FilterLists: only import entries with a valid version constraint

glaubinix · glaubinix · commit beec6059fe4f · 2026-05-21T16:30:04.000+01:00
diff --git a/src/FilterList/List/AikidoMalwareFilterList.php b/src/FilterList/List/AikidoMalwareFilterList.php
@@ -15,6 +15,7 @@
 use App\FilterList\FilterLists;
 use App\FilterList\FilterSources;
 use App\FilterList\RemoteFilterListEntry;
+use Composer\Semver\VersionParser;
 use Psr\Log\LoggerInterface;
 use Symfony\Contracts\HttpClient\HttpClientInterface;
 
@@ -44,6 +45,7 @@ public function getListEntries(): ?array
             return null;
         }
 
+        $versionParser = new VersionParser();
         $entries = [];
         foreach ($data as $entry) {
             $packageName = strtolower($entry['package_name']);
@@ -53,6 +55,17 @@ public function getListEntries(): ?array
                 continue;
             }
 
+            try {
+                $versionParser->parseConstraints($entry['version']);
+            } catch (\UnexpectedValueException $e) {
+                $this->logger->warning('Skipping Aikido malware entry with invalid version constraint', [
+                    'package' => $packageName,
+                    'version' => $entry['version'],
+                    'exception' => $e,
+                ]);
+                continue;
+            }
+
             $entries[] = new RemoteFilterListEntry(
                 $packageName,
                 $entry['version'],
diff --git a/tests/FilterList/List/AikidoMalwareFilterListTest.php b/tests/FilterList/List/AikidoMalwareFilterListTest.php
@@ -119,6 +119,22 @@ public function testGetListEntriesPreservesOriginalVersion(): void
         $this->assertSame('v1.2.3-beta', $result[0]->version);
     }
 
+    public function testGetListEntriesSkipsInvalidVersionConstraints(): void
+    {
+        $feed = new AikidoMalwareFilterList($this->createHttpClient(json_encode([
+            ['package_name' => 'vendor/good', 'version' => '1.0.0', 'reason' => 'malware'],
+            ['package_name' => 'vendor/bad', 'version' => 'not-a-valid-constraint!@#', 'reason' => 'malware'],
+            ['package_name' => 'vendor/also-good', 'version' => '>=2.0,<3.0', 'reason' => 'malware'],
+        ], \JSON_THROW_ON_ERROR)), new NullLogger());
+
+        $result = $feed->getListEntries();
+
+        $this->assertNotNull($result);
+        $this->assertCount(2, $result);
+        $this->assertSame('vendor/good', $result[0]->packageName);
+        $this->assertSame('vendor/also-good', $result[1]->packageName);
+    }
+
     private function createHttpClient(string $responseBody): HttpClientInterface
     {
         return new MockHttpClient([new MockResponse($responseBody)]);
