From 6eeef39fe5f7919c5af649f7c9799aef78b46e28 Mon Sep 17 00:00:00 2001
From: Evgenii Alekseev
Date: Wed, 3 Jan 2024 14:28:20 +0200
Subject: [PATCH] fix: safe urls for packages

String catenation used for url generators didn't encode package names which could lead to missing data in case if e.g. there is slash (/) in package name
---
 src/ahriman/core/status/web_client.py | 6 +++---
 tests/ahriman/core/status/test_web_client.py | 4 +++-
 2 files changed, 6 insertions(+), 4 deletions(-)

diff --git a/src/ahriman/core/status/web_client.py b/src/ahriman/core/status/web_client.py
index 6214b513..45a05a90 100644
--- a/src/ahriman/core/status/web_client.py
+++ b/src/ahriman/core/status/web_client.py
@@ -94,7 +94,7 @@ class WebClient(Client, SyncAhrimanClient):
 Returns:
 str: full url for web service for logs
 """
- return f"{self.address}/api/v1/packages/{package_base}/changes"
+ return f"{self.address}/api/v1/packages/{urlencode(package_base)}/changes"

 def _logs_url(self, package_base: str) -> str:
 """
@@ -106,7 +106,7 @@ class WebClient(Client, SyncAhrimanClient):
 Returns:
 str: full url for web service for logs
 """
- return f"{self.address}/api/v1/packages/{package_base}/logs"
+ return f"{self.address}/api/v1/packages/{urlencode(package_base)}/logs"

 def _package_url(self, package_base: str = "") -> str:
 """
@@ -118,7 +118,7 @@ class WebClient(Client, SyncAhrimanClient):
 Returns:
 str: full url of web service for specific package base
 """
- suffix = f"/{package_base}" if package_base else ""
+ suffix = f"/{urlencode(package_base)}" if package_base else ""
 return f"{self.address}/api/v1/packages{suffix}"

 def _status_url(self) -> str:
diff --git a/tests/ahriman/core/status/test_web_client.py b/tests/ahriman/core/status/test_web_client.py
index 2ec25c38..c174d396 100644
--- a/tests/ahriman/core/status/test_web_client.py
+++ b/tests/ahriman/core/status/test_web_client.py
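Review bot: In src/ahriman/core/status/web_client.py, percent-encoding the segment does not neutralise dot segments: a `package_base` of `.` or `..` passes through `urlencode(...)` unchanged in `_changes_url`, `_logs_url` and `_package_url`, and an HTTP client that normalises paths per RFC 3986 may then request a different endpoint than the one intended. If package bases can reach these helpers without prior validation, a guard such as `if package_base in (".", ".."): raise ValueError(package_base)` before the f-string would close that gap. `urlencode` is not imported in these hunks, so it is presumably an existing alias in the module; because `urllib.parse.urlencode` itself expects a mapping, a comment at the import such as `# path-segment quoting, "/" is not in the safe set` would keep the name from misleading a later reader. The `_changes_url` docstring visible in the first hunk's context still reads `full url for web service for logs`. The signatures of `_changes_url` and `_logs_url` lie outside the hunks shown.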
@@ -12,7 +12,6 @@ from ahriman.models.changes import Changes
 from ahriman.models.internal_status import InternalStatus
 from ahriman.models.log_record_id import LogRecordId
 from ahriman.models.package import Package
-from ahriman.models.worker import Worker


 def test_parse_address(configuration: Configuration) -> None:
@@ -39,6 +38,7 @@ def test_changes_url(web_client: WebClient, package_ahriman: Package) -> None:
 """
 assert web_client._changes_url(package_ahriman.base).startswith(web_client.address)
 assert web_client._changes_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}/changes")
+ assert web_client._changes_url("some/package%name").endswith("/api/v1/packages/some%2Fpackage%25name/changes")


 def test_logs_url(web_client: WebClient, package_ahriman: Package) -> None:
@@ -47,6 +47,7 @@ def test_logs_url(web_client: WebClient, package_ahriman: Package) -> None:
 """
 assert web_client._logs_url(package_ahriman.base).startswith(web_client.address)
 assert web_client._logs_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}/logs")
+ assert web_client._logs_url("some/package%name").endswith("/api/v1/packages/some%2Fpackage%25name/logs")


 def test_package_url(web_client: WebClient, package_ahriman: Package) -> None:
@@ -58,6 +59,7 @@ def test_package_url(web_client: WebClient, package_ahriman: Package) -> None:
 assert web_client._package_url(package_ahriman.base).startswith(web_client.address)
 assert web_client._package_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}")
+ assert web_client._package_url("some/package%name").endswith("/api/v1/packages/some%2Fpackage%25name")


 def test_status_url(web_client: WebClient) -> None:
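Review bot: The assertions added to `test_changes_url`, `test_logs_url` and `test_package_url` exercise only `/` and `%`, while `?` and `#` are the other characters that would silently cut the request path short if they were left raw. One extra case would pin that, for example `assert web_client._package_url("a?b#c").endswith("/api/v1/packages/a%3Fb%23c")`, assuming the quoting helper encodes reserved characters as the existing `%2F` expectation suggests. The test function bodies begin outside these hunks.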