fix: prohibit the use of slashes in clone identifiers (#558)

Author: agneum

Diff for: engine/internal/srv/server.go

@@ -187,7 +187,7 @@ func (s *Server) Reload(cfg srvCfg.Config) {
 
 // InitHandlers initializes handler functions of the HTTP server.
 func (s *Server) InitHandlers() {
-	r := mux.NewRouter().StrictSlash(true)
+	r := mux.NewRouter().StrictSlash(true).UseEncodedPath()
 
 	authMW := mw.NewAuth(s.Config.VerificationToken, s.Platform)
 

Diff for: engine/internal/validator/validator.go

@@ -7,6 +7,7 @@ package validator
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/pkg/errors"
 	passwordvalidator "github.com/wagslane/go-password-validator"
@@ -34,6 +35,10 @@ func (v Service) ValidateCloneRequest(cloneRequest *types.CloneCreateRequest) er
 		return errors.New("missing DB password")
 	}
 
+	if cloneRequest.ID != "" && strings.Contains(cloneRequest.ID, "/") {
+		return errors.New("Clone ID cannot contain slash ('/'). Please choose another ID")
+	}
+
 	if err := passwordvalidator.Validate(cloneRequest.DB.Password, minEntropyBits); err != nil {
 		return fmt.Errorf("password validation: %w", err)
 	}

Diff for: engine/internal/validator/validator_test.go

@@ -55,6 +55,13 @@ func TestValidationCloneRequestErrors(t *testing.T) {
 			createRequest: types.CloneCreateRequest{DB: &types.DatabaseRequest{Password: "password"}},
 			error:         "missing DB username",
 		},
+		{
+			createRequest: types.CloneCreateRequest{
+				DB: &types.DatabaseRequest{Username: "user", Password: "password"},
+				ID: "test/ID",
+			},
+			error: "Clone ID cannot contain slash ('/'). Please choose another ID",
+		},
 	}
 
 	for _, tc := range testCases {