WIP: Endpoint() constructor: Roundtrip the URL through URIs.resolvereference(), and make sure it is unchanged

Project.toml

@@ -9,18 +9,20 @@ HTTP = "cd3eb016-35fb-5094-929b-558a96fad6f3"
 JSON3 = "0f8b85d8-7281-11e9-16c2-39a750bddbf1"
 StructTypes = "856f2bd8-1eba-4b0a-8007-ebc267875bd4"
 TimeZones = "f269a46b-ccf7-5d73-abea-4c690281aa53"
+URIs = "5c2747f8-b7ea-4ff2-ba2e-563bfd36b1d4"
 UUIDs = "cf7118a7-6976-5b1a-9a39-7adc72f591a4"
 
 [compat]
 HTTP = "0.9, 1"
 JSON3 = "1"
 StructTypes = "1"
 TimeZones = "1"
+URIs = "1.6" # Must be >= 1.6, to get https://github.com/JuliaWeb/URIs.jl/pull/66
 julia = "1.6"
 
 [extras]
-Test = "8dfed614-e22c-5e08-85e1-65c5234f0b40"
 Logging = "56ddb016-857b-54e1-b83d-db4d58db5568"
+Test = "8dfed614-e22c-5e08-85e1-65c5234f0b40"
 
 [targets]
 test = ["Test", "Logging"]

src/GitForge.jl

@@ -6,6 +6,7 @@ using Base.StackTraces: StackTrace
 using Dates
 using Dates: Period, UTC, now
 using HTTP: HTTP
+using URIs: URIs
 using UUIDs: UUID
 using JSON3: JSON3, @writechar, @check, realloc!
 using StructTypes: StructTypes, UnorderedStruct, StructType, DictType, StringType

src/forge.jl

@@ -154,6 +154,35 @@ function JSON3.write(ctx::FieldContext{FORGE, T}, buf, pos, len, x::T; kw...) wh
     return buf, pos, len
 end
 
+function assert_check_endpoint_url(url::AbstractString)
+    # Do not allow path navigation in URLs
+    # Disallowed pattern: ..
+    if occursin(r"\.\.", url)
+        throw(ArgumentError("URLs cannot contain path navigation"))
+    end
+
+    # Additional disallowed patterns:
+    # ../, ..\, /.., \.., ./, .\, /./, \.\
+    PATH_TRAVERSAL = r"(?:\.{2,}[\/\\]|\.{1,}[\/\\]|[\/\\]\.{2,}|[\/\\]\.{1,}[\/\\])"
+    if occursin(PATH_TRAVERSAL, url)
+        throw(ArgumentError("URLs cannot contain path navigation"))
+    end
+
+    # do not allow new lines or carriage returns in URLs
+    if occursin(r"\s", url)
+        throw(ArgumentError("URLs cannot contain line breaks"))
+    end
+
+    # Roundtrip the URL through `URIs.resolvereference()`, and make sure it is unchanged
+    new_path = URIs.resolvereference("https://example.invalid/", url).path
+    url_leading_slash = "/" * url
+    if (new_path != url) && (new_path != url_leading_slash)
+        throw(ArgumentError("URLs cannot contain path navigation: $(url)"))
+    end
+
+    return nothing
+end
+
 """
     Endpoint(
         method::Symbol,
@@ -187,14 +216,7 @@ struct Endpoint
         query::Dict=Dict(),
         allow_404::Bool=false,
     )
-        # do not allow path navigation in URLs
-        if occursin(r"\.\.", url)
-            throw(ArgumentError("URLs cannot contain path navigation"))
-        end
-        # do not allow new lines or carriage returns in URLs
-        if occursin(r"\s", url)
-            throw(ArgumentError("URLs cannot contain line breaks"))
-        end
+        assert_check_endpoint_url(url)
         return new(method, url, headers, query, allow_404)
     end
 end