pkg-proxy/internal/handler/path_traversal_test.go

package handler

import "testing"

func TestContainsPathTraversal(t *testing.T) {
	tests := []struct {
		path string
		want bool
	}{
		{"pool/main/n/nginx/nginx_1.0.deb", false},
		{"releases/39/Packages/test.rpm", false},
		{"../etc/passwd", true},
		{"pool/../../etc/passwd", true},
		{"pool/main/../../../etc/shadow", true},
		{"pool/..hidden/file", false}, // ".." as a segment, not "..hidden"
		{"", false},
	}

	for _, tt := range tests {
		t.Run(tt.path, func(t *testing.T) {
			got := containsPathTraversal(tt.path)
			if got != tt.want {
				t.Errorf("containsPathTraversal(%q) = %v, want %v", tt.path, got, tt.want)
			}
		})
	}
}
Reject path traversal in debian and rpm handlers The debian and rpm handlers take the request path and pass it directly to the upstream URL without checking for ".." segments. This could let a client craft a request that reaches unintended upstream paths. Add a containsPathTraversal check at the entry point of both handlers and return 400 for any path containing ".." segments. 2026-03-12 12:05:52 +00:00			`package handler`

			`import "testing"`

			`func TestContainsPathTraversal(t *testing.T) {`
			`tests := []struct {`
			`path string`
			`want bool`
			`}{`
			`{"pool/main/n/nginx/nginx_1.0.deb", false},`
			`{"releases/39/Packages/test.rpm", false},`
			`{"../etc/passwd", true},`
			`{"pool/../../etc/passwd", true},`
			`{"pool/main/../../../etc/shadow", true},`
			`{"pool/..hidden/file", false}, // ".." as a segment, not "..hidden"`
			`{"", false},`
			`}`

			`for _, tt := range tests {`
			`t.Run(tt.path, func(t *testing.T) {`
			`got := containsPathTraversal(tt.path)`
			`if got != tt.want {`
			`t.Errorf("containsPathTraversal(%q) = %v, want %v", tt.path, got, tt.want)`
			`}`
			`})`
			`}`
			`}`