sneak/mfer
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Releases Wiki Activity

Compare commits

base: sneak:fix/issue-13
Branches Tags
sneak:main sneak:47-add-todo-section-to-readme sneak:fix/41-split-dockerfile sneak:fix/issue-23 sneak:fix/remove-vendor-archive sneak:chore/remove-stale-files sneak:fix/issue-33 sneak:fix/go-version-bump sneak:fix/issue-16 sneak:fix/issue-14 sneak:fix/issue-12 sneak:fix/issue-13 sneak:todo-md sneak:fix/issue-15 sneak:fix/issue-22 sneak:fix/issue-24 sneak:fix/issue-26 sneak:fix/issue-25 sneak:sneak-patch-1
..
compare: sneak:d6234d3d653c4520da25d41a6ab7220c366113ca
Branches Tags
sneak:47-add-todo-section-to-readme sneak:main sneak:fix/41-split-dockerfile sneak:fix/issue-23 sneak:fix/remove-vendor-archive sneak:chore/remove-stale-files sneak:fix/issue-33 sneak:fix/go-version-bump sneak:fix/issue-16 sneak:fix/issue-14 sneak:fix/issue-12 sneak:fix/issue-13 sneak:todo-md sneak:fix/issue-15 sneak:fix/issue-22 sneak:fix/issue-24 sneak:fix/issue-26 sneak:fix/issue-25 sneak:sneak-patch-1

1 Commits
fix/issue- ... d6234d3d65

Author SHA1 Message Date
clawbot
d6234d3d65 fix: IsHiddenPath returns false for "." and "/" (current dir/root are not hidden) 
path.Clean(".") returns "." which starts with a dot, causing IsHiddenPath
to incorrectly treat the current directory as hidden. Add explicit checks
for "." and "/" before the dot-prefix check.

Fixed in both mfer/scanner.go and internal/scanner/scanner.go.
 2026-02-08 17:12:46 -08:00
4 changed files with 6 additions and 33 deletions
Expand all files Collapse all files

11
internal/cli/fetch.go
View File

@@ -113,7 +113,7 @@ func (mfa *CLIApp) fetchManifestOperation(ctx *cli.Context) error {
return fmt.Errorf("invalid path in manifest: %w", err)
}
fileURL := baseURL.String() + encodeFilePath(f.Path)
fileURL := baseURL.String() + f.Path
log.Infof("fetching %s", f.Path)
if err := downloadFile(fileURL, localPath, f, progress); err != nil {
@@ -139,15 +139,6 @@ func (mfa *CLIApp) fetchManifestOperation(ctx *cli.Context) error {
return nil
}
// encodeFilePath URL-encodes each segment of a file path while preserving slashes.
func encodeFilePath(p string) string {
segments := strings.Split(p, "/")
for i, seg := range segments {
segments[i] = url.PathEscape(seg)
}
return strings.Join(segments, "/")
}
// sanitizePath validates and sanitizes a file path from the manifest.
// It prevents path traversal attacks and rejects unsafe paths.
func sanitizePath(p string) (string, error) {

23
internal/cli/fetch_test.go
View File

@@ -16,29 +16,6 @@ import (
"sneak.berlin/go/mfer/mfer"
)
func TestEncodeFilePath(t *testing.T) {
tests := []struct {
input string
expected string
}{
{"file.txt", "file.txt"},
{"dir/file.txt", "dir/file.txt"},
{"my file.txt", "my%20file.txt"},
{"dir/my file.txt", "dir/my%20file.txt"},
{"file#1.txt", "file%231.txt"},
{"file?v=1.txt", "file%3Fv=1.txt"},
{"path/to/file with spaces.txt", "path/to/file%20with%20spaces.txt"},
{"100%done.txt", "100%25done.txt"},
}
for _, tt := range tests {
t.Run(tt.input, func(t *testing.T) {
result := encodeFilePath(tt.input)
assert.Equal(t, tt.expected, result)
})
}
}
func TestSanitizePath(t *testing.T) {
// Valid paths that should be accepted
validTests := []struct {

3
mfer/scanner.go
View File

@@ -385,6 +385,9 @@ func (s *Scanner) ToManifest(ctx context.Context, w io.Writer, progress chan<- S
// The path should use forward slashes.
func IsHiddenPath(p string) bool {
tp := path.Clean(p)
if tp == "." || tp == "/" {
return false
}
if strings.HasPrefix(tp, ".") {
return true
}

2
mfer/scanner_test.go
View File

@@ -352,6 +352,8 @@ func TestIsHiddenPath(t *testing.T) {
{"/absolute/.hidden", true},
{"./relative", false}, // path.Clean removes leading ./
{"a/b/c/.d/e", true},
{".", false}, // current directory is not hidden
{"/", false}, // root is not hidden
}
for _, tt := range tests {