fix: safe urls for packages

String catenation used for url generators didn't encode package names which could lead to missing data in case if e.g. there is slash (/) in package name
2025-11-03 23:33:41 +00:00 · 2024-01-03 14:28:20 +02:00
parent 1a61da7ab9
commit 08086e8ba8
2 changed files with 6 additions and 4 deletions
--- a/src/ahriman/core/status/web_client.py
+++ b/src/ahriman/core/status/web_client.py
@ -94,7 +94,7 @@ class WebClient(Client, SyncAhrimanClient):
        Returns:
            str: full url for web service for logs
        """
-        return f"{self.address}/api/v1/packages/{package_base}/changes"
+        return f"{self.address}/api/v1/packages/{urlencode(package_base)}/changes"

    def _logs_url(self, package_base: str) -> str:
        """
@ -106,7 +106,7 @@ class WebClient(Client, SyncAhrimanClient):
        Returns:
            str: full url for web service for logs
        """
-        return f"{self.address}/api/v1/packages/{package_base}/logs"
+        return f"{self.address}/api/v1/packages/{urlencode(package_base)}/logs"

    def _package_url(self, package_base: str = "") -> str:
        """
@ -118,7 +118,7 @@ class WebClient(Client, SyncAhrimanClient):
        Returns:
            str: full url of web service for specific package base
        """
-        suffix = f"/{package_base}" if package_base else ""
+        suffix = f"/{urlencode(package_base)}" if package_base else ""
        return f"{self.address}/api/v1/packages{suffix}"

    def _status_url(self) -> str:
--- a/tests/ahriman/core/status/test_web_client.py
+++ b/tests/ahriman/core/status/test_web_client.py
@ -12,7 +12,6 @@ from ahriman.models.changes import Changes
 from ahriman.models.internal_status import InternalStatus
 from ahriman.models.log_record_id import LogRecordId
 from ahriman.models.package import Package
-from ahriman.models.worker import Worker


 def test_parse_address(configuration: Configuration) -> None:
@ -39,6 +38,7 @@ def test_changes_url(web_client: WebClient, package_ahriman: Package) -> None:
    """
    assert web_client._changes_url(package_ahriman.base).startswith(web_client.address)
    assert web_client._changes_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}/changes")
+    assert web_client._changes_url("some/package%name").endswith("/api/v1/packages/some%2Fpackage%25name/changes")


 def test_logs_url(web_client: WebClient, package_ahriman: Package) -> None:
@ -47,6 +47,7 @@ def test_logs_url(web_client: WebClient, package_ahriman: Package) -> None:
    """
    assert web_client._logs_url(package_ahriman.base).startswith(web_client.address)
    assert web_client._logs_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}/logs")
+    assert web_client._logs_url("some/package%name").endswith("/api/v1/packages/some%2Fpackage%25name/logs")


 def test_package_url(web_client: WebClient, package_ahriman: Package) -> None:
@ -58,6 +59,7 @@ def test_package_url(web_client: WebClient, package_ahriman: Package) -> None:

    assert web_client._package_url(package_ahriman.base).startswith(web_client.address)
    assert web_client._package_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}")
+    assert web_client._package_url("some/package%name").endswith("/api/v1/packages/some%2Fpackage%25name")


 def test_status_url(web_client: WebClient) -> None: