Google Git
Sign in
go / vulndb / 3cc86e28b752a48b5962a8cec5e1554fc6a4d044^! / .
commit3cc86e28b752a48b5962a8cec5e1554fc6a4d044[log] [tgz]
authorDamien Neil <dneil@google.com>Mon Jan 10 16:20:08 2022 -0800
committerDamien Neil <dneil@google.com>Tue Jan 11 16:19:49 2022 +0000
tree24df4f338ea1b2693373570f2c81907c15406715
parent76d51cb0249508fcfde89fe9bca7ce2ecf633400 [diff]
internal/report: escape module path/version in requests

The module proxy protocol escapes upper-case letters in module paths
and versions, converting (for example) example.com/M to example.com/!m.
Perform this escaping when consulting the proxy.

Change-Id: I5751e020db53558f18f906a6215e71eb40d9c58d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377574
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>

diff --git a/internal/report/lint.go b/internal/report/lint.go
index 0633b7c..2c667b5 100644
--- a/internal/report/lint.go
+++ b/internal/report/lint.go

@@ -32,9 +32,13 @@
 	}
 }
 
-func getModVersions(module string) (_ map[string]bool, err error) {
-	defer derrors.Wrap(&err, "getModVersions(%q)", module)
-	resp, err := http.Get(fmt.Sprintf("%s/%s/@v/list", proxyURL, module))
+func getModVersions(path string) (_ map[string]bool, err error) {
+	defer derrors.Wrap(&err, "getModVersions(%q)", path)
+	escaped, err := module.EscapePath(path)
+	if err != nil {
+		return nil, err
+	}
+	resp, err := http.Get(fmt.Sprintf("%s/%s/@v/list", proxyURL, escaped))
 	if err != nil {
 		return nil, err
 	}
@@ -50,9 +54,17 @@
 	return versions, nil
 }
 
-func getCanonicalModName(module, version string) (_ string, err error) {
-	defer derrors.Wrap(&err, "getCanonicalModName(%q, %q)", module, version)
-	resp, err := http.Get(fmt.Sprintf("%s/%s/@v/%s.mod", proxyURL, module, version))
+func getCanonicalModName(path, version string) (_ string, err error) {
+	defer derrors.Wrap(&err, "getCanonicalModName(%q, %q)", path, version)
+	escapedPath, err := module.EscapePath(path)
+	if err != nil {
+		return "", err
+	}
+	escapedVersion, err := module.EscapeVersion(version)
+	if err != nil {
+		return "", err
+	}
+	resp, err := http.Get(fmt.Sprintf("%s/%s/@v/%s.mod", proxyURL, escapedPath, escapedVersion))
 	if err != nil {
 		return "", err
 	}
@@ -66,7 +78,7 @@
 		return "", err
 	}
 	if m.Module == nil {
-		return "", fmt.Errorf("unable to retrieve module information for %s", module)
+		return "", fmt.Errorf("unable to retrieve module information for %s", path)
 	}
 	return m.Module.Mod.Path, nil
 }