Description
NetBox version
v4.5.5
Feature type
Change to existing functionality
Proposed functionality
The EnhancedURLValidator currently uses \S+(?:\S*)? for matching HTTP basic authentication in URLs. This is more permissive than Django's upstream URLValidator, which uses [^\s:@/]+(?::[^\s:@/]*)? (explicitly excluding :, @, and / from the user and password segments).
I'd like to propose aligning NetBox's auth regex with Django's stricter pattern to prevent ambiguous or malformed URLs from passing validation.
Specifically, in netbox/utilities/validators.py:
# Current
r'(?:\S+(?:\S*)?@)?'
# Proposed
r'(?:[^\s:@/]+(?::[^\s:@/]*)?@)?'
Since this tightens what's considered valid, some previously accepted URLs with unusual characters in the auth portion would be rejected. This makes it a breaking change best suited for a minor release.
Use case
The current permissive pattern can match URLs that are technically malformed, for example URLs where :, @, or / appear unexpectedly in the credentials portion. Aligning with Django's pattern improves input validation reliability and reduces the chance of downstream issues when URLs are parsed by other tools or libraries.
Database changes
None.
External dependencies
None.
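An added example, not part of the issue or of NetBox's code: a regression check that runs the two auth segments quoted above over constructed URLs and compares the host the current pattern captures with the one `urllib.parse` reports. The scheme, host, port and path parts of the pattern, the helper names and the sample URLs are assumptions made for the illustration.

```python
import re
from urllib.parse import urlsplit

# Auth segments exactly as quoted in the issue.
CURRENT_AUTH = r'(?:\S+(?:\S*)?@)?'
PROPOSED_AUTH = r'(?:[^\s:@/]+(?::[^\s:@/]*)?@)?'


def build_url_re(auth):
    # Assumption: everything except the auth segment is a reduced stand-in,
    # not the pattern used in netbox/utilities/validators.py.
    return re.compile(
        r'^[a-z][a-z0-9+.-]*://'
        + auth +
        r'(?P<host>(?:[a-z0-9-]+\.)+[a-z]{2,})'  # dotted hostname only
        r'(?::\d{1,5})?'                          # optional port
        r'(?:[/?#]\S*)?$',                        # optional path/query/fragment
        re.IGNORECASE,
    )


CURRENT_RE = build_url_re(CURRENT_AUTH)
PROPOSED_RE = build_url_re(PROPOSED_AUTH)


def check(url):
    """Return (current_ok, proposed_ok, host_agrees); host_agrees compares the
    host the current pattern captured with urllib.parse's, None if rejected."""
    cur = CURRENT_RE.match(url)
    new = PROPOSED_RE.match(url)
    agrees = None
    if cur:
        agrees = cur.group('host').lower() == (urlsplit(url).hostname or '')
    return bool(cur), bool(new), agrees


# Constructed sample URLs; the example.com names are placeholders.
SAMPLES = [
    'https://netbox.example.com/api/',
    'https://user:secret@netbox.example.com/api/',
    'https://a@b@netbox.example.com/',
    'https://a:b:c@netbox.example.com/',
    'https://a/b@netbox.example.com/',
]

if __name__ == '__main__':
    for url in SAMPLES:
        print(url, check(url))
```

The last sample is the case where the permissive pattern and the parser disagree on the host; the proposed pattern rejects it together with the other two malformed samples.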