fix: validate "uri" format for absolute URIs with a fragment (#131)#269
Conversation
f957547 to
3506a4d
Compare
|
Thanks for posting this. i’ll review over the weekend. |
There was a problem hiding this comment.
I've updated the linter config so goconst won't annoy us any longer. Please rebase.
I am okay with the change, although this story about URIs is far from over (now we let pass invalid URIs that have illegal fragments, before we did not accept empty fragments). I am accepting this change as a temporary solution that closes a very narrow issue, not as a silver bullet fix (so this is "patch almost wright"...
Thanks for your contribution. This helps us move forward.
Cheers
…api#131) Signed-off-by: patchwright <patchwright@users.noreply.github.com>
3506a4d to
3cb943b
Compare
Codecov Report✅ All modified and coverable lines are covered by tests. Additional details and impacted files@@ Coverage Diff @@
## master #269 +/- ##
==========================================
+ Coverage 86.50% 86.51% +0.01%
==========================================
Files 18 18
Lines 2467 2469 +2
==========================================
+ Hits 2134 2136 +2
Misses 230 230
Partials 103 103 ☔ View full report in Codecov by Harness. |
Distilled from deepdiff#602: a function written assuming datetime.datetime that calls .replace(second=0, microsecond=0) unconditionally crashes on a bare datetime.date, because datetime is a subclass of date — so any isinstance(x, date) dispatch admits datetimes but fails to keep bare dates out, and a replace() written for datetime raises TypeError on a date. Ships that check two ways, mirroring WP001: - find_date_kwargs(): dependency-free runtime checker that probes fn with a bare date and time, recording only TypeError/AttributeError that cite a time-only field (hour/minute/second/microsecond/nanosecond/tzinfo/fold) — the signature of this class, not an unrelated crash. Verified to bite a faithful reproduction of the deepdiff#602 truncate and stay silent on a hasattr-guarded fix. - DATE_KWARGS / --template date-time-kwargs: renders a paste-ready pytest module (auto-listed by the CLI alongside WP001). Violation is generalized (mantissa/unit now Optional, branched __str__) so a non-rollover property can carry an output+reason; the rollover path and its tests are unchanged. Also documents uri-fragment-as-userinfo (go-openapi/strfmt#269, merged) in NON_GENERALIZED: probed against urllib.parse, rfc3986, yarl, furl, hyperlink (2026-06-24) — every Python URI parser is RFC-3986-compliant and treats '#' as the fragment delimiter, so the class is Go-specific and ships no Python surface. No gap in WP numbering: date-time-kwargs is WP002. 42 tests green (was 31), ruff clean, twine check passes. v0.3.0. Co-Authored-By: claude-flow <ruv@ruv.net>
Problem
Fixes #131. The
"uri"format rejects absolute URIs that carry a fragment with an empty path, e.g.https://portal.azure.com#@930d042f-..., reporting them asmust be of type uri. These are valid per RFC 3986. Confirmed on master HEAD 00af19e.Root cause
isRequestURIvalidates withurl.ParseRequestURI, which is documented to assume the input carries no#fragment(RFC 3986 §3.5). With no path separating host and fragment,host#@fragis parsed as userinfo (host#before the@) and rejected asnet/url: invalid userinfo.Fix
Strip the fragment before calling
url.ParseRequestURI, matching howurl.Parsehandles RFC 3986. This preserves the existing absolute-URI check (scheme still required, relative paths still rejected) and changes only the fragment case. 8 lines indefault.go; no API changes.How to test
On unpatched master the new sample fails:
Backward compatibility
No breaking changes. The fix only newly accepts URIs that are valid per RFC 3986; inputs outside the fragment-with-empty-path case keep their previous accept/reject result.
Assisted-by: Claude (code generation, reviewed and tested locally)