Validate --css argument. Thanks to Daniel Schmidt @ SRLabs for the report. (Closes: #396)

diffoscope/main.py

@@ -28,6 +28,8 @@ import textwrap
 import argparse
 import traceback
 
+from urllib.parse import urlparse
+
 from . import VERSION
 from .path import set_path
 from .tools import (
@@ -734,6 +736,14 @@ def sigterm_handler(signo, stack_frame):
     os._exit(2)
 
 
+def is_valid_url(val):
+    try:
+        result = urlparse(val)
+        return all([result.scheme, result.netloc])
+    except AttributeError:
+        return False
+
+
 def main(args=None):
     if args is None:
         args = sys.argv[1:]
@@ -759,6 +769,9 @@ def main(args=None):
             parser, post_parse = create_parser()
             parsed_args = parser.parse_args(args)
 
+        if parsed_args.css_url and not is_valid_url(parsed_args.css_url):
+            parser.error(f"{parsed_args.css_url!r} is not a valid CSS URL.")
+
         log_handler = ProgressManager().setup(parsed_args)
 
         with setup_logging(parsed_args.debug, log_handler) as _:

tests/test_main.py

@@ -191,3 +191,31 @@ def test_usage(capsys):
 
     assert out == ""
     assert "usage:" in err
+
+
+def test_valid_css(capsys):
+    ret, out, err = run(
+        capsys,
+        "--css",
+        "http://example.tld/file.css",
+        TEST_TAR1_PATH,
+        TEST_TAR1_PATH,
+    )
+
+    assert ret == 0
+    assert err == ""
+    assert out == ""
+
+
+def test_invalid_css(capsys):
+    ret, out, err = run(
+        capsys,
+        "--css",
+        '"><svg/onload=alert(43433)>',
+        TEST_TAR1_PATH,
+        TEST_TAR1_PATH,
+    )
+
+    assert ret == 2
+    assert "is not a valid CSS" in err
+    assert out == ""