fix: make sure relative paths are checked correctly

bfabio · bfabio · commit 2a5c386345b7 · 2025-09-04T17:43:49.000+02:00
logo, monochromeLogo, authorsFile and screenshots are supposed to
be either relative paths or HTTP URLs.
diff --git a/fields.go b/fields.go
@@ -3,6 +3,7 @@ package publiccode
 import (
 	"fmt"
 	"net/url"
+	"strings"
 
 	"github.com/alranel/go-vcsurl/v2"
 	urlutil "github.com/italia/publiccode-parser-go/v4/internal"
@@ -47,26 +48,32 @@ func validateFieldsV0(publiccode PublicCode, parser Parser, network bool) error
 	}
 
 	if publiccodev0.Logo != "" {
-		if validLogo, err := parser.validLogo(toCodeHostingURL(publiccodev0.Logo, parser.baseURL), network); !validLogo {
+		if _, err := isRelativePathOrURL(publiccodev0.Logo, "logo"); err != nil {
+			vr = append(vr, err)
+		} else if validLogo, err := parser.validLogo(toCodeHostingURL(publiccodev0.Logo, parser.baseURL), network); !validLogo {
 			vr = append(vr, newValidationError("logo", err.Error()))
 		}
 	}
 
 	if publiccodev0.MonochromeLogo != "" {
 		vr = append(vr, ValidationWarning{"monochromeLogo", "This key is DEPRECATED and will be removed in the future", 0, 0})
 
-		if validLogo, err := parser.validLogo(toCodeHostingURL(publiccodev0.MonochromeLogo, parser.baseURL), network); !validLogo {
+		if _, err := isRelativePathOrURL(publiccodev0.MonochromeLogo, "monochromeLogo"); err != nil {
+			vr = append(vr, err)
+		} else if validLogo, err := parser.validLogo(toCodeHostingURL(publiccodev0.MonochromeLogo, parser.baseURL), network); !validLogo {
 			vr = append(vr, newValidationError("monochromeLogo", err.Error()))
 		}
 	}
 
 	if publiccodev0.Legal.AuthorsFile != nil {
 		vr = append(vr, ValidationWarning{"legal.authorsFile", "This key is DEPRECATED and will be removed in the future", 0, 0})
 
-		if !parser.fileExists(toCodeHostingURL(*publiccodev0.Legal.AuthorsFile, parser.baseURL), network) {
+		if _, err := isRelativePathOrURL(*publiccodev0.Legal.AuthorsFile, "legal.authorsFile"); err != nil {
+			vr = append(vr, err)
+		} else if exists, err := parser.fileExists(toCodeHostingURL(*publiccodev0.Legal.AuthorsFile, parser.baseURL), network); !exists {
 			u := toCodeHostingURL(*publiccodev0.Legal.AuthorsFile, parser.baseURL)
 
-			vr = append(vr, newValidationError("legal.authorsFile", "'%s' does not exist", urlutil.DisplayURL(&u)))
+			vr = append(vr, newValidationError("legal.authorsFile", "'%s' does not exist: %s", urlutil.DisplayURL(&u), err.Error()))
 		}
 	}
 
@@ -109,9 +116,12 @@ func validateFieldsV0(publiccode PublicCode, parser Parser, network bool) error
 		}
 
 		for i, v := range desc.Screenshots {
-			if isImage, err := parser.isImageFile(toCodeHostingURL(v, parser.baseURL), network); !isImage {
+			keyName := fmt.Sprintf("description.%s.screenshots[%d]", lang, i)
+			if _, err := isRelativePathOrURL(v, keyName); err != nil {
+				vr = append(vr, err)
+			} else if isImage, err := parser.isImageFile(toCodeHostingURL(v, parser.baseURL), network); !isImage {
 				vr = append(vr, newValidationError(
-					fmt.Sprintf("description.%s.screenshots[%d]", lang, i),
+					keyName,
 					"'%s' is not an image: %s", v, err.Error(),
 				))
 			}
@@ -134,3 +144,19 @@ func validateFieldsV0(publiccode PublicCode, parser Parser, network bool) error
 
