[pkgsite] internal/api: strictly validate module paths in ServeModule
1 view
Skip to first unread message
Ethan Lee (Gerrit)
May 18, 2026, 6:04:38 PM (14 hours ago) May 18
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Ethan Lee has uploaded the change for review![]( "Open in Gerrit")
Commit message
internal/api: strictly validate module paths in ServeModule
Ensure that the resolved module path exactly matches the requested URL
path in ServeModule. If a package path (e.g. golang.org/x/sync/errgroup)
is passed instead of a module path, the API will now return a descriptive
HTTP 400 BadRequest error advising the client of the correct module
path, rather than silently resolving and returning the containing module's
metadata.
Change-Id: Icfcdedd057b93b592c8a611dae907cd6efb2d22a
Change diff
diff --git a/internal/api/api.go b/internal/api/api.go
index 4fc8658..3583dab 100644
--- a/internal/api/api.go
+++ b/internal/api/api.go
@@ -137,6 +137,14 @@
return err
}
+ if um.ModulePath != modulePath {
+ return &Error{
+ Code: http.StatusBadRequest,
+ Message: fmt.Sprintf("%s is a package, not a module", modulePath),
+ Fixes: []string{fmt.Sprintf("retry the call with the containing module: %q", um.ModulePath)},
+ }
+ }
+
// api:response Module
resp := Module{
Path: um.ModulePath,
diff --git a/internal/tests/api/api_test.go b/internal/tests/api/api_test.go
index 2b02e7e..627d1f2 100644
--- a/internal/tests/api/api_test.go
+++ b/internal/tests/api/api_test.go
@@ -540,7 +540,7 @@
u := unit("")
u.Readme = &internal.Readme{Filepath: "README.md", Contents: "Hello world"}
- ds.MustInsertModule(t, module(t, mi1, u))
+ ds.MustInsertModule(t, module(t, mi1, u, unit("pkg")))
mi2 := modinfo(modulePath, "v1.2.4")
mi2.HasGoMod = true
@@ -598,6 +598,15 @@
want: &api.Error{Code: 404, Message: "not found"},
},
{
+ name: "package path in module endpoint",
+ url: "/v1beta/module/example.com/pkg?version=v1.2.3",
+ wantStatus: http.StatusBadRequest,
+ want: &api.Error{
+ Code: http.StatusBadRequest,
+ Message: "example.com/pkg is a package, not a module",
+ },
+ },
+ {
name: "missing module path",
url: "/v1beta/module/",
wantStatus: http.StatusBadRequest,
Change information
Files:
- M internal/api/api.go
- M internal/tests/api/api_test.go
Change size: S
Delta: 2 files changed, 18 insertions(+), 1 deletion(-)
Related details
Attention set is empty
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
kokoro-CI-Passes
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ethan Lee (Gerrit)
May 18, 2026, 11:30:27 PM (9 hours ago) May 18
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Ethan Lee
Ethan Lee uploaded new patchset![]( "Open in Gerrit")
Ethan Lee uploaded patch set #2 to this change.
Following approvals got outdated and were removed:
- TryBots-Pass: LUCI-TryBot-Result-1 by golang...@luci-project-accounts.iam.gserviceaccount.com
Related details
Attention is currently required from:
- Ethan Lee
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
kokoro-CI-Passes
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ethan Lee (Gerrit)
May 18, 2026, 11:32:01 PM (9 hours ago) May 18
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Ethan Lee
Ethan Lee uploaded new patchset![]( "Open in Gerrit")
Ethan Lee uploaded patch set #3 to this change.
Related details
Attention is currently required from:
- Ethan Lee
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
kokoro-CI-Passes
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ethan Lee (Gerrit)
May 18, 2026, 11:35:21 PM (9 hours ago) May 18
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Ethan Lee
Ethan Lee uploaded new patchset![]( "Open in Gerrit")
Ethan Lee uploaded patch set #4 to this change.
Following approvals got outdated and were removed:
- TryBots-Pass: LUCI-TryBot-Result-1 by golang...@luci-project-accounts.iam.gserviceaccount.com
Related details
Attention is currently required from:
- Ethan Lee
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
kokoro-CI-Passes
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Ethan Lee (Gerrit)
May 18, 2026, 11:43:48 PM (8 hours ago) May 18
to goph...@pubsubhelper.golang.org, golang-co...@googlegroups.com
Attention needed from Ethan Lee
Ethan Lee uploaded new patchset![]( "Open in Gerrit")
Ethan Lee uploaded patch set #5 to this change.
Following approvals got outdated and were removed:
- TryBots-Pass: LUCI-TryBot-Result-1 by golang...@luci-project-accounts.iam.gserviceaccount.com
Related details
Attention is currently required from:
- Ethan Lee
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
kokoro-CI-Passes
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
kokoro (Gerrit)
12:14 AM (8 hours ago) 12:14 AM
to Ethan Lee, goph...@pubsubhelper.golang.org, Jonathan Amsterdam, Hyang-Ah Hana Kim, golang...@luci-project-accounts.iam.gserviceaccount.com, golang-co...@googlegroups.com
Attention needed from Hyang-Ah Hana Kim and Jonathan Amsterdam
kokoro voted kokoro-CI+1![]( "Open in Gerrit")
Kokoro presubmit build finished with status: SUCCESS
Logs at: https://source.cloud.google.com/results/invocations/be397def-0f2e-4355-ae29-fdd481997d8a
| kokoro-CI | +1 |
Related details
Attention is currently required from:
- Hyang-Ah Hana Kim
- Jonathan Amsterdam
Submit Requirements:
Code-Review
No-Unresolved-Comments
Review-Enforcement
TryBots-Pass
kokoro-CI-Passes
| Inspect html for hidden footers to help with email filtering. To unsubscribe visit settings. |
Reply all
Reply to author
Forward
0 new messages