mirror of https://github.com/git-pkgs/proxy.git synced 2026-06-02 08:38:17 -04:00
pkg-proxy/internal
Andrew Nesbitt d6093376d7
Check for path traversal after URL decoding
containsPathTraversal only checked literal ".." segments separated by
forward slashes. Encoded forms like %2e%2e%2f or backslash separators
would slip past if a caller ever passed a raw or Windows-style path.

The check now URL-decodes the input and treats backslashes as
separators before splitting. Go's stdlib already decodes r.URL.Path so
the encoded case is mostly belt-and-braces for cache keys and other
non-router inputs, but the storage layer guard from #106 makes this
worth locking in with tests.

Fixes #74
2026-05-03 08:54:47 +01:00
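The check the commit message describes, written out as an added example in Go (this is not the project's code; the function name `containsTraversal`, the helper `decodeFully`, the round limit and the sample paths are all assumptions). It goes a little beyond the commit in two places: the percent-decoding is repeated until the string stops changing, so a double-encoded `%252e%252e` is caught as well, and a malformed escape such as `%zz` is rejected rather than passed through, which is the fail-closed choice for a cache key or storage path.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// maxDecodeRounds bounds the repeated percent-decoding so a pathological
// input cannot keep the loop busy. Three rounds covers single and double
// encoding (%2e -> ., %252e -> %2e -> .). Assumed value, not the project's.
const maxDecodeRounds = 3

// decodeFully percent-decodes p until the result stops changing or the
// round limit is hit. It returns ok=false on a malformed escape such as
// "%zz"; the caller treats that as a reason to reject the path.
func decodeFully(p string) (string, bool) {
	cur := p
	for i := 0; i < maxDecodeRounds; i++ {
		next, err := url.PathUnescape(cur)
		if err != nil {
			return "", false
		}
		if next == cur {
			break
		}
		cur = next
	}
	return cur, true
}

// containsTraversal reports whether p must be rejected as a path traversal
// attempt. Hypothetical name and implementation modelled on the commit
// message above: decode, treat backslashes as separators, split on "/",
// and look for a ".." segment. Dots inside a segment ("a..b") are allowed,
// since they are not a parent-directory reference.
func containsTraversal(p string) bool {
	decoded, ok := decodeFully(p)
	if !ok {
		return true // malformed escape: fail closed
	}
	normalised := strings.ReplaceAll(decoded, "\\", "/")
	for _, seg := range strings.Split(normalised, "/") {
		if seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample inputs, not taken from any real request log.
	cases := []string{
		"npm/lodash/-/lodash-4.17.21.tgz", // clean
		"../etc/passwd",                   // literal
		"%2e%2e%2fetc/passwd",             // single encoded
		"%252e%252e%252fetc/passwd",       // double encoded
		"..\\..\\windows\\win.ini",        // backslash separators
		"%2e%2e%5cfoo",                    // encoded backslash
		"a..b/..c/c..",                    // dots inside a segment: allowed
		"%zz",                             // malformed escape: rejected
	}
	for _, c := range cases {
		fmt.Printf("%-32q traversal=%v\n", c, containsTraversal(c))
	}
}
```

Two caveats a practitioner would want alongside this. First, as the commit notes, the stdlib router hands handlers an already-decoded `r.URL.Path`, so on that input the decode step is a second decode; the raw form is only reachable via `r.URL.RawPath` or `r.URL.EscapedPath()`. Second, a segment check is a string-level guard: it does not resolve symlinks or confine the result to a base directory, which is why a filesystem-level check such as the one from #106 still belongs in the storage layer.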
config Merge pull request #102 from git-pkgs/enforce-max-size-eviction 2026-04-30 23:26:16 +01:00
cooldown Fix all golangci-lint issues across the codebase (#32) 2026-03-18 10:59:29 +00:00
database Apply 'go fmt' as suggested in CONTRIBUTING.md. 2026-04-18 07:43:22 -04:00
enrichment Use shared github.com/git-pkgs/enrichment module 2026-02-06 10:37:00 +00:00
handler Check for path traversal after URL decoding 2026-05-03 08:54:47 +01:00
metrics Apply 'go fmt' as suggested in CONTRIBUTING.md. 2026-04-18 07:43:22 -04:00
mirror Apply 'go fmt' as suggested in CONTRIBUTING.md. 2026-04-18 07:43:22 -04:00
server Add MaxBytesReader to mirror API HandleCreate (#105) 2026-05-02 18:00:25 +01:00
storage Reject path traversal in filesystem storage (#106) 2026-05-02 18:00:28 +01:00