 	return vr
 }
+
+// isRelativePathOrURL checks whether the field contains either a relative filename
+// or an HTTP URL
+//
+//nolint:unparam
+func isRelativePathOrURL(content string, keyName string) (bool, error) {
+	if strings.HasPrefix(content, "/") {
+		return false, newValidationError(keyName, "is an absolute path. Only relative paths or HTTP(s) URLs allowed")
+	}
+
+	if strings.HasPrefix(content, "file:") {
+		return false, newValidationError(keyName, "is a file:// URL. Only relative paths or HTTP(s) URLs allowed")
+	}
+
+	return true, nil
+}
diff --git a/parser_test.go b/parser_test.go
@@ -250,7 +250,19 @@ func TestInvalidTestcasesV0(t *testing.T) {
 			ValidationError{"logo", "invalid file extension for: https://raw.githubusercontent.com/italia/developers.italia.it/main/logo.mpg", 18, 1},
 		},
 		"logo_missing_file.yml": ValidationResults{
-			ValidationError{"logo", "no such file: https://raw.githubusercontent.com/italia/developers.italia.it/main/no_such_file.png", 18, 1},
+			ValidationError{"logo", "HTTP GET failed for https://raw.githubusercontent.com/italia/developers.italia.it/main/no_such_file.png: not found", 18, 1},
+		},
+		"logo_absolute_path.yml": ValidationResults{
+			ValidationError{"logo", "is an absolute path. Only relative paths or HTTP(s) URLs allowed", 18, 1},
+		},
+		"logo_file_scheme.yml": ValidationResults{
+			ValidationError{"logo", "is a file:// URL. Only relative paths or HTTP(s) URLs allowed", 18, 1},
+		},
+		"logo_file_scheme2.yml": ValidationResults{
+			ValidationError{"logo", "is a file:// URL. Only relative paths or HTTP(s) URLs allowed", 18, 1},
+		},
+		"logo_file_scheme3.yml": ValidationResults{
+			ValidationError{"logo", "is a file:// URL. Only relative paths or HTTP(s) URLs allowed", 18, 1},
 		},
 
 		// monochromeLogo
@@ -268,7 +280,7 @@ func TestInvalidTestcasesV0(t *testing.T) {
 		},
 		"monochromeLogo_missing_file.yml": ValidationResults{
 			ValidationWarning{"monochromeLogo", "This key is DEPRECATED and will be removed in the future", 18, 1},
-			ValidationError{"monochromeLogo", "no such file: https://raw.githubusercontent.com/italia/developers.italia.it/main/no_such_file.png", 18, 1},
+			ValidationError{"monochromeLogo", "HTTP GET failed for https://raw.githubusercontent.com/italia/developers.italia.it/main/no_such_file.png: not found", 18, 1},
 		},
 
