From 037a4c95699376150fa69d58f9d8263819529d55 Mon Sep 17 00:00:00 2001
From: Peter Lobsinger
Date: Thu, 30 Nov 2023 05:04:22 -0800
Subject: [PATCH] fix: avoid double-escaping in url_escape (#30)
Because the escapes for other characters will put `%` into the output text, we need to perform replacements for `%` first. This ensures that all chars we replace this way were from the input text and not put there by some prior replacement step. The prior implementation would produce double-escaped values for the following characters:
| Input char | Double-escaped | Fixed |
| ---------- | -------------- | ------- |
| `" "` | `"%2520"` | `"%20"` |
| `"!"` | `"%2521"` | `"%21"` |
| `'"'` | `"%2522"` | `"%22"` |
| `"#"` | `"%2523"` | `"%23"` |
| `"$"` | `"%2524"` | `"%24"` |
Co-authored-by: Jason Hall
---
 apko/private/util.bzl | 68 ++++++++++++++++++++++---------------------
 1 file changed, 35 insertions(+), 33 deletions(-)
diff --git a/apko/private/util.bzl b/apko/private/util.bzl
index 51eee5b..03ff8e2 100644
--- a/apko/private/util.bzl
+++ b/apko/private/util.bzl
@@ -1,42 +1,44 @@
 "utility functions"
 # Define the list of reserved characters and their percent-encoded values
-_reserved_chars = {
- " ": "%20",
- "!": "%21",
- '"': "%22",
- "#": "%23",
- "$": "%24",
- "%": "%25",
- "&": "%26",
- "'": "%27",
- "(": "%28",
- ")": "%29",
- "*": "%2A",
- "+": "%2B",
- ",": "%2C",
- "/": "%2F",
- ":": "%3A",
- ";": "%3B",
- "<": "%3C",
- "=": "%3D",
- ">": "%3E",
- "?": "%3F",
- "@": "%40",
- "[": "%5B",
- "\\": "%5C",
- "]": "%5D",
- "^": "%5E",
- "`": "%60",
- "{": "%7B",
- "|": "%7C",
- "}": "%7D",
- "~": "%7E",
-}
+_reserved_chars = [
+ # To avoid double-escaping, percent must be handled before any other replacements.
+ ("%", "%25"),
+ #
+ (" ", "%20"),
+ ("!", "%21"),
+ ('"', "%22"),
+ ("#", "%23"),
+ ("$", "%24"),
+ ("&", "%26"),
+ ("'", "%27"),
+ ("(", "%28"),
+ (")", "%29"),
+ ("*", "%2A"),
+ ("+", "%2B"),
+ (",", "%2C"),
+ ("/", "%2F"),
+ (":", "%3A"),
+ (";", "%3B"),
+ ("<", "%3C"),
+ ("=", "%3D"),
+ (">", "%3E"),
+ ("?", "%3F"),
+ ("@", "%40"),
+ ("[", "%5B"),
+ ("\\", "%5C"),
+ ("]", "%5D"),
+ ("^", "%5E"),
+ ("`", "%60"),
+ ("{", "%7B"),
+ ("|", "%7C"),
+ ("}", "%7D"),
+ ("~", "%7E"),
+]
 def _url_escape(url):
 """Replace reserved characters with their percent-encoded values"""
- for char, encoded_value in _reserved_chars.items():
+ for char, encoded_value in _reserved_chars:
 url = url.replace(char, encoded_value)
 return url
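Review bot: The position of the `("%", "%25")` entry at the head of `_reserved_chars` is now the only thing keeping `_url_escape` from double-escaping, and the diffstat shows only util.bzl changed, so no test pins that ordering if the list is later re-sorted. A small unit test asserting the rows of the table in the commit message (for example that a space becomes `%20` and a literal `%` becomes `%25`) would guard the fix. The docstring could also state the input contract, e.g. `"""Percent-encode reserved characters in raw, not-yet-encoded text; any existing "%" becomes "%25"."""`, because a value that is already percent-encoded is still re-escaped by design. Characters outside the table (control characters, non-ASCII) pass through unchanged, which is worth confirming against what callers can supply.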