softwareRequirements: Validate values are URL + make isUrl stricter

progval · progval · commit 020eb89e4e37 · 2024-10-25T19:12:07.000+02:00
Without this check, users would be allowed to write free text even though Codemeta
forbids it.

We only noticed this when jsonld.js started rewriting 'foo: bar' to ' bar' because
it was parsing 'foo:' as an invalid URI scheme and stripping it.
diff --git a/cypress/integration/special_fields.js b/cypress/integration/special_fields.js
@@ -1,5 +1,5 @@
 /**
- * Copyright (C) 2020  The Software Heritage developers
+ * Copyright (C) 2020-2024  The Software Heritage developers
  * See the AUTHORS file at the top-level directory of this distribution
  * License: GNU Affero General Public License version 3, or any later version
  * See top-level LICENSE file for more information
@@ -10,6 +10,7 @@
  */
 
 "use strict";
+
 describe('Funder id', function() {
     it('can be exported', function() {
         cy.get('#name').type('My Test Software');
@@ -88,3 +89,91 @@ describe('Funder name', function() {
     });
 });
 
+describe('Software requirements', function() {
+    it('can be exported as multiple values', function() {
+        cy.get('#name').type('My Test Software');
+
+        cy.get('#softwareRequirements').type('https://www.gtk.org\nhttps://github.com/anholt/libepoxy\nhttps://github.com/GNOME/libxml2');
+
+        cy.get('#generateCodemetaV2').click();
+
+        cy.get('#errorMessage').should('have.text', '');
+        cy.get('#codemetaText').then((elem) => JSON.parse(elem.text()))
+            .should('deep.equal', {
+                "@context": "https://doi.org/10.5063/schema/codemeta-2.0",
+                "type": "SoftwareSourceCode",
+                "name": "My Test Software",
+                "softwareRequirements": [
+                    "https://www.gtk.org",
+                    "https://github.com/anholt/libepoxy",
+                    "https://github.com/GNOME/libxml2",
+                ]
+            });
+    });
+
+    it('can be imported from multiple values', function() {
+        cy.get('#codemetaText').then((elem) =>
+            elem.text(JSON.stringify({
+                "@context": "https://doi.org/10.5063/schema/codemeta-2.0",
+                "@type": "SoftwareSourceCode",
+                "name": "My Test Software",
+                "softwareRequirements": [
+                    "https://www.gtk.org",
+                    "https://github.com/anholt/libepoxy",
+                    "https://github.com/GNOME/libxml2",
+                ]
+            }))
+        );
+        cy.get('#importCodemeta').click();
+
+        cy.get('#softwareRequirements').should('have.value', 'https://www.gtk.org\nhttps://github.com/anholt/libepoxy\nhttps://github.com/GNOME/libxml2');
+    });
+
+    it('can be exported to a single URI', function() {
+        cy.get('#name').type('My Test Software');
+
+        cy.get('#softwareRequirements').type('https://github.com/GNOME/libxml2');
+
+        cy.get('#generateCodemetaV2').click();
+
+        cy.get('#errorMessage').should('have.text', '');
+        cy.get('#codemetaText').then((elem) => JSON.parse(elem.text()))
+            .should('deep.equal', {
+                "@context": "https://doi.org/10.5063/schema/codemeta-2.0",
+                "type": "SoftwareSourceCode",
+                "name": "My Test Software",
+                "softwareRequirements": "https://github.com/GNOME/libxml2",
+            });
+    });
+
+    it('can be imported from a single URI', function() {
+        cy.get('#codemetaText').then((elem) =>
+            elem.text(JSON.stringify({
+                "@context": "https://doi.org/10.5063/schema/codemeta-2.0",
+                "@type": "SoftwareSourceCode",
+                "name": "My Test Software",
+                "softwareRequirements": "https://github.com/GNOME/libxml2",
+            }))
+        );
+        cy.get('#importCodemeta').click();
+
+        cy.get('#softwareRequirements').should('have.value', 'https://github.com/GNOME/libxml2');
+    });
+
+    it('cannot be exported as text', function() {
+        cy.get('#name').type('My Test Software');
+
+        cy.get('#softwareRequirements').type('libxml2');
+
+        cy.get('#generateCodemetaV2').click();
+
+        cy.get('#errorMessage').should('have.text', 'Invalid URL in field "softwareRequirements": "libxml2"');
+        cy.get('#codemetaText').then((elem) => JSON.parse(elem.text()))
+            .should('deep.equal', {
+                "@context": "https://doi.org/10.5063/schema/codemeta-2.0",
+                "type": "SoftwareSourceCode",
+                "name": "My Test Software",
+                "softwareRequirements": [],
+            });
+    });
+});
diff --git a/index.html b/index.html
@@ -204,7 +204,7 @@ <h1>CodeMeta generator v3.0</h1>
                 <textarea rows="4" cols="50"
                     name="softwareRequirements" id="softwareRequirements"
                     placeholder=
-"Python 3.4
+"https://www.python.org/downloads/release/python-3130/
 https://github.com/psf/requests"></textarea>
         </fieldset>
 
diff --git a/js/codemeta_generation.js b/js/codemeta_generation.js
@@ -98,12 +98,14 @@ const directCodemetaFields = [
     'referencePublication'
 ];
 
