PackageURL type not being validated

[benmss]

The PackageURL spec includes a list of requirements for a type to be considered valid:

• The package type is composed only of ASCII letters and numbers, '.', '+' and '-' (period, plus, and dash)

• The type cannot start with a number

Therefore, the following should not be possible:

PackageURL.from_string("pkg:111_^5/example")
PackageURL(type='111_^5', namespace=None, name='example', version=None, qualifiers={}, subpath=None)

Spec taken from: https://github.com/package-url/purl-spec/blob/master/PURL-SPECIFICATION.rst

[kdeldycke]

This issue is addressed by the #188 PR.

[armijnhemel]

related: #229

[armijnhemel]

This seems to be a much more structural problem, see #229 and #228 for more examples. Input validation is apparently difficult to do.

[pombredanne]

The library has been originally designed to be flexible when parsing. There is a separate set of validation methods (validate and validate_string)

[armijnhemel]

This one seems to have been fixed?

>>> packageurl.PackageURL.from_string("pkg:111_^5/example")
Traceback (most recent call last):
  File "<python-input-68>", line 1, in <module>
    packageurl.PackageURL.from_string("pkg:111_^5/example")
    ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^^^^^^^^
  File "/nix/store/v3mx6lav0f5w28qg1q1qzb52lmva7dbz-python3-3.13.12-env/lib/python3.13/site-packages/packageurl/__init__.py", line 603, in from_string
    raise ValueError(
        f"purl type must be composed only of ASCII letters and numbers, period, dash and underscore: {type_!r}."
    )
ValueError: purl type must be composed only of ASCII letters and numbers, period, dash and underscore: '111_^5'.