Copilot commented on code in PR #2584:
URL: https://github.com/apache/groovy/pull/2584#discussion_r3346760211
##########
subprojects/groovy-grape-ivy/src/test/groovy/groovy/grape/ivy/GrapeIvyTest.groovy:
##########
@@ -426,6 +426,24 @@ final class GrapeIvyTest {
assert ex.message.contains('should not contain any of')
}
+ @Test
+ void testInvalidVersionDotDot() {
+ def ex = shouldFail '''
+ groovy.grape.Grape.grab(group: 'org.ejml', module: 'ejml-simple',
version: '..')
+ '''
+ assert ex.message.contains('for version')
+ assert ex.message.contains("should not contain '..'")
+ }
+
+ @Test
+ void testInvalidGroupDotDot() {
+ def ex = shouldFail '''
+ groovy.grape.Grape.grab(group: '..', module: 'ejml-simple',
version: '0.41')
+ '''
+ assert ex.message.contains('for group')
+ assert ex.message.contains("should not contain '..'")
+ }
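Review bot: both new tests exercise only a value that is exactly '..'; neither checks that a '..' embedded in an otherwise allowed value (for example version: '0.41..0' or module: 'ejml..simple') is rejected, even though the asserted message text ("should not contain '..'") describes a substring check. Adding one embedded case per coordinate key, plus a `module: '..'` case alongside the version and group ones, would pin down that the check is a contains check applied to every key rather than an exact-match on version and group only.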
Review Comment:
The new '..' validation applies to all coordinate components (including
`module`), but the added tests only cover `version` and `group`. Adding a
`module: '..'` regression test would better lock in the intended behavior and
prevent future refactors from accidentally limiting the check to only
version/group keys.
##########
subprojects/groovy-grape-maven/src/main/groovy/groovy/grape/maven/GrapeMaven.groovy:
##########
@@ -586,6 +586,9 @@ class GrapeMaven implements GrapeEngine {
throw new RuntimeException("Grab: invalid value of
'$v' for $k: should only contain - . _ a-z A-Z 0-9")
}
}
+ if (v.toString().contains('..')) {
+ throw new RuntimeException("Grab: invalid value of '$v'
for $k: should not contain '..'")
+ }
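Review bot: the new `contains('..')` check sits after the character allowlist, which admits '.', so a value that is exactly '.' (or one that begins or ends with '.') still passes both checks although it is not a usable coordinate component either; consider also rejecting a leading or trailing '.', or tightening the allowlist so '.' may only appear between alphanumerics. The two error messages also differ in shape ("should only contain - . _ a-z A-Z 0-9" vs "should not contain '..'"); folding both conditions into one validator shared by the Ivy and Maven engines would keep the two code paths from drifting apart.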
Review Comment:
`GrapeMaven.createGrabRecord` now rejects values containing '..', but there
is no Maven-engine regression test ensuring `group`/`module`/`version` dot-dot
values are rejected. Since Grape has two engines (Ivy and Maven) and this check
is security-relevant, it would be good to add an equivalent test in the
groovy-grape-maven test suite (e.g., in `GrapeMavenTest`).
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]