Strengthen the input validation for /documentation/* requests. (dart-lang#3630)

* Strengthen the input validation for /documentation/* requests.

* More escaping in URLs

Author: isoos

app/lib/frontend/handlers/documentation.dart

@@ -6,6 +6,10 @@ import 'dart:async';
 import 'dart:io';
 
 import 'package:http_parser/http_parser.dart';
+import 'package:path/path.dart' as p;
+// ignore: implementation_imports
+import 'package:pub_package_reader/src/names.dart';
+import 'package:pub_semver/pub_semver.dart';
 import 'package:shelf/shelf.dart' as shelf;
 
 import '../../dartdoc/backend.dart';
@@ -26,7 +30,7 @@ Future<shelf.Response> documentationHandler(shelf.Request request) async {
   if (redirectDartdocPages.containsKey(docFilePath.package)) {
     return redirectResponse(redirectDartdocPages[docFilePath.package]);
   }
-  if (docFilePath.package == null || docFilePath.version == null) {
+  if (docFilePath.package != null && docFilePath.version == null) {
     return redirectResponse(pkgDocUrl(docFilePath.package, isLatest: true));
   }
   if (docFilePath.path == null) {
@@ -108,13 +112,17 @@ DocFilePath parseRequestUri(Uri uri) {
   if (uri.pathSegments[0] != 'documentation') return null;
 
   final String package = uri.pathSegments[1];
-  if (package.isEmpty) return null;
+  // reject empty or invalid package names
+  if (package.isEmpty || !identifierExpr.hasMatch(package)) {
+    return null;
+  }
   if (segmentCount == 2) {
     return DocFilePath(package, null, null);
   }
 
   final String version = uri.pathSegments[2];
-  if (version.isEmpty) {
+  // reject empty or invalid version names
+  if (!_isValidVersion(version)) {
     return DocFilePath(package, null, null);
   }
   if (segmentCount == 3) {
@@ -123,11 +131,21 @@ DocFilePath parseRequestUri(Uri uri) {
 
   final relativeSegments =
       uri.pathSegments.skip(3).where((s) => s.isNotEmpty).toList();
-  String path = relativeSegments.join('/');
-  if (path.isEmpty) {
-    path = 'index.html';
-  } else if (path.isNotEmpty && !relativeSegments.last.contains('.')) {
-    path = '$path/index.html';
+  var pathSegments = relativeSegments;
+  if (relativeSegments.isEmpty || !relativeSegments.last.contains('.')) {
+    pathSegments = [...relativeSegments, 'index.html'];
   }
+  final path = p.normalize(p.joinAll(pathSegments));
   return DocFilePath(package, version, path);
 }
+
+bool _isValidVersion(String version) {
+  if (version.trim().isEmpty) return false;
+  if (version == 'latest') return true;
+  try {
+    Version.parse(version);
+  } on FormatException catch (_) {
+    return false;
+  }
+  return true;
+}

app/lib/shared/urls.dart

@@ -7,7 +7,6 @@ import 'package:path/path.dart' as p;
 import '../frontend/request_context.dart' show requestContext;
 import '../package/overrides.dart';
 import '../search/search_service.dart' show SearchOrder, SearchQuery;
-import 'versions.dart';
 
 export '../search/search_service.dart' show SearchOrder;
 
@@ -18,21 +17,25 @@ const siteRoot = 'https://$primaryHost';
 const dartSiteRoot = 'https://dart.dev';
 const httpsApiDartDev = 'https://api.dart.dev/';
 
+final _siteRootUri = Uri.parse('$siteRoot/');
+final _pathRootUri = Uri(path: '/');
+
 String pkgPageUrl(
   String package, {
   String version,
   bool includeHost = false,
   String fragment,
 }) {
-  String url = includeHost ? siteRoot : '';
-  url += '/packages/$package';
-  if (version != null) {
-    url += '/versions/$version';
-  }
-  if (fragment != null) {
-    url += '#$fragment';
-  }
-  return url;
+  final segments = <String>[
+    'packages',
+    package,
+    if (version != null) 'versions',
+    if (version != null) version,
+  ];
+  final baseUri = includeHost ? _siteRootUri : _pathRootUri;
+  return baseUri
+      .resolveUri(Uri(pathSegments: segments, fragment: fragment))
+      .toString();
 }
 
 String pkgReadmeUrl(String package, {String version}) =>
@@ -80,14 +83,17 @@ String pkgDocUrl(
   bool omitTrailingSlash = false,
   bool isLatest = false,
 }) {
-  String url = includeHost ? siteRoot : '';
-  url += '/documentation/$package';
-  if (isLatest) {
+  if (isLatest || version == null) {
     version = 'latest';
   }
-  if (version != null) {
-    url += '/$version';
-  }
+  final segments = <String>[
+    'documentation',
+    package,
+    version,
+  ];
+  final baseUri = includeHost ? _siteRootUri : _pathRootUri;
+  String url = baseUri.resolveUri(Uri(pathSegments: segments)).toString();
+
   if (relativePath != null) {
     url = p.join(url, relativePath);
   } else if (!omitTrailingSlash) {
@@ -240,15 +246,6 @@ String inferServiceProviderName(String url) {
   return null;
 }
 