 		// inputTypes
@@ -427,7 +439,7 @@ func TestInvalidTestcasesV0(t *testing.T) {
 		"description_en_screenshots_missing_file.yml": ValidationResults{
 			ValidationError{
 				"description.en.screenshots[0]",
-				"'no_such_file.png' is not an image: no such file : https://raw.githubusercontent.com/italia/developers.italia.it/main/no_such_file.png",
+				"'no_such_file.png' is not an image: HTTP GET failed for https://raw.githubusercontent.com/italia/developers.italia.it/main/no_such_file.png: not found",
 				20,
 				5,
 			},
@@ -463,7 +475,7 @@ func TestInvalidTestcasesV0(t *testing.T) {
 			},
 			ValidationError{
 				"legal.authorsFile",
-				"'https://raw.githubusercontent.com/italia/developers.italia.it/main/no_such_authors_file.txt' does not exist",
+				"'https://raw.githubusercontent.com/italia/developers.italia.it/main/no_such_authors_file.txt' does not exist: HTTP GET failed for https://raw.githubusercontent.com/italia/developers.italia.it/main/no_such_authors_file.txt: not found",
 				42,
 				3,
 			},
diff --git a/testdata/v0/invalid/logo_absolute_path.yml b/testdata/v0/invalid/logo_absolute_path.yml
@@ -0,0 +1,54 @@
+publiccodeYmlVersion: "0.4"
+
+name: Medusa
+url: "https://github.com/italia/developers.italia.it.git"
+releaseDate: "2017-04-15"
+
+platforms:
+  - web
+
+categories:
+  - cloud-management
+
+developmentStatus: development
+
+softwareType: "standalone/other"
+
+# Should NOT validate: it's an absolute path. logo must be either an HTTP URL or a relative path
+logo: "/logo.png"
+
+description:
+  en:
+    localisedName: Medusa
+    shortDescription: >
+      A rather short description which
+      is probably useless
+    longDescription: >
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 158 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 316 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 474 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 632 characters.
+    features:
+      - Just one feature
+
+legal:
+  license: AGPL-3.0-or-later
+
+maintenance:
+  type: "community"
+
+  contacts:
+    - name: Francesco Rossi
+
+localisation:
+  localisationReady: true
+  availableLanguages:
+    - en
diff --git a/testdata/v0/invalid/logo_file_scheme.yml b/testdata/v0/invalid/logo_file_scheme.yml
@@ -0,0 +1,54 @@
+publiccodeYmlVersion: "0.4"
+
+name: Medusa
+url: "https://github.com/italia/developers.italia.it.git"
+releaseDate: "2017-04-15"
+
+platforms:
+  - web
+
+categories:
+  - cloud-management
+
+developmentStatus: development
+
+softwareType: "standalone/other"
+
+# Should NOT validate: it has a "file:" scheme. logo must be either an HTTP URL or a relative path
+logo: "file:///logo.png"
+
+description:
+  en:
+    localisedName: Medusa
+    shortDescription: >
+      A rather short description which
+      is probably useless
+    longDescription: >
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 158 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 316 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 474 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 632 characters.
+    features:
+      - Just one feature
+
+legal:
+  license: AGPL-3.0-or-later
+
+maintenance:
+  type: "community"
+
+  contacts:
+    - name: Francesco Rossi
+
+localisation:
+  localisationReady: true
+  availableLanguages:
+    - en
diff --git a/testdata/v0/invalid/logo_file_scheme2.yml b/testdata/v0/invalid/logo_file_scheme2.yml
@@ -0,0 +1,54 @@
+publiccodeYmlVersion: "0.4"
+
+name: Medusa
+url: "https://github.com/italia/developers.italia.it.git"
+releaseDate: "2017-04-15"
+
+platforms:
+  - web
+
+categories:
+  - cloud-management
+
+developmentStatus: development
+
+softwareType: "standalone/other"
+
+# Should NOT validate: it has a (invalid) "file:" scheme. logo must be either an HTTP URL or a relative path
+logo: "file://logo.png"
+
+description:
+  en:
+    localisedName: Medusa
+    shortDescription: >
+      A rather short description which
+      is probably useless
+    longDescription: >
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 158 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 316 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 474 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 632 characters.
+    features:
+      - Just one feature
+
+legal:
+  license: AGPL-3.0-or-later
+
+maintenance:
+  type: "community"
+
+  contacts:
+    - name: Francesco Rossi
+
+localisation:
+  localisationReady: true
+  availableLanguages:
+    - en
diff --git a/testdata/v0/invalid/logo_file_scheme3.yml b/testdata/v0/invalid/logo_file_scheme3.yml
@@ -0,0 +1,54 @@
+publiccodeYmlVersion: "0.4"
+
+name: Medusa
+url: "https://github.com/italia/developers.italia.it.git"
+releaseDate: "2017-04-15"
+
+platforms:
+  - web
+
+categories:
+  - cloud-management
+
+developmentStatus: development
+
+softwareType: "standalone/other"
+
+# Should NOT validate: it has a (invalid) "file:" scheme. logo must be either an HTTP URL or a relative path
+logo: "file:/logo.png"
+
+description:
+  en:
+    localisedName: Medusa
+    shortDescription: >
+      A rather short description which
+      is probably useless
+    longDescription: >
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 158 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 316 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 474 characters.
+      Very long description of this software, also split
+      on multiple rows. You should note what the software
+      is and why one should need it. This is 632 characters.
+    features:
+      - Just one feature
+
+legal:
+  license: AGPL-3.0-or-later
+
+maintenance:
+  type: "community"
+
+  contacts:
+    - name: Francesco Rossi
+
+localisation:
+  localisationReady: true
+  availableLanguages:
+    - en
diff --git a/validations.go b/validations.go
