Issue Description
BuildLookasideURL constructs lookaside URLs by performing raw string substitution for $pkg, $filename, $hashtype, and $hash without URL-encoding substituted values.
If packageName or fileName contains reserved URL characters such as /, ?, #, or malformed % escapes, the generated URL can change meaning or become invalid.
This is a shared helper issue. The newer download-sources flow increases its reachability because it accepts filenames from Fedora-style sources files and feeds them into this path.
Impact
- Generated lookaside URLs can point at the wrong resource.
- Malformed URLs may fail only later when an HTTP request is created.
- Logged URLs may look plausible while the parsed request semantics differ.
This is primarily a correctness and robustness issue with some security relevance. It does not appear to be straightforward arbitrary-host SSRF because the host still comes from distro configuration, and hash verification limits silent content substitution after download.
Root cause
BuildLookasideURL treats placeholder values as plain strings instead of URL path components.
That means inserted values can change URL structure:
- / creates extra path segments
- ? starts a query string
- # starts a fragment
- malformed % sequences can make request creation fail
Reachability
The issue is reachable through multiple paths:
- normal lookaside downloads via the source manager
- dist-git URL construction, which also performs raw $pkg substitution
Example
Given a template such as:
https://example.com/lookaside/$pkg/$filename/$hashtype/$hash/$filename
These inputs are problematic:
filename = "foo/bar"
filename = "file?x=1"
filename = "file#frag"
filename = "file%zz"
packageName = "foo/bar"
packageName = "foo#bar"
Today those values are inserted directly into the template instead of being treated as URL-safe path values.
Recommended fix
- URL-escape placeholder values intended for path positions, for example with url.PathEscape().
- Parse and validate the final URL before returning it so malformed escapes and other structural issues fail early.
- Apply the same fix to dist-git URL construction, which currently has the same raw-substitution problem for $pkg.
- If any placeholders are not always used in path positions, explicitly validate and reject unsafe values rather than relying on raw replacement.
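To make the difference concrete, here is an added example (not the project's own BuildLookasideURL; its signature, the helper names and the template string from the Example section are assumed) that places a raw-substitution builder beside the escaped-and-validated version the fix describes:

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// buildLookasideURLRaw reproduces the raw-substitution pattern (hypothetical stand-in).
func buildLookasideURLRaw(tmpl, pkg, filename, hashType, hash string) string {
	return strings.NewReplacer("$pkg", pkg, "$filename", filename,
		"$hashtype", hashType, "$hash", hash).Replace(tmpl)
}

// checkURLStructure parses the built URL and rejects it when substitution changed the
// host, query, fragment or path-segment count, or when it contains a malformed % escape.
func checkURLStructure(tmpl, built string) error {
	t, err := url.Parse(tmpl)
	if err != nil {
		return fmt.Errorf("bad template %q: %w", tmpl, err)
	}
	u, err := url.Parse(built)
	if err != nil {
		return fmt.Errorf("built URL is malformed: %w", err)
	}
	if u.Host != t.Host || u.RawQuery != t.RawQuery || u.Fragment != t.Fragment {
		return fmt.Errorf("built URL %q changed host, query or fragment", built)
	}
	if strings.Count(u.EscapedPath(), "/") != strings.Count(t.EscapedPath(), "/") {
		return fmt.Errorf("built URL %q changed the number of path segments", built)
	}
	return nil
}

// BuildLookasideURLSafe escapes each value as one path segment, then validates the result.
func BuildLookasideURLSafe(tmpl, pkg, filename, hashType, hash string) (string, error) {
	built := strings.NewReplacer("$pkg", url.PathEscape(pkg),
		"$filename", url.PathEscape(filename), "$hashtype", url.PathEscape(hashType),
		"$hash", url.PathEscape(hash)).Replace(tmpl)
	if err := checkURLStructure(tmpl, built); err != nil {
		return "", err
	}
	return built, nil
}

func main() {
	const tmpl = "https://example.com/lookaside/$pkg/$filename/$hashtype/$hash/$filename"
	fmt.Println(buildLookasideURLRaw(tmpl, "foo", "file?x=1", "sha512", "abc"))
	fmt.Println(BuildLookasideURLSafe(tmpl, "foo", "file?x=1", "sha512", "abc"))
}
```

Running checkURLStructure on the raw builder's output is also a cheap way to turn the four problematic inputs above into regression tests.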
Suggested tests
Add coverage for BuildLookasideURL and equivalent dist-git URL builders for:
- filename = "foo/bar"
- filename = "file?x=1"
- filename = "file#frag"
- filename = "file%zz"
- equivalent cases for packageName
Expected results should verify either correctly escaped URLs or explicit validation errors.
Affected areas
internal/providers/sourceproviders/fedorasource/fedorasource.go
internal/providers/sourceproviders/sourcemanager.go
internal/providers/sourceproviders/fedorasourceprovider.go
internal/app/azldev/cmds/downloadsources/downloadsources.go
Expected Changes
Review findings and make a fix.
Additional Context
No response