Merge pull request #5967 from seipan/fix/url-encode

Fix infinite loop in HTTP client by validating URLs before requests
2026-05-17 18:25:26 +00:00 · 2025-08-24 12:13:06 -07:00
parent 4468c8c9c7 2a79ea148d
commit 39086340ad
2 changed files with 17 additions and 1 deletions
--- a/api/internal/loader/fileloader.go
+++ b/api/internal/loader/fileloader.go
@@ -311,7 +311,11 @@ func (fl *FileLoader) httpClientGetContent(path string) ([]byte, error) {
 	} else {
 		hc = &http.Client{}
 	}
-	resp, err := hc.Get(path)
+	parsedURL, err := url.ParseRequestURI(path)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	resp, err := hc.Get(parsedURL.String())
 	if err != nil {
 		return nil, errors.Wrap(err)
 	}
--- a/api/internal/loader/fileloader_test.go
+++ b/api/internal/loader/fileloader_test.go
@@ -676,3 +676,15 @@ func setupOnDisk(t *testing.T) (filesys.FileSystem, filesys.ConfirmedDir) {
 	})
 	return fSys, dir
 }
+
+// TestLoaderHTTPMalformedURL tests that malformed URLs are properly handled
+// to prevent infinite loops in http.Client.Get
+func TestLoaderHTTPMalformedURL(t *testing.T) {
+	require := require.New(t)
+	malformedURL := "https://example.com/example?ref=main - ../../example/example.yaml"
+	l1 := NewLoaderOrDie(
+		RestrictionRootOnly, MakeFakeFs([]testData{}), filesys.Separator)
+	_, err := l1.Load(malformedURL)
+	require.Error(err)
+	require.Equal("HTTP Error: status code 500 (Internal Server Error)", err.Error())
+}