Update APIs to only accept encoded repository name that contains slash

Update APIs to only accept encoded repository name that contains slash

Signed-off-by: Wenkai Yin <yinw@vmware.com>
This commit is contained in:
Wenkai Yin 2020-04-04 11:06:22 +08:00
parent 42801b76e2
commit 7188e01569
7 changed files with 9 additions and 203 deletions

View File

@ -53,11 +53,7 @@ paths:
$ref: '#/responses/404' $ref: '#/responses/404'
'500': '500':
$ref: '#/responses/500' $ref: '#/responses/500'
# the _self suffix here is used to avoid the conflict of repository name and URL path /projects/{project_name}/repositories/{repository_name}:
# e.g. the repository name can be "library/artifacts", we cannot distinguish the URL
# "GET /projects/{project_name}/repositories/library/artifacts" is getting repository
# or listing artifacts
/projects/{project_name}/repositories/{repository_name}/_self:
get: get:
summary: Get repository summary: Get repository
description: Get the repository specified by name description: Get the repository specified by name
@ -671,7 +667,7 @@ parameters:
repositoryName: repositoryName:
name: repository_name name: repository_name
in: path in: path
description: The name of the repository description: The name of the repository. If it contains slash, encode it with URL encoding. e.g. a/b -> a%252Fb
required: true required: true
type: string type: string
reference: reference:

View File

@ -16,12 +16,13 @@ package artifact
import ( import (
"fmt" "fmt"
"github.com/goharbor/harbor/src/server/v2.0/models" "net/url"
cmodels "github.com/goharbor/harbor/src/common/models" cmodels "github.com/goharbor/harbor/src/common/models"
"github.com/goharbor/harbor/src/common/utils" "github.com/goharbor/harbor/src/common/utils"
"github.com/goharbor/harbor/src/controller/tag" "github.com/goharbor/harbor/src/controller/tag"
"github.com/goharbor/harbor/src/pkg/artifact" "github.com/goharbor/harbor/src/pkg/artifact"
"github.com/goharbor/harbor/src/server/v2.0/models"
) )
// Artifact is the overall view of artifact // Artifact is the overall view of artifact
@ -39,6 +40,8 @@ func (artifact *Artifact) SetAdditionLink(addition, version string) {
} }
projectName, repo := utils.ParseRepository(artifact.RepositoryName) projectName, repo := utils.ParseRepository(artifact.RepositoryName)
// encode slash as %252F
repo = url.PathEscape(url.PathEscape(repo))
href := fmt.Sprintf("/api/%s/projects/%s/repositories/%s/artifacts/%s/additions/%s", version, projectName, repo, artifact.Digest, addition) href := fmt.Sprintf("/api/%s/projects/%s/repositories/%s/artifacts/%s/additions/%s", version, projectName, repo, artifact.Digest, addition)
artifact.AdditionLinks[addition] = &AdditionLink{HREF: href, Absolute: false} artifact.AdditionLinks[addition] = &AdditionLink{HREF: href, Absolute: false}

View File

@ -1,100 +0,0 @@
// Copyright Project Harbor Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package path
import (
"net/http"
"net/url"
"regexp"
"github.com/goharbor/harbor/src/common/api"
"github.com/goharbor/harbor/src/server/middleware"
)
var (
defaultRegexps = []*regexp.Regexp{
regexp.MustCompile(`^/api/` + api.APIVersion + `/projects/.*/repositories/(.*)/_self/?$`),
regexp.MustCompile(`^/api/` + api.APIVersion + `/projects/.*/repositories/(.*)/artifacts/?$`),
regexp.MustCompile(`^/api/` + api.APIVersion + `/projects/.*/repositories/(.*)/artifacts/.*$`),
}
)
// EscapeMiddleware middleware which escape path parameters for swagger APIs
func EscapeMiddleware() func(http.Handler) http.Handler {
return middleware.New(func(w http.ResponseWriter, r *http.Request, next http.Handler) {
for _, re := range defaultRegexps {
if re.MatchString(r.URL.Path) {
r.URL.Path = escape(re, r.URL.Path)
break
}
}
next.ServeHTTP(w, r)
})
}
func escape(re *regexp.Regexp, path string) string {
return replaceAllSubmatchFunc(re, path, func(groups []string) []string {
var results []string
for _, group := range groups {
results = append(results, url.PathEscape(group))
}
return results
}, -1)
}
func replaceAllSubmatchFunc(re *regexp.Regexp, src string, repl func([]string) []string, n int) string {
var result string
last := 0
for _, match := range re.FindAllSubmatchIndex([]byte(src), n) {
// Append string between our last match and this one (i.e. non-matched string).
matchStart := match[0]
matchEnd := match[1]
result = result + src[last:matchStart]
last = matchEnd
// Determine the groups / submatch string and indices.
groups := []string{}
indices := [][2]int{}
for i := 2; i < len(match); i += 2 {
start := match[i]
end := match[i+1]
groups = append(groups, src[start:end])
indices = append(indices, [2]int{start, end})
}
// Replace the groups
groups = repl(groups)
// Append match data.
lastGroup := matchStart
for i, newValue := range groups {
// Append string between our last group match and this one (i.e. non-group-matched string)
groupStart := indices[i][0]
groupEnd := indices[i][1]
result = result + src[lastGroup:groupStart]
lastGroup = groupEnd
// Append the new group value.
result = result + newValue
}
result = result + src[lastGroup:matchEnd] // remaining
}
result = result + src[last:] // remaining
return result
}

