mirror of https://github.com/git-pkgs/proxy.git synced 2026-06-02 08:38:17 -04:00
pkg-proxy/internal/handler
Andrew Nesbitt d6093376d7
Check for path traversal after URL decoding

containsPathTraversal only checked literal ".." segments separated by
forward slashes. Encoded forms like %2e%2e%2f or backslash separators
would slip past if a caller ever passed a raw or Windows-style path.

The check now URL-decodes the input and treats backslashes as
separators before splitting. Go's stdlib already decodes r.URL.Path so
the encoded case is mostly belt-and-braces for cache keys and other
non-router inputs, but the storage layer guard from #106 makes this
worth locking in with tests.

Fixes #74
2026-05-03 08:54:47 +01:00
cargo.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
cargo_test.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
composer.go Apply 'go fmt' as suggested in CONTRIBUTING.md. 2026-04-18 07:43:22 -04:00
composer_test.go Add failing tests for composer dist URL and shared reference bugs 2026-04-06 17:07:20 +01:00
conan.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
conan_test.go Fix all golangci-lint issues across the codebase (#32) 2026-03-18 10:59:29 +00:00
conda.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
conda_test.go Apply 'go fmt' as suggested in CONTRIBUTING.md. 2026-04-18 07:43:22 -04:00
container.go Apply 'go fmt' as suggested in CONTRIBUTING.md. 2026-04-18 07:43:22 -04:00
container_test.go Apply 'go fmt' as suggested in CONTRIBUTING.md. 2026-04-18 07:43:22 -04:00
cran.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
cran_test.go Hello world 2026-01-20 22:00:31 +00:00
debian.go Fix review issues in mirror feature 2026-04-13 09:01:04 +01:00
debian_test.go Fix all golangci-lint issues across the codebase (#32) 2026-03-18 10:59:29 +00:00
download_test.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
gem.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
gem_test.go Add cooldown support for RubyGems 2026-04-06 13:16:26 +01:00
go.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
go_test.go Hello world 2026-01-20 22:00:31 +00:00
handler.go Check for path traversal after URL decoding 2026-05-03 08:54:47 +01:00
handler_test.go Add storage.direct_serve_base_url to override presigned URL host 2026-04-27 12:14:37 +01:00
hex.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
hex_test.go Add cooldown support for Hex 2026-04-06 13:18:57 +01:00
maven.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
maven_test.go Hello world 2026-01-20 22:00:31 +00:00
npm.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
npm_test.go Apply 'go fmt' as suggested in CONTRIBUTING.md. 2026-04-18 07:43:22 -04:00
nuget.go Apply 'go fmt' as suggested in CONTRIBUTING.md. 2026-04-18 07:43:22 -04:00
nuget_test.go Apply 'go fmt' as suggested in CONTRIBUTING.md. 2026-04-18 07:43:22 -04:00
path_traversal_test.go Check for path traversal after URL decoding 2026-05-03 08:54:47 +01:00
pub.go Fix metadata caching, 404 propagation, mirror progress, and registry stubs 2026-04-13 09:01:05 +01:00
pub_test.go Add version cooldown to filter recently published packages 2026-03-04 19:00:31 +00:00
pypi.go Apply 'go fmt' as suggested in CONTRIBUTING.md. 2026-04-18 07:43:22 -04:00
pypi_test.go Add upstream URL tests for all ecosystem download handlers (#51) 2026-04-01 15:22:52 +01:00
read_metadata_test.go Fix silent truncation of large npm metadata responses 2026-04-08 16:02:30 +01:00
rpm.go Add mirror command and API for selective package mirroring 2026-04-13 09:01:04 +01:00
rpm_test.go Fix all golangci-lint issues across the codebase (#32) 2026-03-18 10:59:29 +00:00