Open
Description
When running either the chisel cut or the chisel debug check-release-archives command, I receive the following error:
Error: Get "http://archive.ubuntu.com/ubuntu/dists/plucky-updates/../../pool/main/a/apparmor/apparmor_4.1.0~beta5-0ubuntu14.2_amd64.deb": EOF
I have found that the issue is caused by the fact that there is path traversal in the URLs being requested from the Ubuntu archive in archive.go, and at my company we have a VPN in place which blocks these types of URLs, as path traversal is flagged by the VPN as a potential method of attack used to compromise systems.
I've just come up with a minimal example that illustrates my issue:
```go
package main

import ("fmt"; "net/http")

func main() {
	client := &http.Client{}
	// Request with path traversal (is blocked by my company VPN)
	req, _ := http.NewRequest("GET", "http://archive.ubuntu.com/ubuntu/dists/plucky-updates/../../pool/main/a/apparmor/apparmor_4.1.0~beta5-0ubuntu14.2_amd64.deb", nil)
	resp, err := client.Do(req)
	fmt.Println(resp, err) // behind the VPN this is where the EOF error shows up
	// Request without path traversal (is not blocked by company VPN)
	req, _ = http.NewRequest("GET", "http://archive.ubuntu.com/ubuntu/pool/main/a/apparmor/apparmor_4.1.0~beta5-0ubuntu14.2_amd64.deb", nil)
	resp, err = client.Do(req)
	fmt.Println(resp, err)
}
```

I assume that this isn't an issue for most people, but I believe that there would be no regression if the Ubuntu archive request URL is updated to remove the "../" path traversal and instead just contain the resolved URL?
HadrienPatte
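The following is an added example, not code from the issue or from the chisel project, showing how a URL of the shape reported above can be built without dot segments. It assumes (hypothetically, for illustration) that the URL arises from joining the suite directory under dists/ with a pool-relative package filename via "../../"; the constants, the functions naiveDebURL, resolvedDebURL, cleanDebURL and hasDotSegments, and the sample suite and filename are all constructed for this example. It also goes slightly beyond the report by including a check that can serve as a regression guard in tests.

```go
package main

import (
	"fmt"
	"net/url"
	"path"
	"strings"
)

// ArchiveBase is the Ubuntu archive root seen in the reported URLs.
const ArchiveBase = "http://archive.ubuntu.com/ubuntu/"

// naiveDebURL reproduces the URL shape from the issue (an assumption about
// how it is built, not chisel's code): the suite directory under dists/ is
// joined with a pool-relative filename using "../../", so the request path
// carries dot segments that a traversal-sensitive proxy or VPN rejects.
func naiveDebURL(suite, filename string) string {
	return ArchiveBase + "dists/" + suite + "/../../" + filename
}

// resolvedDebURL builds the same target with net/url's RFC 3986 reference
// resolution, which collapses "." and ".." before any request is made, so
// the URL that reaches the network is the plain pool path.
func resolvedDebURL(suite, filename string) (string, error) {
	base, err := url.Parse(ArchiveBase + "dists/" + suite + "/")
	if err != nil {
		return "", err
	}
	ref, err := url.Parse("../../" + filename)
	if err != nil {
		return "", err
	}
	return base.ResolveReference(ref).String(), nil
}

// cleanDebURL normalises an already-built URL string by cleaning its path;
// this is the minimal fix when the string is produced somewhere else.
func cleanDebURL(raw string) (string, error) {
	u, err := url.Parse(raw)
	if err != nil {
		return "", err
	}
	u.Path = path.Clean(u.Path)
	return u.String(), nil
}

// hasDotSegments reports whether any path segment is "." or "..". This is
// the property a filtering VPN reacts to, and it makes a cheap test guard
// so that a change reintroducing "../" is caught before release.
func hasDotSegments(raw string) bool {
	u, err := url.Parse(raw)
	if err != nil {
		return true // unparsable input is treated as unsafe
	}
	for _, seg := range strings.Split(u.Path, "/") {
		if seg == "." || seg == ".." {
			return true
		}
	}
	return false
}

func main() {
	// Constructed sample values matching the package named in the report.
	suite := "plucky-updates"
	filename := "pool/main/a/apparmor/apparmor_4.1.0~beta5-0ubuntu14.2_amd64.deb"

	naive := naiveDebURL(suite, filename)
	fmt.Println("naive:   ", naive, "dot segments:", hasDotSegments(naive))

	resolved, err := resolvedDebURL(suite, filename)
	if err != nil {
		panic(err)
	}
	fmt.Println("resolved:", resolved, "dot segments:", hasDotSegments(resolved))

	cleaned, err := cleanDebURL(naive)
	if err != nil {
		panic(err)
	}
	fmt.Println("cleaned: ", cleaned, "dot segments:", hasDotSegments(cleaned))
}
```

Both resolvedDebURL and cleanDebURL yield the direct pool URL from the report, so a client that only ever sends the resolved form fetches exactly the same file while never emitting a request path containing "..".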