pkg-proxy/internal/server/resolve.go

package server

import (
	"fmt"
	"strings"
	"unicode"

	"github.com/git-pkgs/proxy/internal/database"
)

// maxPackagePathLen bounds the wildcard portion of package routes (name plus
// version and any suffix). npm caps names at 214 and Maven coordinates can be
// longer, so 512 leaves room without admitting pathological inputs.
const maxPackagePathLen = 512

// validatePackagePath rejects wildcard package paths that cannot be valid in
// any supported ecosystem. It is a coarse filter applied before database or
// enrichment lookups; ecosystem-specific name rules are layered on top.
func validatePackagePath(path string) error {
	if path == "" {
		return fmt.Errorf("package name required")
	}
	if len(path) > maxPackagePathLen {
		return fmt.Errorf("package path exceeds %d bytes", maxPackagePathLen)
	}
	for _, r := range path {
		if r == 0 {
			return fmt.Errorf("package path contains null byte")
		}
		if unicode.IsControl(r) {
			return fmt.Errorf("package path contains control character %#U", r)
		}
	}
	return nil
}

// resolvePackageName determines the package name from a wildcard path by
// checking the database. This handles namespaced packages like Composer's
// vendor/name format where the package name contains a slash.
//
// It tries the full path as a package name first. If not found, it splits
// off the last segment as a non-name suffix (version, action, etc.) and
// tries again, working backwards until a match is found or segments run out.
//
// Returns the package name and the remaining path segments after the name.
// If no package is found, returns empty name and the original segments.
func resolvePackageName(db *database.DB, ecosystem string, segments []string) (name string, rest []string) {
	// Try increasingly longer prefixes as the package name.
	// Start with the longest possible name (all segments) and work down.
	for i := len(segments); i >= 1; i-- {
		candidate := strings.Join(segments[:i], "/")
		pkg, err := db.GetPackageByEcosystemName(ecosystem, candidate)
		if err == nil && pkg != nil {
			return candidate, segments[i:]
		}
	}

	return "", segments
}

// splitWildcardPath splits a chi wildcard path value into segments,
// trimming any leading/trailing slashes.
func splitWildcardPath(path string) []string {
	path = strings.Trim(path, "/")
	if path == "" {
		return nil
	}
	return strings.Split(path, "/")
}
Fix Composer minified metadata expansion and namespaced package routing (#63) * Fix Composer minified metadata expansion and namespaced package routing Packagist serves metadata in a minified format where only the first version entry has all fields and subsequent entries inherit from the previous one. The proxy was passing this through without expanding it, which meant cooldown filtering could break the inheritance chain (losing fields like `name`) and `~dev` sentinel markers were silently dropped. The proxy now expands the minified format before filtering and rewriting, ensuring every version entry is self-contained. Web UI and API routes used single-segment chi URL params for package names, which broke for Composer's `vendor/name` format. `/package/composer/monolog/monolog` would match the version show route instead of the package show route. All `/package/` and related API routes now use wildcard paths with a `resolvePackageName` helper that tries increasingly longer path prefixes as package names via DB lookup, correctly handling namespaced packages across all endpoints (show, version, browse, compare, vulns). Fixes #61, fixes #62 * Add namespaced package routing tests for all affected ecosystems Verifies the wildcard routing handles slashes in package names for npm (@babel/core), Go modules (github.com/stretchr/testify), OCI images (library/nginx), Conda (conda-forge/numpy), and Conan (zlib/1.2.13@demo/stable). * Regenerate swagger docs after route refactor The swagger annotations for the old per-endpoint handlers were removed during the wildcard routing refactor. Regenerate to match current state. 2026-04-06 13:07:02 +01:00			`package server`

