fix(repo): allow rm for dotted module names with safe path checks

Author: Vonng

cli/repo/rm.go

@@ -2,15 +2,48 @@ package repo
 
 import (
 	"fmt"
+	"path/filepath"
 	"pig/internal/config"
 	"pig/internal/output"
 	"pig/internal/utils"
+	"regexp"
 	"strings"
 	"time"
 
 	"github.com/sirupsen/logrus"
 )
 
+var rmModuleNamePattern = regexp.MustCompile(`^[A-Za-z0-9._-]+$`)
+
+func resolveModulePathForRm(m *Manager, module string) (string, error) {
+	module = strings.TrimSpace(module)
+	if module == "" {
+		return "", fmt.Errorf("empty module name")
+	}
+	if strings.Contains(module, "..") || strings.Contains(module, "/") || strings.Contains(module, `\`) {
+		return "", fmt.Errorf("unsafe module name: %s", module)
+	}
+	if !rmModuleNamePattern.MatchString(module) {
+		return "", fmt.Errorf("invalid module name: %s", module)
+	}
+
+	suffix := ""
+	switch config.OSType {
+	case config.DistroEL:
+		suffix = ".repo"
+	case config.DistroDEB:
+		suffix = ".list"
+	default:
+		return "", fmt.Errorf("unsupported os type: %s", config.OSType)
+	}
+
+	filePath := filepath.Join(m.RepoDir, module+suffix)
+	if !isPathWithinBase(m.RepoDir, filePath) {
+		return "", fmt.Errorf("module path escapes repo dir")
+	}
+	return filePath, nil
+}
+
 // RmRepos removes repository modules and returns a structured Result
 // This function is used for YAML/JSON output modes
 // If modules is empty, it backs up all repositories
@@ -68,23 +101,14 @@ func RmRepos(modules []string, doUpdate bool) *output.Result {
 		if module == "" {
 			continue
 		}
-		if _, ok := manager.Module[module]; !ok {
-			data.RemovedRepos = append(data.RemovedRepos, &RemovedRepoItem{
-				Module:   module,
-				FilePath: "",
-				Success:  false,
-				Error:    fmt.Sprintf("module not found: %s", module),
-			})
-			continue
-		}
 
-		filePath := manager.getModulePath(module)
-		if filePath == "" {
+		filePath, pathErr := resolveModulePathForRm(manager, module)
+		if pathErr != nil {
 			data.RemovedRepos = append(data.RemovedRepos, &RemovedRepoItem{
 				Module:   module,
 				FilePath: "",
 				Success:  false,
-				Error:    "failed to determine module path",
+				Error:    fmt.Sprintf("failed to determine module path: %v", pathErr),
 			})
 			continue
 		}

cli/repo/rm_path_test.go

@@ -0,0 +1,41 @@
+package repo
+
+import (
+	"testing"
+
+	"pig/internal/config"
+)
+
+func TestResolveModulePathForRm_AllowsDottedModuleOnEL(t *testing.T) {
+	oldType := config.OSType
+	defer func() { config.OSType = oldType }()
+
+	config.OSType = config.DistroEL
+	m := &Manager{RepoDir: "/etc/yum.repos.d"}
+
+	path, err := resolveModulePathForRm(m, "foo.bar")
+	if err != nil {
+		t.Fatalf("resolveModulePathForRm returned error: %v", err)
+	}
+	if path != "/etc/yum.repos.d/foo.bar.repo" {
+		t.Fatalf("unexpected path: %s", path)
+	}
+}
+
+func TestResolveModulePathForRm_RejectsTraversal(t *testing.T) {
+	oldType := config.OSType
+	defer func() { config.OSType = oldType }()
+
+	config.OSType = config.DistroDEB
+	m := &Manager{RepoDir: "/etc/apt/sources.list.d"}
+
+	if _, err := resolveModulePathForRm(m, "../evil"); err == nil {
+		t.Fatalf("expected traversal module to be rejected")
+	}
+	if _, err := resolveModulePathForRm(m, `a\b`); err == nil {
+		t.Fatalf("expected backslash module to be rejected")
+	}
+	if _, err := resolveModulePathForRm(m, "a/b"); err == nil {
+		t.Fatalf("expected slash module to be rejected")
+	}
+}