fix: Ensure that all API endpoint URLs are constructed safely.

fastly · Sep 6, 2024 · 5705630 · 5705630
1 parent 81f6471
commit 5705630
Show file tree

Hide file tree

Showing 16 changed files with 139 additions and 76 deletions.
diff --git a/fastly/account_events.go b/fastly/account_events.go
@@ -95,7 +95,8 @@ func (c *Client) GetAPIEvent(i *GetAPIEventInput) (*Event, error) {
 		return nil, ErrMissingEventID
 	}
 
-	path := fmt.Sprintf("/events/%s", i.EventID)
+	path := ToSafeURL("events", i.EventID)
+
 	resp, err := c.Get(path, nil)
 	if err != nil {
 		return nil, err

diff --git a/fastly/acl.go b/fastly/acl.go
@@ -2,7 +2,7 @@ package fastly
 
 import (
 	"fmt"
-	"net/url"
+	"strconv"
 	"time"
 )
 
@@ -34,7 +34,8 @@ func (c *Client) ListACLs(i *ListACLsInput) ([]*ACL, error) {
 		return nil, ErrMissingServiceVersion
 	}
 
-	path := fmt.Sprintf("/service/%s/version/%d/acl", i.ServiceID, i.ServiceVersion)
+	path := ToSafeURL("service", i.ServiceID, "version", strconv.Itoa(i.ServiceVersion), "acl")
+
 	resp, err := c.Get(path, nil)
 	if err != nil {
 		return nil, err
@@ -67,7 +68,8 @@ func (c *Client) CreateACL(i *CreateACLInput) (*ACL, error) {
 		return nil, ErrMissingServiceVersion
 	}
 
-	path := fmt.Sprintf("/service/%s/version/%d/acl", i.ServiceID, i.ServiceVersion)
+	path := ToSafeURL("service", i.ServiceID, "version", strconv.Itoa(i.ServiceVersion), "acl")
+
 	resp, err := c.PostForm(path, i, nil)
 	if err != nil {
 		return nil, err
@@ -103,7 +105,8 @@ func (c *Client) DeleteACL(i *DeleteACLInput) error {
 		return ErrMissingServiceVersion
 	}
 
-	path := fmt.Sprintf("/service/%s/version/%d/acl/%s", i.ServiceID, i.ServiceVersion, url.PathEscape(i.Name))
+	path := ToSafeURL("service", i.ServiceID, "version", strconv.Itoa(i.ServiceVersion), "acl", i.Name)
+
 	resp, err := c.Delete(path, nil)
 	if err != nil {
 		return err
@@ -142,7 +145,8 @@ func (c *Client) GetACL(i *GetACLInput) (*ACL, error) {
 		return nil, ErrMissingServiceVersion
 	}
 
-	path := fmt.Sprintf("/service/%s/version/%d/acl/%s", i.ServiceID, i.ServiceVersion, url.PathEscape(i.Name))
+	path := ToSafeURL("service", i.ServiceID, "version", strconv.Itoa(i.ServiceVersion), "acl", i.Name)
+
 	resp, err := c.Get(path, nil)
 	if err != nil {
 		return nil, err
@@ -180,7 +184,8 @@ func (c *Client) UpdateACL(i *UpdateACLInput) (*ACL, error) {
 		return nil, ErrMissingServiceVersion
 	}
 
-	path := fmt.Sprintf("/service/%s/version/%d/acl/%s", i.ServiceID, i.ServiceVersion, url.PathEscape(i.Name))
+	path := ToSafeURL("service", i.ServiceID, "version", strconv.Itoa(i.ServiceVersion), "acl", i.Name)
+
 	resp, err := c.PutForm(path, i, nil)
 	if err != nil {
 		return nil, err

diff --git a/fastly/acl_entry.go b/fastly/acl_entry.go
@@ -19,8 +19,6 @@ type ACLEntry struct {
 	UpdatedAt *time.Time `mapstructure:"updated_at"`
 }
 
-const aclEntriesPath = "/service/%s/acl/%s/entries"
-
 // GetACLEntriesInput is the input parameter to GetACLEntries function.
 type GetACLEntriesInput struct {
 	// ACLID is an alphanumeric string identifying a ACL (required).
@@ -52,7 +50,7 @@ func (c *Client) GetACLEntries(i *GetACLEntriesInput) *ListPaginator[ACLEntry] {
 	if i.PerPage != nil {
 		input.PerPage = *i.PerPage
 	}
-	path := fmt.Sprintf(aclEntriesPath, i.ServiceID, i.ACLID)
+	path := ToSafeURL("service", i.ServiceID, "acl", i.ACLID, "entries")
 	return NewPaginator[ACLEntry](c, input, path)
 }
 
