From 76f014aa96ed6a7f8a2fc19ac2745cfe99f0bb21 Mon Sep 17 00:00:00 2001
From: Jordan Sissel
Date: Sat, 3 Dec 2022 17:09:46 -0800
Subject: [PATCH] Reject invalid Debian version values. A hopefully-actionable error message is provided when an invalid version is given when making a Debian package. To aid readability, rewrote the relationship pattern as a multiline regex. Added separate pattern for version field. Test coverage added for #1969's "v" prefix removal. For #1847
---
 lib/fpm/package/deb.rb | 22 ++++++++++++++++++----
 spec/fpm/package/deb_spec.rb | 6 ++++++
 2 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/lib/fpm/package/deb.rb b/lib/fpm/package/deb.rb
index 8f0c6078ae..f9ab72358e 100644
--- a/lib/fpm/package/deb.rb
+++ b/lib/fpm/package/deb.rb
@@ -43,7 +43,15 @@ class FPM::Package::Deb < FPM::Package
 # epoch - This is a single (generally small) unsigned integer
 # upstream_version - must contain only alphanumerics 6 and the characters . + - ~
 # debian_revision - only alphanumerics and the characters + . ~
- RELATIONSHIP_FIELD_PATTERN = /^(?[A-z0-9][A-z0-9_.-]+)(?: *\((?[<>=]+) *(?(?:[0-9]+:)?[0-9A-Za-z+~.-]+(?:-[0-9A-Za-z+~.]+)?)\))?$/
+ VERSION_FIELD_PATTERN = /
+ (?:(?:[0-9]+):)? # The epoch, an unsigned int
+ (?:[A-Za-z0-9+~.-]+) # upstream version, probably should not contain dashes?
+ (?:-[A-Za-z0-9+~.]+)? # debian_revision
+ /x # Version field pattern
+ RELATIONSHIP_FIELD_PATTERN = /^
+ (?[A-z0-9][A-z0-9_.-]+)
+ (?:\s*\((?[<>=]+)\s(?#{VERSION_FIELD_PATTERN})\))?
+ $/x # Relationship field pattern
 option "--ignore-iteration-in-dependencies", :flag,
 "For '=' (equal) dependencies, allow iterations on the specified " \
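Review bot: The upstream-version group of `VERSION_FIELD_PATTERN`, `(?:[A-Za-z0-9+~.-]+)`, accepts a value that starts with a letter or punctuation, although the warning added to `version` in the next hunk says the Debian Version field needs to start with a digit. As written, a v-prefixed word such as "vagrant" would lose its "v" because the remainder matches, and the result then passes validation. Requiring a leading digit, `(?:[0-9][A-Za-z0-9+~.-]*)`, would close that, after checking that relationship values reusing this pattern never carry a non-digit version. Separately, the rewritten `RELATIONSHIP_FIELD_PATTERN` demands exactly one whitespace character after the operator (`\s`) where the removed line allowed zero or more spaces (` *`), so a dependency written as `name (>=1.0)` would stop matching; `\s*` keeps the old behaviour.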
@@ -293,9 +301,15 @@ def prefix
 end # def prefix
 def version
- if @version.kind_of?(String) and @version.start_with?("v")
- logger.warn("Drop leading v from package version '#{@version}'")
- @version = @version.gsub(/^v/, "")
+ if @version.kind_of?(String)
+ if @version.start_with?("v") && @version.gsub(/^v/, "") =~ /^#{VERSION_FIELD_PATTERN}$/
+ logger.warn("Debian 'Version' field needs to start with a digit. I was provided '#{@version}' which seems like it just has a 'v' prefix to an otherwise-valid Debian version, I'll remove the 'v' for you.")
+ @version = @version.gsub(/^v/, "")
+ end
+
+ if @version !~ /^#{VERSION_FIELD_PATTERN}$/
+ raise FPM::InvalidPackageConfiguration, "The version looks invalid for Debian packages. Debian version field must contain only alphanumerics and . (period), + (plus), - (hyphen) or ~ (tilde). I have '#{@version}' which which isn't valid."
+ end
 end
 return @version
diff --git a/spec/fpm/package/deb_spec.rb b/spec/fpm/package/deb_spec.rb
index 8970109c0a..d98e24fb99 100644
--- a/spec/fpm/package/deb_spec.rb
+++ b/spec/fpm/package/deb_spec.rb
@@ -126,6 +126,12 @@
 end
 end
+ context "when validating the version field" do
+ pending "it should reject invalid versions"
+ pending "it should convert v-prefixed-but-otherwise-valid versions"
+ pending "it should accept valid versions"
+ end
+
 describe "#output" do
 let(:original) { FPM::Package::Deb.new }
 let(:input) { FPM::Package::Deb.new }
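Review bot: In `lib/fpm/package/deb.rb`, both new checks in `version` anchor the pattern with `^` and `$`, which in Ruby match at line boundaries, so a multi-line string passes as long as one of its lines is a valid version. A value with an embedded newline would therefore skip the `raise` and be returned unchanged; if the version is later written into the package's control data (not visible in this hunk), the extra lines could be read as additional fields. Anchoring to the whole string fixes it: `if @version !~ /\A#{VERSION_FIELD_PATTERN}\z/`, with the same `\A…\z` in the `start_with?("v")` condition; `RELATIONSHIP_FIELD_PATTERN` in the first hunk uses the same `^`/`$` pair. The error text also repeats "which which". The closing `end` of `version` lies outside the hunk.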
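Review bot: In `spec/fpm/package/deb_spec.rb`, the three `pending` entries have no bodies, so neither the new `raise FPM::InvalidPackageConfiguration` path nor the "v"-prefix handling is exercised, although the commit message says test coverage was added. Replacing them with real examples would pin the behaviour: one asserting the error for a version with a disallowed character or an embedded newline, one asserting that a v-prefixed valid version comes back without the "v", and one for a plain valid version. The enclosing block of this spec starts outside the hunk.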