Escape special characters in directory path regex (#1542)

keshav-space · web-flow · commit fa9ac3f5823a · 2025-01-16T07:28:34.000+01:00
Signed-off-by: Keshav Priyadarshi &lt;git@keshav.space&gt;
diff --git a/scanpipe/pipes/d2d.py b/scanpipe/pipes/d2d.py
@@ -20,6 +20,7 @@
 # ScanCode.io is a free software code scanning tool from nexB Inc. and others.
 # Visit https://github.com/aboutcode-org/scancode.io for support and download.
 
+import re
 from collections import Counter
 from collections import defaultdict
 from contextlib import suppress
@@ -1623,21 +1624,20 @@ def match_purldb_resources_post_process(project, logger=None):
     map_count = 0
 
     for directory in progress.iter(resource_iterator):
-        map_count += _match_purldb_resources_post_process(
-            directory, to_extract_directories, to_resources
-        )
+        map_count += _match_purldb_resources_post_process(directory, to_resources)
 
     logger(f"{map_count:,d} resource processed")
 
 
-def _match_purldb_resources_post_process(
-    directory_path, to_extract_directories, to_resources
-):
+def _match_purldb_resources_post_process(directory, to_resources):
+    # Escape special character in directory path
+    escaped_directory_path = re.escape(directory.path)
+
     # Exclude the content of nested archive.
     interesting_codebase_resources = (
-        to_resources.filter(path__startswith=directory_path)
+        to_resources.filter(path__startswith=directory.path)
         .filter(status=flag.MATCHED_TO_PURLDB_RESOURCE)
-        .exclude(path__regex=rf"^{directory_path}.*-extract\/.*$")
+        .exclude(path__regex=rf"^{escaped_directory_path}.*-extract\/.*$")
     )
 
     if not interesting_codebase_resources:
diff --git a/scanpipe/tests/pipes/test_d2d.py b/scanpipe/tests/pipes/test_d2d.py
@@ -28,6 +28,7 @@
 from unittest import mock
 from unittest import skipIf
 
+from django.db.utils import DataError
 from django.test import TestCase
 
 from scanpipe import pipes
@@ -1594,3 +1595,36 @@ def test_scanpipe_pipes_d2d_match_purldb_resource_no_package_data(
 
         package_count = self.project1.discoveredpackages.count()
         self.assertEqual(0, package_count)
+
+    def test_scanpipe_pipes_d2d_match_purldb_resources_post_process_with_special_char(
+        self,
+    ):
+        to_map = self.data / "d2d-javascript" / "to" / "main.js.map"
+
+        to_dir = self.project1.codebase_path / "to/lib/Matplot++/nodesoup.lib-extract"
+        to_dir.mkdir(parents=True)
+        copy_inputs([to_map], to_dir)
+
+        pipes.collect_and_create_codebase_resources(self.project1)
+
+        to_resources = self.project1.codebaseresources.filter(
+            path__startswith=("to/lib/Matplot++/nodesoup.lib-extract/main.js")
+        )
+
+        dummy_package_data1 = package_data1.copy()
+        dummy_package_data1["uuid"] = uuid.uuid4()
+        d2d.create_package_from_purldb_data(
+            self.project1,
+            to_resources,
+            dummy_package_data1,
+            flag.MATCHED_TO_PURLDB_RESOURCE,
+        )
+
+        buffer = io.StringIO()
+        try:
+            d2d.match_purldb_resources_post_process(
+                self.project1,
+                logger=buffer.write,
+            )
+        except DataError:
+            self.fail("DataError was raised, but it should not occur.")
