pkg-proxy/internal/handler/path_traversal_test.go

package handler

import "testing"

func TestContainsPathTraversal(t *testing.T) {
	tests := []struct {
		path string
		want bool
	}{
		{"pool/main/n/nginx/nginx_1.0.deb", false},
		{"releases/39/Packages/test.rpm", false},
		{"../etc/passwd", true},
		{"pool/../../etc/passwd", true},
		{"pool/main/../../../etc/shadow", true},
		{"pool/..hidden/file", false}, // ".." as a segment, not "..hidden"
		{"", false},
		{"%2e%2e/etc/passwd", true},
		{"%2e%2e%2fetc%2fpasswd", true},
		{"pool/%2e%2e/%2e%2e/etc/shadow", true},
		{"%2E%2E%2Fetc", true},
		{`..\\etc\\passwd`, true},
		{`pool\\..\\..\\etc`, true},
		{"%2e%2e%5cetc%5cpasswd", true},
		{"pool/%2e%2ehidden/file", false},
		{"pool/%zz/bad-encoding", false},
	}

	for _, tt := range tests {
		t.Run(tt.path, func(t *testing.T) {
			got := containsPathTraversal(tt.path)
			if got != tt.want {
				t.Errorf("containsPathTraversal(%q) = %v, want %v", tt.path, got, tt.want)
			}
		})
	}
}
Reject path traversal in debian and rpm handlers The debian and rpm handlers take the request path and pass it directly to the upstream URL without checking for ".." segments. This could let a client craft a request that reaches unintended upstream paths. Add a containsPathTraversal check at the entry point of both handlers and return 400 for any path containing ".." segments. 2026-03-12 12:05:52 +00:00			`package handler`

			`import "testing"`

			`func TestContainsPathTraversal(t *testing.T) {`
			`tests := []struct {`
			`path string`
			`want bool`
			`}{`
			`{"pool/main/n/nginx/nginx_1.0.deb", false},`
			`{"releases/39/Packages/test.rpm", false},`
			`{"../etc/passwd", true},`
			`{"pool/../../etc/passwd", true},`
			`{"pool/main/../../../etc/shadow", true},`
			`{"pool/..hidden/file", false}, // ".." as a segment, not "..hidden"`
			`{"", false},`
Check for path traversal after URL decoding (#108) containsPathTraversal only checked literal ".." segments separated by forward slashes. Encoded forms like %2e%2e%2f or backslash separators would slip past if a caller ever passed a raw or Windows-style path. The check now URL-decodes the input and treats backslashes as separators before splitting. Go's stdlib already decodes r.URL.Path so the encoded case is mostly belt-and-braces for cache keys and other non-router inputs, but the storage layer guard from #106 makes this worth locking in with tests. Fixes #74 2026-05-03 09:07:16 +01:00			`{"%2e%2e/etc/passwd", true},`
			`{"%2e%2e%2fetc%2fpasswd", true},`
			`{"pool/%2e%2e/%2e%2e/etc/shadow", true},`
			`{"%2E%2E%2Fetc", true},`
			{`..\\etc\\passwd`, true},
			{`pool\\..\\..\\etc`, true},
			`{"%2e%2e%5cetc%5cpasswd", true},`
			`{"pool/%2e%2ehidden/file", false},`
			`{"pool/%zz/bad-encoding", false},`
Reject path traversal in debian and rpm handlers The debian and rpm handlers take the request path and pass it directly to the upstream URL without checking for ".." segments. This could let a client craft a request that reaches unintended upstream paths. Add a containsPathTraversal check at the entry point of both handlers and return 400 for any path containing ".." segments. 2026-03-12 12:05:52 +00:00			`}`

			`for _, tt := range tests {`
			`t.Run(tt.path, func(t *testing.T) {`
			`got := containsPathTraversal(tt.path)`
			`if got != tt.want {`
			`t.Errorf("containsPathTraversal(%q) = %v, want %v", tt.path, got, tt.want)`
			`}`
			`})`
			`}`
			`}`