(fullURL string)
| 94 | } |
| 95 | |
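// validateMCPBUrl reports whether fullURL is an acceptable download location
// for an MCPB package. It returns nil only when the URL parses, uses the
// https scheme, names an allowlisted host, and has a path that the host's
// release-asset check accepts. Otherwise it returns an error describing the
// first rule that failed.
//
// The host is compared against parsedURL.Host, which includes any explicit
// port, so a URL such as "https://github.com:443/..." is rejected rather than
// normalised.
func validateMCPBUrl(fullURL string) error {
	parsedURL, err := url.Parse(fullURL)
	if err != nil {
		return fmt.Errorf("invalid MCPB package URL: %w", err)
	}

	// The host allowlist alone says nothing about transport: without this
	// check "http://github.com/..." would pass and the package could be
	// fetched over a channel that offers no integrity protection.
	// url.Parse lower-cases the scheme, so a plain comparison is enough.
	if parsedURL.Scheme != "https" {
		return fmt.Errorf("MCPB package URL must use the https scheme, got %q", parsedURL.Scheme)
	}

	host := strings.ToLower(parsedURL.Host)

	// Allowlist and path rule live in one switch with a default-deny arm, so
	// a host cannot be allowlisted without also having a path check.
	switch host {
	case "github.com", "www.github.com":
		// GitHub release URLs must match: /owner/repo/releases/download/tag/filename
		if !isValidGitHubReleaseURL(parsedURL.Path) {
			return fmt.Errorf("GitHub MCPB packages must be release assets following the pattern '/owner/repo/releases/download/tag/filename'")
		}
	case "gitlab.com", "www.gitlab.com":
		// GitLab release URLs must match one of the two release-asset patterns
		// named in the error message below.
		if !isValidGitLabReleaseURL(parsedURL.Path) {
			return fmt.Errorf("GitLab MCPB packages must be release assets following patterns '/owner/repo/-/releases/tag/downloads/filename' or '/owner/repo/-/package_files/id/download'")
		}
	default:
		return fmt.Errorf("MCPB packages must be hosted on allowlisted providers (GitHub or GitLab). Host '%s' is not allowed", host)
	}

	return nil
}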
| 139 | |
| 140 | // isValidGitHubReleaseURL validates that a path follows the GitHub release asset pattern |
| 141 | // Pattern: /owner/repo/releases/download/tag/filename |