Be more strict when parsing URLs (#617)

* be more strict when parsing URLs * [autofix.ci] apply automated fixes * tests++ --------- Co-authored-by: autofix-ci[bot] <114827586+autofix-ci[bot]@users.noreply.github.com>
mitmproxy · Sep 6, 2023 · 1062e18 · 1062e18
1 parent 43646e6
commit 1062e18
Show file tree

Hide file tree

Showing 3 changed files with 16 additions and 1 deletion.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,8 @@
    ([#619](https://github.com/mitmproxy/pdoc/pull/619), @mhils)
  - Fix horizontal scroll navigation z-index issue.
    ([#616](https://github.com/mitmproxy/pdoc/pull/616), @Domi04151309)
+ - Be more strict about parsing URLs in pdoc's web server.
+   ([#617](https://github.com/mitmproxy/pdoc/pull/617), @mhils)
 
 ## 2023-06-19: pdoc 14.0.0
 

diff --git a/pdoc/web.py b/pdoc/web.py
@@ -40,7 +40,7 @@ def do_GET(self):
         except ConnectionError:  # pragma: no cover
             pass
 
-    def handle_request(self) -> str | None:
+    def handle_request(self) -> str:
         """Actually handle a request. Called by `do_HEAD` and `do_GET`."""
         path = self.path.split("?", 1)[0]
 
@@ -51,6 +51,13 @@ def handle_request(self) -> str | None:
             self.send_header("content-type", "application/javascript")
             self.end_headers()
             return self.server.render_search_index()
+        elif "." in removesuffix(path, ".html"):
+            # See https://github.com/mitmproxy/pdoc/issues/615: All module separators should be normalized to "/".
+            # We could redirect here, but that would create the impression of a working link, which will fall apart
+            # when pdoc prerenders to static HTML. So we rather fail early.
+            self.send_response(404)
+            self.end_headers()
+            return "Not Found: Please normalize all module separators to '/'."
         else:
             module_name = removesuffix(path.lstrip("/"), ".html").replace("/", ".")
             if module_name not in self.server.all_modules:

diff --git a/test/test_web.py b/test/test_web.py
@@ -91,3 +91,9 @@ def test_get_module_mtime():
 
 def test_get_unknown():
     assert b"404 Not Found" in handle_request(b"GET /unknown HTTP/1.1\r\n\r\n")
+
+
+def test_get_not_normalized():
+    assert b"Not Found: Please normalize all module separators" in handle_request(
+        b"GET /module.submodule HTTP/1.1\r\n\r\n"
+    )