Skip to content

Commit

Permalink
fix(git-host): disallow URI-encoded slash (%2F) in path
Browse files Browse the repository at this point in the history
PR-URL: #44
Credit: @ybiquitous
Close: #44
Reviewed-by: @isaacs
  • Loading branch information
ybiquitous authored and isaacs committed Aug 4, 2019
1 parent b681019 commit 3776fa5
Show file tree
Hide file tree
Showing 6 changed files with 30 additions and 1 deletion.
9 changes: 8 additions & 1 deletion git-host.js
Original file line number Diff line number Diff line change
Expand Up @@ -38,7 +38,14 @@ GitHost.prototype._fill = function (template, opts) {
var rawPath = vars.path
var rawProject = vars.project
Object.keys(vars).forEach(function (key) {
vars[key] = encodeURIComponent(vars[key])
var value = vars[key]
if (key === 'path' && typeof value === 'string') {
vars[key] = value.split('/').map(function (pathComponent) {
return encodeURIComponent(pathComponent)
}).join('/')
} else {
vars[key] = encodeURIComponent(value)
}
})
vars['auth@'] = rawAuth ? rawAuth + '@' : ''
vars['#fragment'] = rawFragment ? '#' + this.hashformat(rawFragment) : ''
Expand Down
5 changes: 5 additions & 0 deletions test/bitbucket.js
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,18 @@ test('fromUrl(bitbucket url)', function (t) {
if (!hostinfo) return
t.is(hostinfo.https(), 'git+https://bitbucket.org/111/222.git' + hash, label + ' -> https')
t.is(hostinfo.browse(), 'https://bitbucket.org/111/222' + (branch ? '/src/' + branch : ''), label + ' -> browse')
t.is(hostinfo.browse(''), 'https://bitbucket.org/111/222/src/' + (branch || 'master') + '/', label + ' -> browse(path)')
t.is(hostinfo.browse('C'), 'https://bitbucket.org/111/222/src/' + (branch || 'master') + '/C', label + ' -> browse(path)')
t.is(hostinfo.browse('C/D'), 'https://bitbucket.org/111/222/src/' + (branch || 'master') + '/C/D', label + ' -> browse(path)')
t.is(hostinfo.browse('C', 'A'), 'https://bitbucket.org/111/222/src/' + (branch || 'master') + '/C#a', label + ' -> browse(path, fragment)')
t.is(hostinfo.browse('C/D', 'A'), 'https://bitbucket.org/111/222/src/' + (branch || 'master') + '/C/D#a', label + ' -> browse(path, fragment)')
t.is(hostinfo.docs(), 'https://bitbucket.org/111/222' + (branch ? '/src/' + branch : '') + '#readme', label + ' -> docs')
t.is(hostinfo.ssh(), 'git@bitbucket.org:111/222.git' + hash, label + ' -> ssh')
t.is(hostinfo.sshurl(), 'git+ssh://git@bitbucket.org/111/222.git' + hash, label + ' -> sshurl')
t.is(hostinfo.shortcut(), 'bitbucket:111/222' + hash, label + ' -> shortcut')
t.is(hostinfo.file(''), 'https://bitbucket.org/111/222/raw/' + (branch || 'master') + '/', label + ' -> file')
t.is(hostinfo.file('C'), 'https://bitbucket.org/111/222/raw/' + (branch || 'master') + '/C', label + ' -> file')
t.is(hostinfo.file('C/D'), 'https://bitbucket.org/111/222/raw/' + (branch || 'master') + '/C/D', label + ' -> file')
t.is(hostinfo.tarball(), 'https://bitbucket.org/111/222/get/' + (branch || 'master') + '.tar.gz', label + ' -> tarball')
}

