Handle percent encoding.

Author: RubenVerborgh

lib/resource-mapper.js

@@ -26,26 +26,27 @@ class ResourceMapper {
 
   // Maps the request for a given resource and representation format to a server file
   async mapUrlToFile ({ url, contentType, createIfNotExists }) {
-    // Split the URL into components
+    // Determine the full URL
     const { pathname, hostname } = typeof url === 'string' ? URL.parse(url) : url
-    if (pathname.indexOf('/..') >= 0) {
+    const fullPath = decodeURIComponent(`${this.getBasePath(hostname)}${pathname}`)
+    if (fullPath.indexOf('/..') >= 0) {
       throw new Error('Disallowed /.. segment in URL')
     }
 
+    // Determine the path and content type
     let path
-    const basePath = this.getBasePath(hostname)
-    // Create the path for a new file
     if (createIfNotExists) {
-      path = `${basePath}${pathname}`
+      // Create the path for a new file
+      path = fullPath
       // If the extension is not correct for the content type, append the correct extension
-      if (getContentType(pathname) !== contentType) {
+      if (getContentType(path) !== contentType) {
         path += contentType in extensions ? `$.${extensions[contentType][0]}` : '$.unknown'
       }
     // Determine the path of an existing file
     } else {
       // Read all files in the corresponding folder
-      const filename = pathname.substr(pathname.lastIndexOf('/') + 1)
-      const folder = `${basePath}${pathname.substr(0, pathname.length - filename.length)}`
+      const filename = fullPath.substr(fullPath.lastIndexOf('/') + 1)
+      const folder = fullPath.substr(0, fullPath.length - filename.length)
       const files = await this._readdir(folder)
 
       // Find a file with the same name (minus the dollar extension)
@@ -64,7 +65,7 @@ class ResourceMapper {
   async mapFileToUrl ({ path, hostname }) {
     // Determine the URL by chopping off everything after the dollar sign
     const pathname = removeDollarExtension(path.substring(this._rootPath.length))
-    const url = `${this.getBaseUrl(hostname)}${pathname}`
+    const url = `${this.getBaseUrl(hostname)}${encodeURI(pathname)}`
     return { url, contentType: getContentType(path) }
   }
 

test/unit/resource-mapper-test.js

@@ -164,6 +164,29 @@ describe('ResourceMapper', () => {
         contentType: 'text/html'
       })
 
+    itMapsUrl(mapper, 'a URL of an existing file with encoded characters',
+      {
+        url: 'http://localhost/space/foo%20bar%20bar.html'
+      },
+      [
+        `${rootPath}space/foo bar bar.html`
+      ],
+      {
+        path: `${rootPath}space/foo bar bar.html`,
+        contentType: 'text/html'
+      })
+
+    itMapsUrl(mapper, 'a URL of a new file with encoded characters',
+      {
+        url: 'http://localhost/space%2Ffoo%20bar%20bar.html',
+        contentType: 'text/html',
+        createIfNotExists: true
+      },
+      {
+        path: `${rootPath}space/foo bar bar.html`,
+        contentType: 'text/html'
+      })
+
     // Security cases
 
     itMapsUrl(mapper, 'a URL with an unknown content type',
@@ -183,6 +206,12 @@ describe('ResourceMapper', () => {
       },
       new Error('Disallowed /.. segment in URL'))
 
+    itMapsUrl(mapper, 'a URL with an encoded /.. path segment',
+      {
+        url: 'http://localhost/space%2F..%2Fbar'
+      },
+      new Error('Disallowed /.. segment in URL'))
+
     // File to URL mapping
 
     itMapsFile(mapper, 'an HTML file',
@@ -254,6 +283,13 @@ describe('ResourceMapper', () => {
         url: 'http://localhost/space/foo',
         contentType: 'text/html'
       })
+
+    itMapsFile(mapper, 'a file with disallowed IRI characters',
+      { path: `${rootPath}space/foo bar bar.html` },
+      {
+        url: 'http://localhost/space/foo%20bar%20bar.html',
+        contentType: 'text/html'
+      })
   })
 
   describe('A ResourceMapper instance for a multi-host setup', () => {