-String panaUrl() {
-  return '$siteRoot/packages/pana';
-}
-
-/// Returns the versioned documentation URL for pana's maintenance suggestions.
-String panaMaintenanceUrl() {
-  return '$siteRoot/documentation/pana/$panaVersion/#maintenance-score';
-}
-
 /// Returns the consent URL that will be sent to the invited user.
 String consentUrl(String consentId) => '$siteRoot/consent?id=$consentId';
 

app/test/frontend/handlers/documentation_test.dart

@@ -25,34 +25,43 @@ void main() {
       }
     }
 
-    test('/documentation', () {
-      testUri('/documentation', null);
+    test('bad prefix', () {
+      testUri('/doc/pkg/latest/', null);
     });
-    test('/documentation/', () {
+
+    test('insufficient prefix', () {
+      testUri('/documentation', null);
       testUri('/documentation/', null);
     });
-    test('/documentation/angular', () {
-      testUri('/documentation/angular', 'angular');
+
+    test('bad package name', () {
+      testUri('/documentation//latest/', null);
+      testUri('/documentation/<pkg>/latest/', null);
+      testUri('/documentation/pkg with space/latest/', null);
     });
-    test('/documentation/angular/', () {
+
+    test('no version specified', () {
+      testUri('/documentation/angular', 'angular');
       testUri('/documentation/angular/', 'angular');
     });
-    test('/documentation/angular/4.0.0+2', () {
-      testUri('/documentation/angular/4.0.0+2', 'angular', '4.0.0+2');
+
+    test('bad version', () {
+      testUri('/documentation/pkg//', 'pkg');
+      testUri('/documentation/pkg/first-release/', 'pkg');
+      testUri('/documentation/pkg/1.2.3.4.5.6/', 'pkg');
     });
-    test('/documentation/angular/4.0.0+2/', () {
+
+    test('version without path', () {
+      testUri('/documentation/angular/4.0.0+2', 'angular', '4.0.0+2');
       testUri('/documentation/angular/4.0.0+2/', 'angular', '4.0.0+2',
           'index.html');
     });
-    test('/documentation/angular/4.0.0+2/subdir/', () {
+
+    test('version with a path', () {
       testUri('/documentation/angular/4.0.0+2/subdir/', 'angular', '4.0.0+2',
           'subdir/index.html');
-    });
-    test('/documentation/angular/4.0.0+2/file.html', () {
       testUri('/documentation/angular/4.0.0+2/file.html', 'angular', '4.0.0+2',
           'file.html');
-    });
-    test('/documentation/angular/4.0.0+2/file.html', () {
       testUri('/documentation/angular/4.0.0+2/file.html', 'angular', '4.0.0+2',
           'file.html');
     });
@@ -76,7 +85,7 @@ void main() {
     testWithServices('/documentation/foor/bar redirect', () async {
       await expectRedirectResponse(
         await issueGet('/documentation/foor/bar'),
-        'https://pub.dev/documentation/foor/bar/',
+        '/documentation/foor/latest/',
       );
     });
 

app/test/shared/urls_test.dart

@@ -12,6 +12,8 @@ void main() {
       expect(pkgPageUrl('foo_bar'), '/packages/foo_bar');
       expect(pkgPageUrl('foo_bar', version: '1.0.0'),
           '/packages/foo_bar/versions/1.0.0');
+      expect(pkgPageUrl('foo_bar', version: '1.0.0', fragment: 'hash'),
+          '/packages/foo_bar/versions/1.0.0#hash');
     });
 
     test('with host', () {
@@ -24,7 +26,7 @@ void main() {
 
   group('documentation page', () {
     test('without host', () {
-      expect(pkgDocUrl('foo_bar'), '/documentation/foo_bar/');
+      expect(pkgDocUrl('foo_bar'), '/documentation/foo_bar/latest/');
       expect(pkgDocUrl('foo_bar', version: '1.0.0'),
           '/documentation/foo_bar/1.0.0/');
       expect(pkgDocUrl('foo_bar', version: '1.0.0', omitTrailingSlash: true),
@@ -33,7 +35,7 @@ void main() {
 
     test('with host', () {
       expect(pkgDocUrl('foo_bar', includeHost: true),
-          'https://pub.dev/documentation/foo_bar/');
+          'https://pub.dev/documentation/foo_bar/latest/');
       expect(pkgDocUrl('foo_bar', version: '1.0.0', includeHost: true),
           'https://pub.dev/documentation/foo_bar/1.0.0/');
       expect(
@@ -180,6 +182,12 @@ void main() {
   });
 
   group('search urls', () {
+    test('non-identifier characters', () {
+      expect(searchUrl(q: 'a b'), '/packages?q=a+b');
+      expect(searchUrl(q: '<a>'), '/packages?q=%3Ca%3E');
+      expect(searchUrl(q: 'ó'), '/packages?q=%C3%B3');
+    });
+
     test('sdk:*', () {
       expect(searchUrl(), '/packages');
       expect(searchUrl(q: 'abc'), '/packages?q=abc');