fix: safe urls for packages

String concatenation in the URL generators did not encode package names,
which could lead to missing data if, for example, the package name
contains a slash (/).
Evgenii Alekseev 2024-01-03 14:28:20 +02:00
parent 0e6434faad
commit 6eeef39fe5
2 changed files with 6 additions and 4 deletions


@ -94,7 +94,7 @@ class WebClient(Client, SyncAhrimanClient):
Returns: Returns:
str: full url for web service for logs str: full url for web service for logs
""" """
return f"{self.address}/api/v1/packages/{package_base}/changes" return f"{self.address}/api/v1/packages/{urlencode(package_base)}/changes"
def _logs_url(self, package_base: str) -> str: def _logs_url(self, package_base: str) -> str:
""" """
@ -106,7 +106,7 @@ class WebClient(Client, SyncAhrimanClient):
Returns: Returns:
str: full url for web service for logs str: full url for web service for logs
""" """
return f"{self.address}/api/v1/packages/{package_base}/logs" return f"{self.address}/api/v1/packages/{urlencode(package_base)}/logs"
def _package_url(self, package_base: str = "") -> str: def _package_url(self, package_base: str = "") -> str:
""" """
@ -118,7 +118,7 @@ class WebClient(Client, SyncAhrimanClient):
Returns: Returns:
str: full url of web service for specific package base str: full url of web service for specific package base
""" """
suffix = f"/{package_base}" if package_base else "" suffix = f"/{urlencode(package_base)}" if package_base else ""
return f"{self.address}/api/v1/packages{suffix}" return f"{self.address}/api/v1/packages{suffix}"
def _status_url(self) -> str: def _status_url(self) -> str:
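Review bot: Percent-encoding `package_base` in `_changes_url`, `_logs_url` and `_package_url` still leaves `.` and `..` unchanged, so such a value stays a dot segment that an HTTP client or proxy may normalise onto a different endpoint; unless package bases are validated before they reach these helpers, a guard like `if package_base in (".", ".."): raise ValueError(package_base)` is worth adding. The `urlencode` name is imported outside these hunks, and since the standard `urllib.parse.urlencode` takes a mapping or sequence of pairs rather than a string, it is presumably an alias for a quoting function. If that alias is `quote_plus`, a space would become `+`, which is not decoded back to a space in a path segment, so `quote(package_base, safe="")` would be the precise call for path components. Separately, the `Returns:` line above the `/changes` return still says "for logs" and could read `str: full url for web service for changes`.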


@ -12,7 +12,6 @@ from ahriman.models.changes import Changes
from ahriman.models.internal_status import InternalStatus from ahriman.models.internal_status import InternalStatus
from ahriman.models.log_record_id import LogRecordId from ahriman.models.log_record_id import LogRecordId
from ahriman.models.package import Package from ahriman.models.package import Package
from ahriman.models.worker import Worker
def test_parse_address(configuration: Configuration) -> None: def test_parse_address(configuration: Configuration) -> None:
@ -39,6 +38,7 @@ def test_changes_url(web_client: WebClient, package_ahriman: Package) -> None:
""" """
assert web_client._changes_url(package_ahriman.base).startswith(web_client.address) assert web_client._changes_url(package_ahriman.base).startswith(web_client.address)
assert web_client._changes_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}/changes") assert web_client._changes_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}/changes")
assert web_client._changes_url("some/package%name").endswith("/api/v1/packages/some%2Fpackage%25name/changes")
def test_logs_url(web_client: WebClient, package_ahriman: Package) -> None: def test_logs_url(web_client: WebClient, package_ahriman: Package) -> None:
@ -47,6 +47,7 @@ def test_logs_url(web_client: WebClient, package_ahriman: Package) -> None:
""" """
assert web_client._logs_url(package_ahriman.base).startswith(web_client.address) assert web_client._logs_url(package_ahriman.base).startswith(web_client.address)
assert web_client._logs_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}/logs") assert web_client._logs_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}/logs")
assert web_client._logs_url("some/package%name").endswith("/api/v1/packages/some%2Fpackage%25name/logs")
def test_package_url(web_client: WebClient, package_ahriman: Package) -> None: def test_package_url(web_client: WebClient, package_ahriman: Package) -> None:
@ -58,6 +59,7 @@ def test_package_url(web_client: WebClient, package_ahriman: Package) -> None:
assert web_client._package_url(package_ahriman.base).startswith(web_client.address) assert web_client._package_url(package_ahriman.base).startswith(web_client.address)
assert web_client._package_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}") assert web_client._package_url(package_ahriman.base).endswith(f"/api/v1/packages/{package_ahriman.base}")
assert web_client._package_url("some/package%name").endswith("/api/v1/packages/some%2Fpackage%25name")
def test_status_url(web_client: WebClient) -> None: def test_status_url(web_client: WebClient) -> None:
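Review bot: The new assertions in `test_changes_url`, `test_logs_url` and `test_package_url` pin only `/` and `%`, while `?` and `#` also change how a URL is split and would silently cut the path short if the encoding ever regressed. One more case per helper would lock that in, for example `assert web_client._package_url("some?package#name").endswith("/api/v1/packages/some%3Fpackage%23name")`. The dropped `Worker` import in the first hunk appears unrelated to URL encoding and would be easier to trace in its own commit or with a mention in the description.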