fix: harden registry — empty query guard, URL path traversal prevention

chuongld20 · claude · chuongld20 · commit bb1f6d93d29f · 2026-04-13T03:08:35.000+07:00
Review findings:
- MatchesQuery("") and Search("") no longer match everything
- Pull rejects URLs with "..", "//", or ":" to prevent SSRF/path traversal
- Added tests for empty query and unsafe URL edge cases

Co-Authored-By: Claude Opus 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/internal/registry/registry.go b/internal/registry/registry.go
@@ -83,6 +83,10 @@ func (r *RemoteRegistry) Search(query string) ([]IndexEntry, error) {
 		return nil, err
 	}
 
+	if query == "" {
+		return nil, nil
+	}
+
 	q := strings.ToLower(query)
 	var matches []IndexEntry
 	for _, e := range entries {
@@ -113,10 +117,12 @@ func (r *RemoteRegistry) Pull(name string, localReg *template.LocalRegistry) (*t
 		return nil, fmt.Errorf("template %q not found in registry", name)
 	}
 
-	// Only allow relative URLs to prevent SSRF via malicious index entries.
+	// Only allow safe relative URLs to prevent SSRF via malicious index entries.
 	templateURL := entry.URL
-	if strings.HasPrefix(templateURL, "http://") || strings.HasPrefix(templateURL, "https://") {
-		return nil, fmt.Errorf("template %q has absolute URL which is not allowed", name)
+	if strings.HasPrefix(templateURL, "http://") || strings.HasPrefix(templateURL, "https://") ||
+		strings.HasPrefix(templateURL, "//") || strings.Contains(templateURL, "..") ||
+		strings.Contains(templateURL, ":") {
+		return nil, fmt.Errorf("template %q has unsafe URL %q", name, templateURL)
 	}
 	templateURL = r.baseURL + "/" + strings.TrimLeft(templateURL, "/")
 
diff --git a/internal/registry/registry_test.go b/internal/registry/registry_test.go
@@ -96,6 +96,7 @@ func TestSearch(t *testing.T) {
 		{"application", 3},
 		{"react", 1},
 		{"nonexistent", 0},
+		{"", 0}, // empty query returns nothing
 	}
 
 	for _, tt := range tests {
@@ -181,6 +182,28 @@ func TestPush(t *testing.T) {
 	}
 }
 
+func TestPullUnsafeURL(t *testing.T) {
+	unsafeIndex := `templates:
+  - name: evil
+    version: "1.0.0"
+    description: Malicious template
+    url: "../../etc/passwd"
+`
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte(unsafeIndex))
+	}))
+	defer srv.Close()
+
+	dir := t.TempDir()
+	localReg := template.NewLocalRegistry(dir, nil)
+	reg := NewRemoteRegistry(srv.URL)
+
+	_, err := reg.Pull("evil", localReg)
+	if err == nil {
+		t.Fatal("expected error for unsafe URL with path traversal")
+	}
+}
+
 func TestPushNotFound(t *testing.T) {
 	dir := t.TempDir()
 	localReg := template.NewLocalRegistry(dir, nil)
diff --git a/internal/template/template.go b/internal/template/template.go
@@ -27,8 +27,11 @@ type Template struct {
 }
 
 // MatchesQuery returns true if the template's name or description
-// contains the query string (case-insensitive).
+// contains the query string (case-insensitive). Returns false for empty queries.
 func (t *Template) MatchesQuery(query string) bool {
+	if query == "" {
+		return false
+	}
 	q := strings.ToLower(query)
 	return strings.Contains(strings.ToLower(t.Name), q) ||
 		strings.Contains(strings.ToLower(t.Description), q)
diff --git a/internal/template/template_test.go b/internal/template/template_test.go
@@ -92,6 +92,7 @@ func TestMatchesQuery(t *testing.T) {
 		{"mysql", true},
 		{"nonexistent", false},
 		{"lara", true},
+		{"", false},
 	}
 
 	for _, tt := range tests {

Original file line number	Diff line number	Diff line change
`@@ -92,6 +92,7 @@ func TestMatchesQuery(t *testing.T) {`
`92`	`92`	`{"mysql", true},`
`93`	`93`	`{"nonexistent", false},`
`94`	`94`	`{"lara", true},`
	`95`	`+ {"", false},`
`95`	`96`	`}`
`96`	`97`
`97`	`98`	`for _, tt := range tests {`