Expand Down
4 changes: 4 additions & 0 deletions test/gist.js
Original file line number Diff line number Diff line change
Expand Up @@ -13,14 +13,18 @@ test('fromUrl(gist url)', function (t) {
t.is(hostinfo.git(), 'git://gist.github.com/' + proj + '.git' + hash, label + ' -> git')
t.is(hostinfo.browse(), 'https://gist.github.com/' + proj + (branch ? '/' + branch : ''), label + ' -> browse')
t.is(hostinfo.browse('C'), 'https://gist.github.com/' + proj + (branch ? '/' + branch : '') + '#file-c', label + ' -> browse(path)')
t.is(hostinfo.browse('C/D'), 'https://gist.github.com/' + proj + (branch ? '/' + branch : '') + '#file-cd', label + ' -> browse(path)')
t.is(hostinfo.browse('C', 'A'), 'https://gist.github.com/' + proj + (branch ? '/' + branch : '') + '#file-c', label + ' -> browse(path, fragment)')
t.is(hostinfo.browse('C/D', 'A'), 'https://gist.github.com/' + proj + (branch ? '/' + branch : '') + '#file-cd', label + ' -> browse(path)')
t.is(hostinfo.bugs(), 'https://gist.github.com/' + proj, label + ' -> bugs')
t.is(hostinfo.docs(), 'https://gist.github.com/' + proj + (branch ? '/' + branch : ''), label + ' -> docs')
t.is(hostinfo.ssh(), 'git@gist.github.com:/' + proj + '.git' + hash, label + ' -> ssh')
t.is(hostinfo.sshurl(), 'git+ssh://git@gist.github.com/' + proj + '.git' + hash, label + ' -> sshurl')
t.is(hostinfo.shortcut(), 'gist:' + proj + hash, label + ' -> shortcut')
if (hostinfo.user) {
t.is(hostinfo.file(''), 'https://gist.githubusercontent.com/111/' + proj + '/raw/' + (branch ? branch + '/' : ''), label + ' -> file')
t.is(hostinfo.file('C'), 'https://gist.githubusercontent.com/111/' + proj + '/raw/' + (branch ? branch + '/' : '') + 'C', label + ' -> file')
t.is(hostinfo.file('C/D'), 'https://gist.githubusercontent.com/111/' + proj + '/raw/' + (branch ? branch + '/' : '') + 'C/D', label + ' -> file')
t.is(hostinfo.tarball(), 'https://gist.github.com/111/' + proj + '/archive/' + (branch || 'master') + '.tar.gz', label + ' -> tarball')
}
}
Expand Down
5 changes: 5 additions & 0 deletions test/github.js
Original file line number Diff line number Diff line change
Expand Up @@ -13,8 +13,11 @@ test('fromUrl(github url)', function (t) {
t.is(hostinfo.https(), 'git+https://github.com/111/222.git' + hash, label + ' -> https')
t.is(hostinfo.git(), 'git://github.com/111/222.git' + hash, label + ' -> git')
t.is(hostinfo.browse(), 'https://github.com/111/222' + treebranch, label + ' -> browse')
t.is(hostinfo.browse(''), 'https://github.com/111/222/tree/' + (branch || 'master') + '/', label + ' -> browse("")')
t.is(hostinfo.browse('C'), 'https://github.com/111/222/tree/' + (branch || 'master') + '/C', label + ' -> browse(path)')
t.is(hostinfo.browse('C/D'), 'https://github.com/111/222/tree/' + (branch || 'master') + '/C/D', label + ' -> browse(path)')
t.is(hostinfo.browse('C', 'A'), 'https://github.com/111/222/tree/' + (branch || 'master') + '/C#a', label + ' -> browse(path, fragment)')
t.is(hostinfo.browse('C/D', 'A'), 'https://github.com/111/222/tree/' + (branch || 'master') + '/C/D#a', label + ' -> browse(path, fragment)')
t.is(hostinfo.bugs(), 'https://github.com/111/222/issues', label + ' -> bugs')
t.is(hostinfo.docs(), 'https://github.com/111/222' + treebranch + '#readme', label + ' -> docs')
t.is(hostinfo.ssh(), 'git@github.com:111/222.git' + hash, label + ' -> ssh')
Expand All @@ -24,7 +27,9 @@ test('fromUrl(github url)', function (t) {
t.is(hostinfo.hash(), hash, ' -> hash')
t.is(hostinfo.path({ noCommittish: true }), '111/222', ' -> path (no committish)')
t.is(hostinfo.shortcut(), 'github:111/222' + hash, label + ' -> shortcut')
t.is(hostinfo.file(''), 'https://raw.githubusercontent.com/111/222/' + (branch || 'master') + '/', label + ' -> file')
t.is(hostinfo.file('C'), 'https://raw.githubusercontent.com/111/222/' + (branch || 'master') + '/C', label + ' -> file')
t.is(hostinfo.file('C/D'), 'https://raw.githubusercontent.com/111/222/' + (branch || 'master') + '/C/D', label + ' -> file')
t.is(hostinfo.tarball(), 'https://codeload.github.com/111/222/tar.gz/' + (branch || 'master'), label + ' -> tarball')
}

