internal/report: escape module path/version in requests
The module proxy protocol escapes upper-case letters in module paths
and versions, converting (for example) example.com/M to example.com/!m.
Perform this escaping when consulting the proxy.
Change-Id: I5751e020db53558f18f906a6215e71eb40d9c58d
Reviewed-on: https://go-review.googlesource.com/c/vulndb/+/377574
Trust: Damien Neil <dneil@google.com>
Run-TryBot: Damien Neil <dneil@google.com>
TryBot-Result: Gopher Robot <gobot@golang.org>
Reviewed-by: Jonathan Amsterdam <jba@google.com>
diff --git a/internal/report/lint.go b/internal/report/lint.go
index 0633b7c..2c667b5 100644
--- a/internal/report/lint.go
+++ b/internal/report/lint.go
@@ -32,9 +32,13 @@
}
}
-func getModVersions(module string) (_ map[string]bool, err error) {
- defer derrors.Wrap(&err, "getModVersions(%q)", module)
- resp, err := http.Get(fmt.Sprintf("%s/%s/@v/list", proxyURL, module))
+func getModVersions(path string) (_ map[string]bool, err error) {
+ defer derrors.Wrap(&err, "getModVersions(%q)", path)
+ escaped, err := module.EscapePath(path)
+ if err != nil {
+ return nil, err
+ }
+ resp, err := http.Get(fmt.Sprintf("%s/%s/@v/list", proxyURL, escaped))
if err != nil {
return nil, err
}
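Review bot: The `http.Get` call on the changed line goes through `http.DefaultClient`, which has no timeout, so a stalled proxy connection would block the linter indefinitely; the same call appears in getCanonicalModName in the next hunk. A shared client with a bound would cover both, for example `var proxyClient = &http.Client{Timeout: 30 * time.Second}` and `resp, err := proxyClient.Get(...)`, where the 30s value is only a suggestion. The body of getModVersions continues past this hunk, so I cannot confirm from here whether `resp.StatusCode` is checked before the version list is parsed.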
@@ -50,9 +54,17 @@
return versions, nil
}
-func getCanonicalModName(module, version string) (_ string, err error) {
- defer derrors.Wrap(&err, "getCanonicalModName(%q, %q)", module, version)
- resp, err := http.Get(fmt.Sprintf("%s/%s/@v/%s.mod", proxyURL, module, version))
+func getCanonicalModName(path, version string) (_ string, err error) {
+ defer derrors.Wrap(&err, "getCanonicalModName(%q, %q)", path, version)
+ escapedPath, err := module.EscapePath(path)
+ if err != nil {
+ return "", err
+ }
+ escapedVersion, err := module.EscapeVersion(version)
+ if err != nil {
+ return "", err
+ }
+ resp, err := http.Get(fmt.Sprintf("%s/%s/@v/%s.mod", proxyURL, escapedPath, escapedVersion))
if err != nil {
return "", err
}
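Review bot: getCanonicalModName has no doc comment, and after this change its input contract is worth stating: `path` and `version` are taken in unescaped form, and a malformed value is rejected by `module.EscapePath` or `module.EscapeVersion` before any request is built. I would add `// getCanonicalModName returns the module path declared in the go.mod that the proxy serves for path@version.` followed by `// path and version are unescaped; invalid values return an error without contacting the proxy.` A matching comment fits getModVersions in the first hunk, which also lacks one. The function body continues outside this hunk.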
@@ -66,7 +78,7 @@
return "", err
}
if m.Module == nil {
- return "", fmt.Errorf("unable to retrieve module information for %s", module)
+ return "", fmt.Errorf("unable to retrieve module information for %s", path)
}
return m.Module.Mod.Path, nil
}