Endpoint() constructor: Roundtrip the URL through URIs.resolvereference(), and make sure it is unchanged

Author: DilumAluthge

Project.toml

@@ -9,18 +9,20 @@ HTTP = "cd3eb016-35fb-5094-929b-558a96fad6f3"
 JSON3 = "0f8b85d8-7281-11e9-16c2-39a750bddbf1"
 StructTypes = "856f2bd8-1eba-4b0a-8007-ebc267875bd4"
 TimeZones = "f269a46b-ccf7-5d73-abea-4c690281aa53"
+URIs = "5c2747f8-b7ea-4ff2-ba2e-563bfd36b1d4"
 UUIDs = "cf7118a7-6976-5b1a-9a39-7adc72f591a4"
 
 [compat]
 HTTP = "0.9, 1"
 JSON3 = "1"
 StructTypes = "1"
 TimeZones = "1"
+URIs = "1.6" # Must be >= 1.6, to get https://github.com/JuliaWeb/URIs.jl/pull/66
 julia = "1.6"
 
 [extras]
-Test = "8dfed614-e22c-5e08-85e1-65c5234f0b40"
 Logging = "56ddb016-857b-54e1-b83d-db4d58db5568"
+Test = "8dfed614-e22c-5e08-85e1-65c5234f0b40"
 
 [targets]
 test = ["Test", "Logging"]

src/forge.jl

@@ -154,6 +154,33 @@ function JSON3.write(ctx::FieldContext{FORGE, T}, buf, pos, len, x::T; kw...) wh
     return buf, pos, len
 end
 
+function assert_check_endpoint_url(url::AbstractString)
+    # Do not allow path navigation in URLs
+    # Disallowed pattern: ..
+    if occursin(r"\.\.", url)
+        throw(ArgumentError("URLs cannot contain path navigation"))
+    end
+
+    # Additional disallowed patterns:
+    # ../, ..\, /.., \.., ./, .\, /./, \.\
+    PATH_TRAVERSAL = r"(?:\.{2,}[\/\\]|\.{1,}[\/\\]|[\/\\]\.{2,}|[\/\\]\.{1,}[\/\\])"
+    if occursin(PATH_TRAVERSAL, url)
+        throw(ArgumentError("URLs cannot contain path navigation"))
+    end
+
+    # do not allow new lines or carriage returns in URLs
+    if occursin(r"\s", url)
+        throw(ArgumentError("URLs cannot contain line breaks"))
+    end
+
+    # Roundtrip the URL through `URIs.resolvereference()`, and make sure it is unchanged
+    if url != URIs.resolvereference("https://example.invalid/", url).path
+        throw(ArgumentError("URLs cannot contain path navigation"))
+    end
+
+    return nothing
+end
+
 """
     Endpoint(
         method::Symbol,
@@ -187,23 +214,7 @@ struct Endpoint
         query::Dict=Dict(),
         allow_404::Bool=false,
     )
-        # Do not allow path navigation in URLs
-        # Disallowed pattern: ..
-        if occursin(r"\.\.", url)
-            throw(ArgumentError("URLs cannot contain path navigation"))
-        end
-
-        # Additional disallowed patterns:
-        # ../, ..\, /.., \.., ./, .\, /./, \.\
-        PATH_TRAVERSAL = r"(?:\.{2,}[\/\\]|\.{1,}[\/\\]|[\/\\]\.{2,}|[\/\\]\.{1,}[\/\\])"
-        if occursin(PATH_TRAVERSAL, url)
-            throw(ArgumentError("URLs cannot contain path navigation"))
-        end
-
-        # do not allow new lines or carriage returns in URLs
-        if occursin(r"\s", url)
-            throw(ArgumentError("URLs cannot contain line breaks"))
-        end
+        assert_check_endpoint_url(url)
         return new(method, url, headers, query, allow_404)
     end
 end