Origins from Packagist/Maven/... are not checked to be URLs

A package on Packagist has git@github.com/NickUseGitHub/NickClass as its git repo, which Dulwich interprets as a filesystem path.

This means we are not validating URLs, and this could potentially be used to read arbitrary files from the worker's filesystem

Sentry issue: SWH-LOADER-GIT-1AD

Possible solutions:

1. make listers like Packagist and Maven that accept arbitrary URLs check they are indeed URLs
2. make all loaders make that check (but keep the CLI working with local paths)
3. both

---

Migrated from T4670 (view on Phabricator)

added Core Loader Lister priority:High labels

changed the description

Sounds like something that we could check in swh.scheduler too, either on input (reject ListedOrigins with a visit_type that expects a URL and a url that's not right), or on output (don't schedule visits for ListedOrigins with funted URLs)

(we should probably do all of these!)

changed milestone to %Extend archive coverage [Roadmap - Collect]

marked this issue as related to #5001 (closed)

The lister is doing this pre-check now prior to record the listed origins in the scheduler. So closing it.

closed

made the issue visible to everyone

Related MRs ignored by the Phabricator->Gitlab migration:

• swh/devel/swh-lister!453 (closed)
• swh/devel/swh-lister!452 (closed)