View File

@ -1,84 +0,0 @@
// Copyright Project Harbor Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package path
import (
"net/http"
"net/http/httptest"
"regexp"
"testing"
)
func Test_escape(t *testing.T) {
re := regexp.MustCompile(`/api/v2.0/projects/.*/repositories/(.*)/artifacts`)
type args struct {
re *regexp.Regexp
path string
}
tests := []struct {
name string
args args
want string
}{
{
"/api/v2.0/projects/library/repositories/photon/artifacts",
args{re, "/api/v2.0/projects/library/repositories/photon/artifacts"},
"/api/v2.0/projects/library/repositories/photon/artifacts",
},
{
"/api/v2.0/projects/library/repositories/photon/hello-world/artifacts",
args{re, "/api/v2.0/projects/library/repositories/photon/hello-world/artifacts"},
"/api/v2.0/projects/library/repositories/photon%2Fhello-world/artifacts",
},
{
"/api/v2.0/projects/library/repositories/photon/hello-world/artifacts/digest/scan",
args{re, "/api/v2.0/projects/library/repositories/photon/hello-world/artifacts/digest/scan"},
"/api/v2.0/projects/library/repositories/photon%2Fhello-world/artifacts/digest/scan",
},
{
"/api/v2.0/projects/library/repositories",
args{re, "/api/v2.0/projects/library/repositories"},
"/api/v2.0/projects/library/repositories",
},
{
"/api/v2.0/projects/library/repositories/hello/mariadb/_self",
args{regexp.MustCompile(`^/api/v2.0/projects/.*/repositories/(.*)/_self`), "/api/v2.0/projects/library/repositories/hello/mariadb/_self"},
"/api/v2.0/projects/library/repositories/hello%2Fmariadb/_self",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
if got := escape(tt.args.re, tt.args.path); got != tt.want {
t.Errorf("escape() = %v, want %v", got, tt.want)
}
})
}
}
func TestEscapeMiddleware(t *testing.T) {
r := httptest.NewRequest(http.MethodGet, "/api/v2.0/projects/library/repositories/hello/mariadb/_self", nil)
w := httptest.NewRecorder()
next := http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
if r.URL.Path != "/api/v2.0/projects/library/repositories/hello%2Fmariadb/_self" {
t.Errorf("escape middleware failed")
}
w.WriteHeader(http.StatusOK)
})
EscapeMiddleware()(next).ServeHTTP(w, r)
}

View File

@ -139,12 +139,6 @@ func (b *BaseAPI) Links(ctx context.Context, u *url.URL, total, pageNumber, page
return links return links
} }
ul := *u ul := *u
// try to unescape the repository name which contains escaped slashes
if escapedPath, err := url.PathUnescape(ul.Path); err == nil {
ul.Path = escapedPath
} else {
log.Errorf("failed to unescape the path %s: %v", ul.Path, err)
}
// prev // prev
if pageNumber > 1 && (pageNumber-1)*pageSize < total { if pageNumber > 1 && (pageNumber-1)*pageSize < total {
q := ul.Query() q := ul.Query()

View File

@ -100,9 +100,9 @@ func (b *baseHandlerTestSuite) TestLinks() {
links = b.base.Links(nil, url, 3, 2, 1) links = b.base.Links(nil, url, 3, 2, 1)
b.Require().Len(links, 2) b.Require().Len(links, 2)
b.Equal("prev", links[0].Rel) b.Equal("prev", links[0].Rel)
b.Equal("http://localhost/api/library/hello-world/artifacts?page=1&page_size=1&q=a=~b", links[0].URL) b.Equal("http://localhost/api/library%252Fhello-world/artifacts?page=1&page_size=1&q=a=~b", links[0].URL)
b.Equal("next", links[1].Rel) b.Equal("next", links[1].Rel)
b.Equal("http://localhost/api/library/hello-world/artifacts?page=3&page_size=1&q=a=~b", links[1].URL) b.Equal("http://localhost/api/library%252Fhello-world/artifacts?page=3&page_size=1&q=a=~b", links[1].URL)
} }
func TestBaseHandler(t *testing.T) { func TestBaseHandler(t *testing.T) {

View File

@ -21,7 +21,6 @@ import (
serror "github.com/goharbor/harbor/src/server/error" serror "github.com/goharbor/harbor/src/server/error"
"github.com/goharbor/harbor/src/server/middleware" "github.com/goharbor/harbor/src/server/middleware"
"github.com/goharbor/harbor/src/server/middleware/blob" "github.com/goharbor/harbor/src/server/middleware/blob"
"github.com/goharbor/harbor/src/server/middleware/path"
"github.com/goharbor/harbor/src/server/middleware/quota" "github.com/goharbor/harbor/src/server/middleware/quota"
"github.com/goharbor/harbor/src/server/v2.0/restapi" "github.com/goharbor/harbor/src/server/v2.0/restapi"
) )
@ -45,9 +44,7 @@ func New() http.Handler {
api.ServeError = serveError api.ServeError = serveError
// HACK: Use path.EscapeMiddleware to escape same patterns of the URL before the swagger handler return h
// eg /api/v2.0/projects/library/repositories/hello/world/artifacts to /api/v2.0/projects/library/repositories/hello%2Fworld/artifacts
return path.EscapeMiddleware()(h)
} }
// Before executing operation handler, go-swagger will bind a parameters object to a request and validate the request, // Before executing operation handler, go-swagger will bind a parameters object to a request and validate the request,