr.io",
+    "canonical_purl": "pkg:docker/customer/dockerimage@sha256:244fd47e07d1004f0aed9c?repository_url=gcr.io",
     "type": "docker",
     "namespace": "customer",
     "name": "dockerimage",
@@ -110,7 +110,7 @@
   {
     "description": "maven often uses qualifiers",
     "purl": "pkg:Maven/org.apache.xmlgraphics/batik-anim@1.9.1?repositorY_url=repo.spring.io/release&classifier=sources",
-    "canonical_purl": "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?classifier=sources&repository_url=repo.spring.io%2Frelease",
+    "canonical_purl": "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?classifier=sources&repository_url=repo.spring.io/release",
     "type": "maven",
     "namespace": "org.apache.xmlgraphics",
     "name": "batik-anim",
@@ -122,7 +122,7 @@
   {
     "description": "maven pom reference",
     "purl": "pkg:Maven/org.apache.xmlgraphics/batik-anim@1.9.1?repositorY_url=repo.spring.io/release&extension=pom",
-    "canonical_purl": "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?extension=pom&repository_url=repo.spring.io%2Frelease",
+    "canonical_purl": "pkg:maven/org.apache.xmlgraphics/batik-anim@1.9.1?extension=pom&repository_url=repo.spring.io/release",
     "type": "maven",
     "namespace": "org.apache.xmlgraphics",
     "name": "batik-anim",
@@ -314,7 +314,7 @@
   {
     "description": "valid debian purl containing a plus in the name and version",
     "purl": "pkg:deb/debian/g++-10@10.2.1+6",
-    "canonical_purl": "pkg:deb/debian/g%2B%2B-10@10.2.1%2B6",
+    "canonical_purl": "pkg:deb/debian/g++-10@10.2.1+6",
     "type": "deb",
     "namespace": "debian",
     "name": "g++-10",
