From bc3d4e1c49b204bca32bfb7e29bde4f35bc12f19 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Hannes=20K=C3=B6rber?=
Date: Fri, 27 May 2022 23:37:54 +0200
Subject: [PATCH] Properly escape URL parameters

---
 Cargo.lock | 10 ++++++++++
 Cargo.toml | 3 +++
 src/provider/github.rs | 5 +++--
 src/provider/gitlab.rs | 5 +++--
 src/provider/mod.rs | 4 ++++
 5 files changed, 23 insertions(+), 4 deletions(-)

diff --git a/Cargo.lock b/Cargo.lock
index 086f464..a18aa39 100644
--- a/Cargo.lock
+++ b/Cargo.lock
@@ -347,6 +347,7 @@ dependencies = [
 "shellexpand",
 "tempdir",
 "toml",
+ "url-escape",
 ]

 [[package]]
@@ -1189,6 +1190,15 @@ dependencies = [
 "percent-encoding",
 ]

+[[package]]
+name = "url-escape"
+version = "0.1.1"
+source = "registry+https://github.com/rust-lang/crates.io-index"
+checksum = "44e0ce4d1246d075ca5abec4b41d33e87a6054d08e2366b63205665e950db218"
+dependencies = [
+ "percent-encoding",
+]
+
 [[package]]
 name = "vcpkg"
 version = "0.2.15"
diff --git a/Cargo.toml b/Cargo.toml
index 7d068e2..249c5af 100644
--- a/Cargo.toml
+++ b/Cargo.toml
@@ -78,5 +78,8 @@ features = ["json"]
 [dependencies.parse_link_header]
 version = "=0.3.2"

+[dependencies.url-escape]
+version = "=0.1.1"
+
 [dev-dependencies.tempdir]
 version = "=0.3.7"
diff --git a/src/provider/github.rs b/src/provider/github.rs
index 3a843c3..e721ca3 100644
--- a/src/provider/github.rs
+++ b/src/provider/github.rs
@@ -1,5 +1,6 @@
 use serde::Deserialize;

+use super::escape;
 use super::ApiErrorResponse;
 use super::Filter;
 use super::JsonError;
@@ -108,7 +109,7 @@ impl Provider for Github {
 user: &str,
 ) -> Result, ApiErrorResponse> {
 self.call_list(
- &format!("{GITHUB_API_BASEURL}/users/{user}/repos"),
+ &format!("{GITHUB_API_BASEURL}/users/{}/repos", escape(user)),
 Some(ACCEPT_HEADER_JSON),
 )
 }
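Review bot: The new `[dependencies.url-escape]` entry pulls in a separate crate for what `src/provider/mod.rs` uses as a single function call, while the Cargo.lock context in this patch shows `percent-encoding` (the only dependency of `url-escape`) already being required by an existing package. Depending on `percent-encoding` directly would give the same encoding without widening the set of crates that has to be audited and kept up to date. If `url-escape` stays, a comment above the entry such as `# only used by provider::escape to encode URL path segments` would record why it is there.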
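Review bot: A `user` value of `.` or `..` still reaches the URL unchanged in `format!("{GITHUB_API_BASEURL}/users/{}/repos", escape(user))`, because component encoding appears to leave dots alone. A URL parser that collapses dot segments would then request a different endpoint than the one intended; whether the client behind `call_list` does this is not visible here. Percent-encoding the dots would not help, since WHATWG-style parsers treat `%2e%2e` as a dot segment too, so such names should be rejected before the URL is built. The same applies to the `orgs` call in the next hunk and to both GitLab calls. The enclosing function starts before this hunk.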
@@ -118,7 +119,7 @@ impl Provider for Github {
 group: &str,
 ) -> Result, ApiErrorResponse> {
 self.call_list(
- &format!("{GITHUB_API_BASEURL}/orgs/{group}/repos?type=all"),
+ &format!("{GITHUB_API_BASEURL}/orgs/{}/repos?type=all", escape(group)),
 Some(ACCEPT_HEADER_JSON),
 )
 }
diff --git a/src/provider/gitlab.rs b/src/provider/gitlab.rs
index ccadd7f..120ba8a 100644
--- a/src/provider/gitlab.rs
+++ b/src/provider/gitlab.rs
@@ -1,5 +1,6 @@
 use serde::Deserialize;

+use super::escape;
 use super::ApiErrorResponse;
 use super::Filter;
 use super::JsonError;
@@ -125,7 +126,7 @@ impl Provider for Gitlab {
 user: &str,
 ) -> Result, ApiErrorResponse> {
 self.call_list(
- &format!("{}/api/v4/users/{}/projects", self.api_url(), user),
+ &format!("{}/api/v4/users/{}/projects", self.api_url(), escape(user)),
 Some(ACCEPT_HEADER_JSON),
 )
 }
@@ -138,7 +139,7 @@ impl Provider for Gitlab {
 &format!(
 "{}/api/v4/groups/{}/projects?include_subgroups=true&archived=false",
 self.api_url(),
- group
+ escape(group),
 ),
 Some(ACCEPT_HEADER_JSON),
 )
diff --git a/src/provider/mod.rs b/src/provider/mod.rs
index 1e59bd4..edfc74d 100644
--- a/src/provider/mod.rs
+++ b/src/provider/mod.rs
@@ -28,6 +28,10 @@ enum ProjectResponse {
 Failure(U),
 }

+pub fn escape(s: &str) -> String {
+ url_escape::encode_component(s).to_string()
+}
+
 pub trait Project {
 fn into_repo_config(
 self,
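Review bot: `escape` is added as a `pub` function without a doc comment, and its name does not say which part of a URL it encodes for; every caller in this patch uses it for one path segment. A doc comment such as `/// Percent-encodes s so it can be used as a single URL path segment.` would state that contract. The callers import it with `use super::escape`, which also works for a private item, so `pub` can probably be dropped unless code outside `provider` needs it (not visible here). `url_escape::encode_component(s).into_owned()` would express the Cow-to-String conversion more directly than `.to_string()`.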