
Commit a85f740

committed
refactores proxy, moves regex out of functions, panic if malicious package checker is nil
1 parent f7a26b7 commit a85f740

1 file changed

Lines changed: 24 additions & 2 deletions


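--- a/controllers/dependency_proxy_controller.go
+++ b/controllers/dependency_proxy_controller.go
@@ -38,6 +38,14 @@ const (
 
 var depProxyTracer = otel.Tracer("devguard/dependency-proxy")
 
+var (
+npmProxyPrefixRe = regexp.MustCompile(`^/api/v1/dependency-proxy/(?:[^/]+/)?npm(?:/|$)`)
+goProxyPrefixRe = regexp.MustCompile(`^/api/v1/dependency-proxy/(?:[^/]+/)?go(?:/|$)`)
+pypiProxyPrefixRe = regexp.MustCompile(`^/api/v1/dependency-proxy/(?:[^/]+/)?pypi(?:/|$)`)
+goPathRe = regexp.MustCompile(`^([^@]+)(?:@v/([^/]+))?`)
+pypiFilenameRe = regexp.MustCompile(`^([a-zA-Z0-9_-]+)-([0-9\.]+[a-zA-Z0-9\.]*)(?:-|\.).*$`)
+)
+
 type ProxyType string
 
 const (
@@ -64,10 +72,21 @@ type DependencyProxyController struct {
 client *http.Client
 }
 
-// trimProxyPrefix strips the /api/v1/dependency-proxy/[secret/]<ecosystem> prefix from the path.
+// TrimProxyPrefix strips the /api/v1/dependency-proxy/[secret/]<ecosystem> prefix from the path.
 // The secret segment is optional to support routes with and without a secret.
 func TrimProxyPrefix(path string, ecosystem ProxyType) string {
-encodedPackage := regexp.MustCompile(`^/api/v1/dependency-proxy/(?:[^/]+/)?`+regexp.QuoteMeta(string(ecosystem))+`(?:/|$)`).ReplaceAllString(path, "")
+var re *regexp.Regexp
+switch ecosystem {
+case NPMProxy:
+re = npmProxyPrefixRe
+case GoProxy:
+re = goProxyPrefixRe
+case PyPIProxy:
+re = pypiProxyPrefixRe
+default:
+return path
+}
+encodedPackage := re.ReplaceAllString(path, "")
 decodedPackage, err := url.PathUnescape(encodedPackage)
 if err != nil {
 return encodedPackage
@@ -83,6 +102,9 @@ func NewDependencyProxyController(
 projectRepository shared.ProjectRepository,
 orgRepository shared.OrganizationRepository,
 ) *DependencyProxyController {
+if maliciousChecker == nil {
+panic("maliciousChecker must not be nil: dependency proxy firewall would be silently disabled")
+}
 return &DependencyProxyController{
 dependencyProxyService: dependencyProxyService,
 maliciousChecker: maliciousChecker,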
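Review bot: The new `default:` branch in TrimProxyPrefix returns the input path unchanged for any ProxyType other than NPMProxy, GoProxy and PyPIProxy, and the doc comment above the function does not mention this; the old code built the prefix regex from whatever ecosystem string it was given, so if the const block declares further ProxyType values (not visible in this hunk), those callers now receive the full `/api/v1/dependency-proxy/[secret/]<ecosystem>` path, including the optional secret segment, where they previously got a package path. The same applies to any ecosystem added later, since nothing makes the switch exhaustive. Document the contract, e.g. `// Paths for ecosystems without a precompiled prefix regex are returned unchanged.`, and consider a short comment in the default branch so a reviewer adding a new ecosystem knows a regex must be registered in the var block from the first hunk. TrimProxyPrefix's body continues past the end of the hunk.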