@@ -115,7 +113,7 @@ func (c *Client) GetACLEntry(i *GetACLEntryInput) (*ACLEntry, error) {
 		return nil, ErrMissingServiceID
 	}
 
-	path := fmt.Sprintf("/service/%s/acl/%s/entry/%s", i.ServiceID, i.ACLID, i.EntryID)
+	path := ToSafeURL("service", i.ServiceID, "acl", i.ACLID, "entry", i.EntryID)
 
 	resp, err := c.Get(path, nil)
 	if err != nil {
@@ -194,7 +192,7 @@ func (c *Client) DeleteACLEntry(i *DeleteACLEntryInput) error {
 		return ErrMissingServiceID
 	}
 
-	path := fmt.Sprintf("/service/%s/acl/%s/entry/%s", i.ServiceID, i.ACLID, i.EntryID)
+	path := ToSafeURL("service", i.ServiceID, "acl", i.ACLID, "entry", i.EntryID)
 
 	resp, err := c.Delete(path, nil)
 	if err != nil {
@@ -244,7 +242,7 @@ func (c *Client) UpdateACLEntry(i *UpdateACLEntryInput) (*ACLEntry, error) {
 		return nil, ErrMissingServiceID
 	}
 
-	path := fmt.Sprintf("/service/%s/acl/%s/entry/%s", i.ServiceID, i.ACLID, i.EntryID)
+	path := ToSafeURL("service", i.ServiceID, "acl", i.ACLID, "entry", i.EntryID)
 
 	resp, err := c.RequestForm("PATCH", path, i, nil)
 	if err != nil {
@@ -299,7 +297,8 @@ func (c *Client) BatchModifyACLEntries(i *BatchModifyACLEntriesInput) error {
 		return ErrMaxExceededEntries
 	}
 
-	path := fmt.Sprintf(aclEntriesPath, i.ServiceID, i.ACLID)
+	path := ToSafeURL("service", i.ServiceID, "acl", i.ACLID, "entries")
+
 	resp, err := c.PatchJSON(path, i, nil)
 	if err != nil {
 		return err

diff --git a/fastly/alerts.go b/fastly/alerts.go
@@ -2,7 +2,6 @@ package fastly
 
 import (
 	"encoding/json"
-	"fmt"
 	"net/http"
 	"strconv"
 	"time"
@@ -151,7 +150,8 @@ func (c *Client) GetAlertDefinition(i *GetAlertDefinitionInput) (*AlertDefinitio
 		return nil, ErrMissingID
 	}
 
-	path := fmt.Sprintf("/alerts/definitions/%s", *i.ID)
+	path := ToSafeURL("alerts", "definitions", *i.ID)
+
 	resp, err := c.Get(path, nil)
 	if err != nil {
 		return nil, err
@@ -190,7 +190,8 @@ func (c *Client) UpdateAlertDefinition(i *UpdateAlertDefinitionInput) (*AlertDef
 		return nil, ErrMissingID
 	}
 
-	path := fmt.Sprintf("/alerts/definitions/%s", *i.ID)
+	path := ToSafeURL("alerts", "definitions", *i.ID)
+
 	resp, err := c.PutJSON(path, i, nil)
 	if err != nil {
 		return nil, err
@@ -216,7 +217,8 @@ func (c *Client) DeleteAlertDefinition(i *DeleteAlertDefinitionInput) error {
 		return ErrMissingID
 	}
 
-	path := fmt.Sprintf("/alerts/definitions/%s", *i.ID)
+	path := ToSafeURL("alerts", "definitions", *i.ID)
+
 	resp, err := c.Delete(path, nil)
 	if err != nil {
 		return err

diff --git a/fastly/backend.go b/fastly/backend.go
@@ -2,7 +2,7 @@ package fastly
 
 import (
 	"fmt"
-	"net/url"
+	"strconv"
 	"time"
 )
 
@@ -64,7 +64,8 @@ func (c *Client) ListBackends(i *ListBackendsInput) ([]*Backend, error) {
 		return nil, ErrMissingServiceVersion
 	}
 
-	path := fmt.Sprintf("/service/%s/version/%d/backend", i.ServiceID, i.ServiceVersion)
+	path := ToSafeURL("service", i.ServiceID, "version", strconv.Itoa(i.ServiceVersion), "backend")
+
 	resp, err := c.Get(path, nil)
 	if err != nil {
 		return nil, err
@@ -157,7 +158,8 @@ func (c *Client) CreateBackend(i *CreateBackendInput) (*Backend, error) {
 		return nil, ErrMissingServiceVersion
 	}
 
