From 83e9c0b73fbb72fbb1667ceb3b9dcfffcc30b656 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Roth?=
Date: Thu, 10 Oct 2024 19:08:58 +0200
Subject: [PATCH] use PathEscape

---
 api/publish.go | 14 +++++++-------
 api/repos.go | 2 +-
 utils/utils.go | 8 ++++++++
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/api/publish.go b/api/publish.go
index b05b43f56..946888b11 100644
--- a/api/publish.go
+++ b/api/publish.go
@@ -9,6 +9,7 @@ import (
 "github.com/aptly-dev/aptly/deb"
 "github.com/aptly-dev/aptly/pgp"
 "github.com/aptly-dev/aptly/task"
+"github.com/aptly-dev/aptly/utils"
 "github.com/gin-gonic/gin"
 )
@@ -43,11 +44,10 @@ func getSigner(options *SigningOptions) (pgp.Signer, error) {
 return signer, nil
 }
-// Replace '_' with '/' and double '__' with single '_', remove leading '/', remove '..'
-func parseEscapedPath(path string) string {
+// Replace '_' with '/' and double '__' with single '_', pathEscape
+func slashEscape(path string) string {
 result := strings.Replace(strings.Replace(path, "_", "/", -1), "//", "_", -1)
-result = strings.Replace(result, "..", "", -1)
-result = strings.TrimPrefix(result, "/")
+result = PathEscape(result)
 if result == "" {
 result = "."
 }
@@ -88,7 +88,7 @@ func apiPublishList(c *gin.Context) {
 // POST /publish/:prefix
 func apiPublishRepoOrSnapshot(c *gin.Context) {
-param := parseEscapedPath(c.Params.ByName("prefix"))
+param := slashEscape(c.Params.ByName("prefix"))
 storage, prefix := deb.ParsePrefix(param)
 var b struct {
@@ -250,7 +250,7 @@ func apiPublishRepoOrSnapshot(c *gin.Context) {
 // PUT /publish/:prefix/:distribution
 func apiPublishUpdateSwitch(c *gin.Context) {
-param := parseEscapedPath(c.Params.ByName("prefix"))
+param := slashEscape(c.Params.ByName("prefix"))
 storage, prefix := deb.ParsePrefix(param)
 distribution := c.Params.ByName("distribution")
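Review bot: `result = PathEscape(result)` in slashEscape calls the helper unqualified, while the function this commit adds lives in package utils and the first hunk adds the import `"github.com/aptly-dev/aptly/utils"` to this file; unless package api already defines its own PathEscape, this should read `result = utils.PathEscape(result)` (and the unqualified call in the api/repos.go hunk likewise), otherwise the build fails either on the undefined name or on the unused import. The replacement comment `// Replace '_' with '/' and double '__' with single '_', pathEscape` would read more clearly as `// slashEscape maps '_' to '/' and '__' to '_' in a URL path segment, then strips ".." and a leading "/" via utils.PathEscape.` The body of slashEscape continues past the end of the hunk.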
@@ -375,7 +375,7 @@ func apiPublishDrop(c *gin.Context) {
 force := c.Request.URL.Query().Get("force") == "1"
 skipCleanup := c.Request.URL.Query().Get("SkipCleanup") == "1"
-param := parseEscapedPath(c.Params.ByName("prefix"))
+param := slashEscape(c.Params.ByName("prefix"))
 storage, prefix := deb.ParsePrefix(param)
 distribution := c.Params.ByName("distribution")
diff --git a/api/repos.go b/api/repos.go
index 81425f999..1ee5fadce 100644
--- a/api/repos.go
+++ b/api/repos.go
@@ -620,7 +620,7 @@ func apiReposIncludePackageFromDir(c *gin.Context) {
 var sources []string
 var taskName string
-dirParam := c.Params.ByName("dir")
+dirParam := PathEscape(c.Params.ByName("dir"))
 fileParam := c.Params.ByName("file")
 if fileParam != "" && !verifyPath(fileParam) {
 AbortWithJSONError(c, 400, fmt.Errorf("wrong file"))
diff --git a/utils/utils.go b/utils/utils.go
index 4d4734fc7..1116ec744 100644
--- a/utils/utils.go
+++ b/utils/utils.go
@@ -4,6 +4,7 @@ package utils
 import (
 "fmt"
 "os"
+"strings"
 "golang.org/x/sys/unix"
 )
@@ -22,3 +23,10 @@ func DirIsAccessible(filename string) error {
 }
 return nil
 }
+
+// Remove leading '/', remove '..'
+func PathEscape(path string) (result string) {
+result = strings.Replace(path, "..", "", -1)
+result = strings.TrimPrefix(result, "/")
+return
+}
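Review bot: `dirParam := PathEscape(c.Params.ByName("dir"))` silently rewrites the directory name instead of rejecting it, while the `file` parameter two lines below is validated with `verifyPath` and refused with a 400 on failure; a `dir` value containing ".." (constructed example: `up..load`) is quietly turned into a different, possibly existing name (`upload`) rather than reported to the caller. Assuming verifyPath covers the same cases for a directory name, `if !verifyPath(dirParam) { AbortWithJSONError(c, 400, fmt.Errorf("wrong dir")); return }` placed before any filesystem use would keep both parameters under one rule and keep the error visible. apiReposIncludePackageFromDir continues outside the hunk, so I cannot see whether dirParam is checked further down.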
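Review bot: `strings.TrimPrefix(result, "/")` in PathEscape removes only one leading slash, so a value beginning with `//` still comes out as an absolute path (`//x` becomes `/x`); `result = strings.TrimLeft(result, "/")` strips the whole run. The doc comment should start with the function name per Go convention and say what the function is not, since the name invites confusion with url.PathEscape: `// PathEscape strips every ".." and any leading "/" from path. It is a sanitiser, not URL escaping.` `strings.Replace(path, "..", "", -1)` can be `strings.ReplaceAll(path, "..", "")`, and the named result with a naked return adds nothing in a three-line function.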