Fix escaping of subpaths

mattt · mattt · commit b2740de77e1a · 2025-03-21T12:31:50.000-07:00
diff --git a/lib/package_url.rb b/lib/package_url.rb
@@ -95,7 +95,7 @@ def self.parse(string)
     in String => remainder, separator, String => subpath unless separator.empty?
       components[:subpath] = subpath.split('/').select do |segment|
         !segment.empty? && segment != '.' && segment != '..'
-      end.compact.join('/')
+      end.map { |segment| URI.decode_www_form_component(segment) }.compact.join('/')
 
       string = remainder
     else
@@ -160,7 +160,7 @@ def self.parse(string)
     case string.partition('/')
     in String => type, separator, remainder unless separator.empty?
       components[:type] = type
-      
+
       string = remainder
     else
       raise InvalidPackageURL, 'invalid or missing package type'
@@ -344,7 +344,13 @@ def to_s
       subpath.delete_prefix('/').delete_suffix('/').split('/').each do |segment|
         next if segment.empty? || segment == '.' || segment == '..'
 
-        segments << URI.encode_www_form_component(segment)
+        # Custom encoding for URL fragment segments:
+        # 1. Explicitly encode % as %25 to prevent double-encoding issues
+        # 2. Percent-encode special characters according to URL fragment rules
+        # 3. This ensures proper round-trip encoding/decoding with the parse method
+        segments << segment.gsub(/%|[^A-Za-z0-9\-\._~]/) { |m|
+          m == '%' ? '%25' : "%%%02X" % m.ord
+        }
       end
 
       unless segments.empty?
diff --git a/spec/package_url_spec.rb b/spec/package_url_spec.rb
@@ -188,6 +188,51 @@
       it { should have_description 'pkg:rpm/fedora/curl@7.50.3-1.fc25?arch=i386&distro=fedora-25' }
     end
 
+    context 'with escaped subpath characters', url: 'pkg:type/name#path/with/%25/percent' do
+      it {
+        should have_attributes type: 'type',
+                               namespace: nil,
+                               name: 'name',
+                               version: nil,
+                               qualifiers: nil,
+                               subpath: 'path/with/%/percent'
+      }
+
+      it 'should properly round-trip the URL' do
+        expect(subject.to_s).to eq('pkg:type/name#path/with/%25/percent')
+      end
+    end
+
+    context 'with multiple escaped subpath characters', url: 'pkg:type/name#path/%20space/%3Fquery/%25percent' do
+      it {
+        should have_attributes type: 'type',
+                               namespace: nil,
+                               name: 'name',
+                               version: nil,
+                               qualifiers: nil,
+                               subpath: 'path/ space/?query/%percent'
+      }
+      
+      it 'should properly round-trip the URL' do
+        expect(subject.to_s).to eq('pkg:type/name#path/%20space/%3Fquery/%25percent')
+      end
+    end
+
+    context 'with the specific issue case', url: 'pkg:t/n#%25' do
+      it {
+        should have_attributes type: 't',
+                               namespace: nil,
+                               name: 'n',
+                               version: nil,
+                               qualifiers: nil,
+                               subpath: '%'
+      }
+      
+      it 'should properly round-trip the URL' do
+        expect(subject.to_s).to eq('pkg:t/n#%25')
+      end
+    end
+
     context 'with URLs containing extra slashes after scheme' do
       it 'should parse pkg:/type/namespace/name correctly' do
         purl = PackageURL.parse('pkg:/maven/org.apache.commons/io')