			`import (`
Validate package paths before database lookups (#109) The wildcard package routes (/packages/{ecosystem}/, /api/package/, /api/vulns/, /api/browse/, /api/compare/*) only checked for an empty path before passing user input to GetPackageByEcosystemName and the enrichment service. Add validatePackagePath as a coarse first-line filter: reject null bytes, other control characters, and paths over 512 bytes. Wired into all five entry handlers immediately after the chi wildcard is read. This is the generic layer; ecosystem-specific name format rules (npm scoped name shape, Maven coordinate structure, etc.) can be added on top per #75. Fixes #75 2026-05-03 09:14:18 +01:00			`"fmt"`
Fix Composer minified metadata expansion and namespaced package routing (#63) * Fix Composer minified metadata expansion and namespaced package routing Packagist serves metadata in a minified format where only the first version entry has all fields and subsequent entries inherit from the previous one. The proxy was passing this through without expanding it, which meant cooldown filtering could break the inheritance chain (losing fields like `name`) and `~dev` sentinel markers were silently dropped. The proxy now expands the minified format before filtering and rewriting, ensuring every version entry is self-contained. Web UI and API routes used single-segment chi URL params for package names, which broke for Composer's `vendor/name` format. `/package/composer/monolog/monolog` would match the version show route instead of the package show route. All `/package/` and related API routes now use wildcard paths with a `resolvePackageName` helper that tries increasingly longer path prefixes as package names via DB lookup, correctly handling namespaced packages across all endpoints (show, version, browse, compare, vulns). Fixes #61, fixes #62 * Add namespaced package routing tests for all affected ecosystems Verifies the wildcard routing handles slashes in package names for npm (@babel/core), Go modules (github.com/stretchr/testify), OCI images (library/nginx), Conda (conda-forge/numpy), and Conan (zlib/1.2.13@demo/stable). * Regenerate swagger docs after route refactor The swagger annotations for the old per-endpoint handlers were removed during the wildcard routing refactor. Regenerate to match current state. 2026-04-06 13:07:02 +01:00			`"strings"`
Validate package paths before database lookups (#109) The wildcard package routes (/packages/{ecosystem}/, /api/package/, /api/vulns/, /api/browse/, /api/compare/*) only checked for an empty path before passing user input to GetPackageByEcosystemName and the enrichment service. Add validatePackagePath as a coarse first-line filter: reject null bytes, other control characters, and paths over 512 bytes. Wired into all five entry handlers immediately after the chi wildcard is read. This is the generic layer; ecosystem-specific name format rules (npm scoped name shape, Maven coordinate structure, etc.) can be added on top per #75. Fixes #75 2026-05-03 09:14:18 +01:00			`"unicode"`
Fix Composer minified metadata expansion and namespaced package routing (#63) * Fix Composer minified metadata expansion and namespaced package routing Packagist serves metadata in a minified format where only the first version entry has all fields and subsequent entries inherit from the previous one. The proxy was passing this through without expanding it, which meant cooldown filtering could break the inheritance chain (losing fields like `name`) and `~dev` sentinel markers were silently dropped. The proxy now expands the minified format before filtering and rewriting, ensuring every version entry is self-contained. Web UI and API routes used single-segment chi URL params for package names, which broke for Composer's `vendor/name` format. `/package/composer/monolog/monolog` would match the version show route instead of the package show route. All `/package/` and related API routes now use wildcard paths with a `resolvePackageName` helper that tries increasingly longer path prefixes as package names via DB lookup, correctly handling namespaced packages across all endpoints (show, version, browse, compare, vulns). Fixes #61, fixes #62 * Add namespaced package routing tests for all affected ecosystems Verifies the wildcard routing handles slashes in package names for npm (@babel/core), Go modules (github.com/stretchr/testify), OCI images (library/nginx), Conda (conda-forge/numpy), and Conan (zlib/1.2.13@demo/stable). * Regenerate swagger docs after route refactor The swagger annotations for the old per-endpoint handlers were removed during the wildcard routing refactor. Regenerate to match current state. 2026-04-06 13:07:02 +01:00
			`"github.com/git-pkgs/proxy/internal/database"`
			`)`