Expand Down
5 changes: 5 additions & 0 deletions test/gitlab.js
Original file line number Diff line number Diff line change
Expand Up @@ -10,13 +10,18 @@ test('fromUrl(gitlab url)', function (t) {
if (!hostinfo) return
t.is(hostinfo.https(), 'git+https://gitlab.com/111/222.git' + hash, label + ' -> https')
t.is(hostinfo.browse(), 'https://gitlab.com/111/222' + (branch ? '/tree/' + branch : ''), label + ' -> browse')
t.is(hostinfo.browse(''), 'https://gitlab.com/111/222/tree/' + (branch || 'master') + '/', label + ' -> browse(path)')
t.is(hostinfo.browse('C'), 'https://gitlab.com/111/222/tree/' + (branch || 'master') + '/C', label + ' -> browse(path)')
t.is(hostinfo.browse('C/D'), 'https://gitlab.com/111/222/tree/' + (branch || 'master') + '/C/D', label + ' -> browse(path)')
t.is(hostinfo.browse('C', 'A'), 'https://gitlab.com/111/222/tree/' + (branch || 'master') + '/C#a', label + ' -> browse(path, fragment)')
t.is(hostinfo.browse('C/D', 'A'), 'https://gitlab.com/111/222/tree/' + (branch || 'master') + '/C/D#a', label + ' -> browse(path, fragment)')
t.is(hostinfo.docs(), 'https://gitlab.com/111/222' + (branch ? '/tree/' + branch : '') + '#readme', label + ' -> docs')
t.is(hostinfo.ssh(), 'git@gitlab.com:111/222.git' + hash, label + ' -> ssh')
t.is(hostinfo.sshurl(), 'git+ssh://git@gitlab.com/111/222.git' + hash, label + ' -> sshurl')
t.is(hostinfo.shortcut(), 'gitlab:111/222' + hash, label + ' -> shortcut')
t.is(hostinfo.file(''), 'https://gitlab.com/111/222/raw/' + (branch || 'master') + '/', label + ' -> file')
t.is(hostinfo.file('C'), 'https://gitlab.com/111/222/raw/' + (branch || 'master') + '/C', label + ' -> file')
t.is(hostinfo.file('C/D'), 'https://gitlab.com/111/222/raw/' + (branch || 'master') + '/C/D', label + ' -> file')
t.is(hostinfo.tarball(), 'https://gitlab.com/111/222/repository/archive.tar.gz?ref=' + (branch || 'master'), label + ' -> tarball')
}

Expand Down
3 changes: 3 additions & 0 deletions test/https-with-inline-auth.js
Original file line number Diff line number Diff line change
Expand Up @@ -12,13 +12,16 @@ test('HTTPS GitHub URL with embedded auth -- generally not a good idea', functio
t.is(hostinfo.git(), 'git://user:pass@github.com/111/222.git' + hash, label + ' -> git')
t.is(hostinfo.browse(), 'https://github.com/111/222' + (branch ? '/tree/' + branch : ''), label + ' -> browse')
t.is(hostinfo.browse('C'), 'https://github.com/111/222/tree/' + (branch || 'master') + '/C', label + ' -> browse(path)')
t.is(hostinfo.browse('C/D'), 'https://github.com/111/222/tree/' + (branch || 'master') + '/C/D', label + ' -> browse(path)')
t.is(hostinfo.browse('C', 'A'), 'https://github.com/111/222/tree/' + (branch || 'master') + '/C#a', label + ' -> browse(path, fragment)')
t.is(hostinfo.browse('C/D', 'A'), 'https://github.com/111/222/tree/' + (branch || 'master') + '/C/D#a', label + ' -> browse(path, fragment)')
t.is(hostinfo.bugs(), 'https://github.com/111/222/issues', label + ' -> bugs')
t.is(hostinfo.docs(), 'https://github.com/111/222' + (branch ? '/tree/' + branch : '') + '#readme', label + ' -> docs')
t.is(hostinfo.ssh(), 'git@github.com:111/222.git' + hash, label + ' -> ssh')
t.is(hostinfo.sshurl(), 'git+ssh://git@github.com/111/222.git' + hash, label + ' -> sshurl')
t.is(hostinfo.shortcut(), 'github:111/222' + hash, label + ' -> shortcut')
t.is(hostinfo.file('C'), 'https://user:pass@raw.githubusercontent.com/111/222/' + (branch || 'master') + '/C', label + ' -> file')
t.is(hostinfo.file('C/D'), 'https://user:pass@raw.githubusercontent.com/111/222/' + (branch || 'master') + '/C/D', label + ' -> file')
}

// insecure protocols
Expand Down

0 comments on commit 3776fa5

Please sign in to comment.