Merge pull request #5967 from seipan/fix/url-encode

k8s-ci-robot · web-flow · commit 39086340ade8 · 2025-08-24T12:13:06.000-07:00
Fix infinite loop in HTTP client by validating URLs before requests
diff --git a/api/internal/loader/fileloader.go b/api/internal/loader/fileloader.go
@@ -311,7 +311,11 @@ func (fl *FileLoader) httpClientGetContent(path string) ([]byte, error) {
 	} else {
 		hc = &http.Client{}
 	}
-	resp, err := hc.Get(path)
+	parsedURL, err := url.ParseRequestURI(path)
+	if err != nil {
+		return nil, errors.Wrap(err)
+	}
+	resp, err := hc.Get(parsedURL.String())
 	if err != nil {
 		return nil, errors.Wrap(err)
 	}
diff --git a/api/internal/loader/fileloader_test.go b/api/internal/loader/fileloader_test.go
@@ -676,3 +676,15 @@ func setupOnDisk(t *testing.T) (filesys.FileSystem, filesys.ConfirmedDir) {
 	})
 	return fSys, dir
 }
+
+// TestLoaderHTTPMalformedURL tests that malformed URLs are properly handled
+// to prevent infinite loops in http.Client.Get
+func TestLoaderHTTPMalformedURL(t *testing.T) {
+	require := require.New(t)
+	malformedURL := "https://example.com/example?ref=main - ../../example/example.yaml"
+	l1 := NewLoaderOrDie(
+		RestrictionRootOnly, MakeFakeFs([]testData{}), filesys.Separator)
+	_, err := l1.Load(malformedURL)
+	require.Error(err)
+	require.Equal("HTTP Error: status code 500 (Internal Server Error)", err.Error())
+}

Original file line number	Diff line number	Diff line change
`@@ -311,7 +311,11 @@ func (fl *FileLoader) httpClientGetContent(path string) ([]byte, error) {`
`311`	`311`	`} else {`
`312`	`312`	`hc = &http.Client{}`
`313`	`313`	`}`
`314`		`- resp, err := hc.Get(path)`
	`314`	`+ parsedURL, err := url.ParseRequestURI(path)`
	`315`	`+ if err != nil {`
	`316`	`+ return nil, errors.Wrap(err)`
	`317`	`+ }`
	`318`	`+ resp, err := hc.Get(parsedURL.String())`
`315`	`319`	`if err != nil {`
`316`	`320`	`return nil, errors.Wrap(err)`
`317`	`321`	`}`