+// Tuples of codemeta property, character joining/splitting items in a textarea, and optionally
+// post-processing for deserialization and pre-processing for deserialization
 const splittedCodemetaFields = [
     ['keywords', ','],
     ['programmingLanguage', ','],
     ['runtimePlatform', ','],
     ['operatingSystem', ','],
-    ['softwareRequirements', '\n'],
+    ['softwareRequirements', '\n', generateUri, importUri],
     ['relatedLink', '\n'],
 ]
 
@@ -136,6 +138,17 @@ function generateBlankNodeId(customId) {
     return `_:${customId}`;
 }
 
+// Unambiguously converts a free-form text field that might be a URI or actual free text
+// in JSON-LD
+function generateUri(fieldName, text) {
+    if (isUrl(text)) {
+        return {"@id": text};
+    } else {
+        setError(`Invalid URL in field "${fieldName}": "${text}"`);
+        return undefined;
+    }
+}
+
 function generateShortOrg(fieldName) {
     var affiliation = getIfSet(fieldName);
     if (affiliation !== undefined) {
@@ -246,9 +259,15 @@ async function buildExpandedDocWithAllContexts() {
     splittedCodemetaFields.forEach(function (item, index) {
         const id = item[0];
         const separator = item[1];
-        const value = getIfSet('#' + id);
+        const serializer = item[2];
+        const deserializer = item[3];
+        let value = getIfSet('#' + id);
         if (value !== undefined) {
-            doc[id] = value.split(separator).map(trimSpaces);
+            value = value.split(separator).map(trimSpaces);
+            if (serializer !== undefined) {
+                value = value.map((item) => serializer(id, item));
+            }
+            doc[id] = value;
         }
     });
 
@@ -275,6 +294,8 @@ async function generateCodemeta(codemetaVersion = "2.0") {
     var inputForm = document.querySelector('#inputForm');
     var codemetaText, errorHTML;
 
+    setError();
+
     if (inputForm.checkValidity()) {
         // Expand document with all contexts before compacting
         // to allow generating property from any context
@@ -285,12 +306,11 @@ async function generateCodemeta(codemetaVersion = "2.0") {
     }
     else {
         codemetaText = "";
-        errorHTML = "invalid input (see error above)";
+        setError("invalid input (see error above)");
         inputForm.reportValidity();
     }
 
     document.querySelector('#codemetaText').innerText = codemetaText;
-    setError(errorHTML);
 
 
     // Run validator on the exported value, for extra validation.
@@ -307,6 +327,11 @@ async function generateCodemeta(codemetaVersion = "2.0") {
     }
 }
 
+// Imports a field that can be either URI or free-form text into a free-form text field
+function importUri(fieldName, doc) {
+    return doc;
+}
+
 // Imports a single field (name or @id) from an Organization.
 function importShortOrg(fieldName, doc) {
     if (doc !== undefined) {
@@ -433,10 +458,19 @@ async function importCodemeta() {
     splittedCodemetaFields.forEach(function (item, index) {
         const id = item[0];
         const separator = item[1];
+        const serializer = item[2];
+        const deserializer = item[3];
         let value = doc[id];
         if (value !== undefined) {
             if (Array.isArray(value)) {
+                if (deserializer !== undefined) {
+                    value = value.map((item) => deserializer(id, item));
+                }
                 value = value.join(separator);
+            } else {
+                if (deserializer !== undefined) {
+                    value = deserializer(id, value);
+                }
             }
             setIfDefined('#' + id, value);
         }
diff --git a/js/utils.js b/js/utils.js
@@ -28,7 +28,11 @@ function trimSpaces(s) {
 // From https://stackoverflow.com/a/43467144
 function isUrl(s) {
     try {
-        new URL(s);
+        const url = new URL(s);
+        if (url.origin == "null") {
+            // forbids "foo: bar" as a URL, for example
+            return false;
+        }
         return true;
     } catch (e) {
         return false;
diff --git a/js/validation/things.js b/js/validation/things.js
@@ -217,7 +217,7 @@ var softwareFieldValidators = {
     "processorRequirements": validateTexts,
     "releaseNotes": validateTextsOrUrls,
     "softwareHelp": validateCreativeWorks,
-    "softwareRequirements": noValidation, // TODO: validate SoftwareSourceCode
+    "softwareRequirements": validateUrls,
     "softwareVersion": validateText, // TODO?
     "storageRequirements": validateTextsOrUrls,
     "supportingData": noValidation, // TODO
