#1557 added check for encoded ':'s

jdaigneau5 · jdaigneau5 · commit 04c04252e7ff · 2025-10-22T13:14:36.000-04:00
diff --git a/src/controller/cve.controller/cve.middleware.js b/src/controller/cve.controller/cve.middleware.js
@@ -218,12 +218,20 @@ function purlValidateHelper (affected) {
     if (purlObj.version !== undefined) {
       throw new Error('The PURL version component is currently not supported by the CVE schema: ' + purlStr)
     }
+
+    // Check for versions within qualifiers
     if (purlObj.qualifiers !== undefined) {
       if (Object.keys(purlObj.qualifiers).includes('vers')) {
         throw new Error('PURL versions are currently not supported by the CVE schema: ' + purlStr)
       }
     }
 
+    // PackageURL does not properly prevent encoded ':', so check for that here
+    const encColon = /%3a/i
+    if (encColon.test(purlStr)) {
+      throw new Error('Percent-encoded colons are not allowed in a PURL: ' + purlStr)
+    }
+
     // PackageURL does not properly account for certain Subpath situations
     // so adding additional validation to account for them
     // Handles PURLs that include a # but no subpath