-	path := fmt.Sprintf("/service/%s/version/%d/backend", i.ServiceID, i.ServiceVersion)
+	path := ToSafeURL("service", i.ServiceID, "version", strconv.Itoa(i.ServiceVersion), "backend")
+
 	resp, err := c.PostForm(path, i, nil)
 	if err != nil {
 		return nil, err
@@ -193,7 +195,8 @@ func (c *Client) GetBackend(i *GetBackendInput) (*Backend, error) {
 		return nil, ErrMissingServiceVersion
 	}
 
-	path := fmt.Sprintf("/service/%s/version/%d/backend/%s", i.ServiceID, i.ServiceVersion, url.PathEscape(i.Name))
+	path := ToSafeURL("service", i.ServiceID, "version", strconv.Itoa(i.ServiceVersion), "backend", i.Name)
+
 	resp, err := c.Get(path, nil)
 	if err != nil {
 		return nil, err
@@ -291,7 +294,8 @@ func (c *Client) UpdateBackend(i *UpdateBackendInput) (*Backend, error) {
 		return nil, ErrMissingServiceVersion
 	}
 
-	path := fmt.Sprintf("/service/%s/version/%d/backend/%s", i.ServiceID, i.ServiceVersion, url.PathEscape(i.Name))
+	path := ToSafeURL("service", i.ServiceID, "version", strconv.Itoa(i.ServiceVersion), "backend", i.Name)
+
 	resp, err := c.PutForm(path, i, nil)
 	if err != nil {
 		return nil, err
@@ -327,7 +331,8 @@ func (c *Client) DeleteBackend(i *DeleteBackendInput) error {
 		return ErrMissingServiceVersion
 	}
 
-	path := fmt.Sprintf("/service/%s/version/%d/backend/%s", i.ServiceID, i.ServiceVersion, url.PathEscape(i.Name))
+	path := ToSafeURL("service", i.ServiceID, "version", strconv.Itoa(i.ServiceVersion), "backend", i.Name)
+
 	resp, err := c.Delete(path, nil)
 	if err != nil {
 		return err

diff --git a/fastly/billing.go b/fastly/billing.go
@@ -2,6 +2,7 @@ package fastly
 
 import (
 	"fmt"
+	"strconv"
 	"time"
 )
 
@@ -68,7 +69,8 @@ func (c *Client) GetBilling(i *GetBillingInput) (*Billing, error) {
 		return nil, ErrMissingMonth
 	}
 
-	path := fmt.Sprintf("/billing/year/%d/month/%02d", i.Year, i.Month)
+	path := ToSafeURL("billing", "year", strconv.Itoa(int(i.Year)), "month", fmt.Sprintf("%02d", i.Month))
+
 	resp, err := c.Get(path, nil)
 	if err != nil {
 		return nil, err

diff --git a/fastly/compute_package.go b/fastly/compute_package.go
@@ -3,8 +3,8 @@ package fastly
 import (
 	"bytes"
 	"errors"
-	"fmt"
 	"io"
+	"strconv"
 	"time"
 )
 
@@ -107,7 +107,7 @@ func MakePackagePath(serviceID string, serviceVersion int) (string, error) {
 	if serviceVersion == 0 {
 		return "", ErrMissingServiceVersion
 	}
-	return fmt.Sprintf("/service/%s/version/%d/package", serviceID, serviceVersion), nil
+	return ToSafeURL("service", serviceID, "version", strconv.Itoa(serviceVersion), "package"), nil
 }
 
 // PopulatePackage encapsulates the decoding of returned package data.

diff --git a/fastly/config_store.go b/fastly/config_store.go
@@ -2,7 +2,6 @@ package fastly
 
 import (
 	"encoding/json"
-	"fmt"
 	"sort"
 	"time"
 )
@@ -68,7 +67,8 @@ func (c *Client) DeleteConfigStore(i *DeleteConfigStoreInput) error {
 		return ErrMissingStoreID
 	}
 
-	path := fmt.Sprintf("/resources/stores/config/%s", i.StoreID)
+	path := ToSafeURL("resources", "stores", "config", i.StoreID)
+
 	resp, err := c.Delete(path, &RequestOptions{
 		Headers: map[string]string{
 			"Accept": "application/json",
@@ -97,7 +97,8 @@ func (c *Client) GetConfigStore(i *GetConfigStoreInput) (*ConfigStore, error) {
 		return nil, ErrMissingStoreID
 	}
 
-	path := fmt.Sprintf("/resources/stores/config/%s", i.StoreID)
+	path := ToSafeURL("resources", "stores", "config", i.StoreID)
+
 	resp, err := c.Get(path, &RequestOptions{
 		Headers: map[string]string{
 			"Accept": "application/json",
@@ -129,7 +130,8 @@ func (c *Client) GetConfigStoreMetadata(i *GetConfigStoreMetadataInput) (*Config
 		return nil, ErrMissingStoreID
 	}
 
