pkg-proxy

mirror of https://github.com/git-pkgs/proxy.git synced 2026-06-02 08:38:17 -04:00

Andrew Nesbitt 37cc7abfc7 Validate package paths before database lookups The wildcard package routes (/packages/{ecosystem}/, /api/package/, /api/vulns/, /api/browse/, /api/compare/*) only checked for an empty path before passing user input to GetPackageByEcosystemName and the enrichment service. Add validatePackagePath as a coarse first-line filter: reject null bytes, other control characters, and paths over 512 bytes. Wired into all five entry handlers immediately after the chi wildcard is read. This is the generic layer; ecosystem-specific name format rules (npm scoped name shape, Maven coordinate structure, etc.) can be added on top per #75. Fixes #75		2026-05-03 09:02:14 +01:00
..
config	Merge pull request #102 from git-pkgs/enforce-max-size-eviction	2026-04-30 23:26:16 +01:00
cooldown	Fix all golangci-lint issues across the codebase (#32 )	2026-03-18 10:59:29 +00:00
database	Apply 'go fmt' as suggested in CONTRIBUTING.md.	2026-04-18 07:43:22 -04:00
enrichment	Use shared github.com/git-pkgs/enrichment module	2026-02-06 10:37:00 +00:00
handler	Add storage.direct_serve_base_url to override presigned URL host	2026-04-27 12:14:37 +01:00
metrics	Apply 'go fmt' as suggested in CONTRIBUTING.md.	2026-04-18 07:43:22 -04:00
mirror	Apply 'go fmt' as suggested in CONTRIBUTING.md.	2026-04-18 07:43:22 -04:00
server	Validate package paths before database lookups	2026-05-03 09:02:14 +01:00
storage	Reject path traversal in filesystem storage (#106 )	2026-05-02 18:00:28 +01:00