[Java.Interop.Tools.Maven] Validate Artifact coordinates#1479
Open
jonathanpeppers wants to merge 3 commits into
Open
[Java.Interop.Tools.Maven] Validate Artifact coordinates#1479jonathanpeppers wants to merge 3 commits into
jonathanpeppers wants to merge 3 commits into
Conversation
Context: https://github.com/dotnet/android (the `<AndroidMavenLibrary>` MSBuild item relies on `Artifact`/`Artifact.TryParse` to validate Maven coordinates supplied by users, but today the constructor blindly assigns its fields and `TryParse` only checks for three colon-separated parts. Empty strings, whitespace, and characters that are illegal per the Maven coordinate spec all slip through. Add structural validation to `Artifact`: * `groupId` and `artifactId` must match `[A-Za-z0-9_\-.]+` per https://maven.apache.org/pom.html#Maven_Coordinates. * `version` rejects whitespace, `:`, and path separators (`/`, `\`). Maven versions are otherwise permissive, so no further parsing. * The constructor throws `ArgumentNullException` / `ArgumentException` with the offending parameter and value. * `TryParse` returns `false` for any invalid input (and requires all three parts to be non-empty) without throwing. * `Parse` continues to throw `ArgumentException` with the existing message format. The constructor still allows an empty `version` so that existing internal callers - `Dependency.ToArtifact ()` and `Project.TryGetParentPomArtifact ()` - can keep producing partial coordinates when a POM omits `<version>` and inherits it from a parent. `TryParse`/`Parse` (the user-input path) still require a non-empty version. Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
There was a problem hiding this comment.
Pull request overview
This PR strengthens Java.Interop.Tools.Maven.Models.Artifact so it properly validates Maven coordinates (groupId/artifactId/version) when constructed or parsed, preventing malformed or potentially unsafe user-supplied coordinates from slipping through (notably for downstream consumers like dotnet/android’s <AndroidMavenLibrary>).
Changes:
- Added validation to
Artifactconstructor forgroupId/artifactIdcharacter set and forversion(rejecting whitespace,:, and path separators), while still allowing an empty constructorversionfor internal “inherited version” scenarios. - Updated
Artifact.TryParseto reject invalid inputs (includingnulland empty parts) without throwing. - Added NUnit tests covering valid/invalid coordinates and the constructor’s empty-version allowance.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| tests/Java.Interop.Tools.Maven-Tests/ArtifactTests.cs | Adds comprehensive tests for Artifact ctor/TryParse/Parse validation behavior. |
| src/Java.Interop.Tools.Maven/Models/Artifact.cs | Implements stricter structural validation for Maven coordinates and updates parsing behavior. |
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
jonathanpeppers
added
the
ready-to-review
Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
simonrozsival
approved these changes
Jun 23, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Context: dotnet/android's
<AndroidMavenLibrary>MSBuild item relies onArtifact/Artifact.TryParseto validate Maven coordinates supplied by users, but today the constructor blindly assigns its fields andTryParseonly checks for three colon-separated parts. Empty strings, whitespace, path traversal sequences (../), and characters that are illegal per the Maven coordinate spec all slip through.This PR adds structural validation to
Artifact:groupIdandartifactIdmust match[A-Za-z0-9_\-.]+per the Maven Coordinates spec.versionrejects whitespace,:, and path separators (/,\). Maven versions are otherwise permissive, so no further parsing is attempted.ArgumentNullException/ArgumentExceptionwith the offending parameter and value.TryParsereturnsfalsefor any invalid input (and requires all three parts to be non-empty) without throwing.Parsecontinues to throwArgumentExceptionwith the existing message format.The constructor still allows an empty
versionso that existing internal callers —Dependency.ToArtifact()andProject.TryGetParentPomArtifact()— can keep producing partial coordinates when a POM omits<version>and inherits it from a parent POM. The user-input paths (TryParse/Parse) still require a non-empty version.Tests
Added
tests/Java.Interop.Tools.Maven-Tests/ArtifactTests.cscovering:TryParse/Parse, includingGroupId/Id/Version/ArtifactString/VersionedArtifactString.TryParse(returnsfalse, out paramnull): null, empty, whitespace-only, wrong number of:-separated parts, illegal chars (space,:,/,@,!, etc.), and path-traversal sequences like..//..\in any of the three positions including the version.All 92 tests in
Java.Interop.Tools.Maven-Testspass.Benefit to downstream
<AndroidMavenLibrary>(whoseMavenExtensions.TryParseArtifactWithVersioncurrently only splits on:) gets stricter validation for free as soon as it picks up this version ofJava.Interop.Tools.Maven.