-	path := fmt.Sprintf("/resources/stores/config/%s/info", i.StoreID)
+	path := ToSafeURL("resources", "stores", "config", i.StoreID, "info")
+
 	resp, err := c.Get(path, &RequestOptions{
 		Headers: map[string]string{
 			"Accept": "application/json",
@@ -200,7 +202,8 @@ func (c *Client) ListConfigStoreServices(i *ListConfigStoreServicesInput) ([]*Se
 		return nil, ErrMissingStoreID
 	}
 
-	path := fmt.Sprintf("/resources/stores/config/%s/services", i.StoreID)
+	path := ToSafeURL("resources", "stores", "config", i.StoreID, "services")
+
 	resp, err := c.Get(path, &RequestOptions{
 		Headers: map[string]string{
 			"Accept": "application/json",
@@ -235,7 +238,8 @@ func (c *Client) UpdateConfigStore(i *UpdateConfigStoreInput) (*ConfigStore, err
 		return nil, ErrMissingStoreID
 	}
 
-	path := fmt.Sprintf("/resources/stores/config/%s", i.StoreID)
+	path := ToSafeURL("resources", "stores", "config", i.StoreID)
+
 	resp, err := c.PutForm(path, i, &RequestOptions{
 		Headers: map[string]string{
 			// PutForm adds the appropriate Content-Type header.

diff --git a/fastly/config_store_item.go b/fastly/config_store_item.go
@@ -2,9 +2,7 @@ package fastly
 
 import (
 	"encoding/json"
-	"fmt"
 	"net/http"
-	"net/url"
 	"sort"
 	"time"
 )
@@ -38,7 +36,8 @@ func (c *Client) CreateConfigStoreItem(i *CreateConfigStoreItemInput) (*ConfigSt
 		return nil, ErrMissingStoreID
 	}
 
-	path := fmt.Sprintf("/resources/stores/config/%s/item", i.StoreID)
+	path := ToSafeURL("resources", "stores", "config", i.StoreID, "item")
+
 	resp, err := c.PostForm(path, i, &RequestOptions{
 		Headers: map[string]string{
 			// PostForm adds the appropriate Content-Type header.
@@ -76,7 +75,8 @@ func (c *Client) DeleteConfigStoreItem(i *DeleteConfigStoreItemInput) error {
 		return ErrMissingKey
 	}
 
-	path := fmt.Sprintf("/resources/stores/config/%s/item/%s", i.StoreID, url.PathEscape(i.Key))
+	path := ToSafeURL("resources", "stores", "config", i.StoreID, "item", i.Key)
+
 	resp, err := c.Delete(path, &RequestOptions{
 		Headers: map[string]string{
 			"Accept": "application/json",
@@ -110,7 +110,8 @@ func (c *Client) GetConfigStoreItem(i *GetConfigStoreItemInput) (*ConfigStoreIte
 		return nil, ErrMissingKey
 	}
 
-	path := fmt.Sprintf("/resources/stores/config/%s/item/%s", i.StoreID, url.PathEscape(i.Key))
+	path := ToSafeURL("resources", "stores", "config", i.StoreID, "item", i.Key)
+
 	resp, err := c.Get(path, &RequestOptions{
 		Headers: map[string]string{
 			"Accept": "application/json",
@@ -142,7 +143,8 @@ func (c *Client) ListConfigStoreItems(i *ListConfigStoreItemsInput) ([]*ConfigSt
 		return nil, ErrMissingStoreID
 	}
 
-	path := fmt.Sprintf("/resources/stores/config/%s/items", i.StoreID)
+	path := ToSafeURL("resources", "stores", "config", i.StoreID, "items")
+
 	resp, err := c.Get(path, nil)
 	if err != nil {
 		return nil, err
@@ -181,7 +183,7 @@ func (c *Client) UpdateConfigStoreItem(i *UpdateConfigStoreItemInput) (*ConfigSt
 		return nil, ErrMissingKey
 	}
 
-	path := fmt.Sprintf("/resources/stores/config/%s/item/%s", i.StoreID, url.PathEscape(i.Key))
+	path := ToSafeURL("resources", "stores", "config", i.StoreID, "item", i.Key)
 
 	var httpMethod string
 	if i.Upsert {
@@ -240,7 +242,8 @@ func (c *Client) BatchModifyConfigStoreItems(i *BatchModifyConfigStoreItemsInput
 		return ErrMaxExceededItems
 	}
 
-	path := fmt.Sprintf("/resources/stores/config/%s/items", i.StoreID)
+	path := ToSafeURL("resources", "stores", "config", i.StoreID, "items")
+
 	resp, err := c.PatchJSON(path, i, nil)
 	if err != nil {
 		return err