Validate package paths before database lookups (#109) The wildcard package routes (/packages/{ecosystem}/, /api/package/, /api/vulns/, /api/browse/, /api/compare/*) only checked for an empty path before passing user input to GetPackageByEcosystemName and the enrichment service. Add validatePackagePath as a coarse first-line filter: reject null bytes, other control characters, and paths over 512 bytes. Wired into all five entry handlers immediately after the chi wildcard is read. This is the generic layer; ecosystem-specific name format rules (npm scoped name shape, Maven coordinate structure, etc.) can be added on top per #75. Fixes #75 2026-05-03 09:14:18 +01:00			`// maxPackagePathLen bounds the wildcard portion of package routes (name plus`
			`// version and any suffix). npm caps names at 214 and Maven coordinates can be`
			`// longer, so 512 leaves room without admitting pathological inputs.`
			`const maxPackagePathLen = 512`

			`// validatePackagePath rejects wildcard package paths that cannot be valid in`
			`// any supported ecosystem. It is a coarse filter applied before database or`
			`// enrichment lookups; ecosystem-specific name rules are layered on top.`
			`func validatePackagePath(path string) error {`
			`if path == "" {`
			`return fmt.Errorf("package name required")`
			`}`
			`if len(path) > maxPackagePathLen {`
			`return fmt.Errorf("package path exceeds %d bytes", maxPackagePathLen)`
			`}`
			`for _, r := range path {`
			`if r == 0 {`
			`return fmt.Errorf("package path contains null byte")`
			`}`
			`if unicode.IsControl(r) {`
			`return fmt.Errorf("package path contains control character %#U", r)`
			`}`
			`}`
			`return nil`
			`}`

Fix Composer minified metadata expansion and namespaced package routing (#63) * Fix Composer minified metadata expansion and namespaced package routing Packagist serves metadata in a minified format where only the first version entry has all fields and subsequent entries inherit from the previous one. The proxy was passing this through without expanding it, which meant cooldown filtering could break the inheritance chain (losing fields like `name`) and `~dev` sentinel markers were silently dropped. The proxy now expands the minified format before filtering and rewriting, ensuring every version entry is self-contained. Web UI and API routes used single-segment chi URL params for package names, which broke for Composer's `vendor/name` format. `/package/composer/monolog/monolog` would match the version show route instead of the package show route. All `/package/` and related API routes now use wildcard paths with a `resolvePackageName` helper that tries increasingly longer path prefixes as package names via DB lookup, correctly handling namespaced packages across all endpoints (show, version, browse, compare, vulns). Fixes #61, fixes #62 * Add namespaced package routing tests for all affected ecosystems Verifies the wildcard routing handles slashes in package names for npm (@babel/core), Go modules (github.com/stretchr/testify), OCI images (library/nginx), Conda (conda-forge/numpy), and Conan (zlib/1.2.13@demo/stable). * Regenerate swagger docs after route refactor The swagger annotations for the old per-endpoint handlers were removed during the wildcard routing refactor. Regenerate to match current state. 2026-04-06 13:07:02 +01:00			`// resolvePackageName determines the package name from a wildcard path by`
			`// checking the database. This handles namespaced packages like Composer's`
			`// vendor/name format where the package name contains a slash.`
			`//`
			`// It tries the full path as a package name first. If not found, it splits`
			`// off the last segment as a non-name suffix (version, action, etc.) and`
			`// tries again, working backwards until a match is found or segments run out.`
			`//`
			`// Returns the package name and the remaining path segments after the name.`
			`// If no package is found, returns empty name and the original segments.`
			`func resolvePackageName(db *database.DB, ecosystem string, segments []string) (name string, rest []string) {`
			`// Try increasingly longer prefixes as the package name.`
			`// Start with the longest possible name (all segments) and work down.`
			`for i := len(segments); i >= 1; i-- {`
			`candidate := strings.Join(segments[:i], "/")`
			`pkg, err := db.GetPackageByEcosystemName(ecosystem, candidate)`
			`if err == nil && pkg != nil {`
			`return candidate, segments[i:]`
			`}`
			`}`

			`return "", segments`
			`}`

			`// splitWildcardPath splits a chi wildcard path value into segments,`
			`// trimming any leading/trailing slashes.`
			`func splitWildcardPath(path string) []string {`
			`path = strings.Trim(path, "/")`
			`if path == "" {`
			`return nil`
			`}`
			`return strings.Split(path, "/")`
			`}`