fix: narinfo should return NAR URL normalized [backport #843]

[kalbasit]

Bot-based backport to release-0.8, triggered by a label in #843.

When computing a narinfo, normalize the embedded URL before returning
it.

[gemini-code-assist]

Summary of Changes

Hello @kalbasit, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request addresses an issue where the narinfo endpoint could return NAR URLs that were incorrectly prefixed, leading to failures when attempting to fetch the actual NARs. The changes implement robust URL normalization within the narinfo response, ensuring that the provided NAR URL is always in the correct format. This significantly improves the reliability of NAR fetching from the server.

Highlights

• NAR URL Normalization: The getNarInfo handler now normalizes the NAR URL embedded within the narinfo response. This ensures that any narinfo hash prefixes are removed, making the URL consistent with how NARs are actually served and preventing potential fetching issues.
• Race Condition Prevention: A copy of the narInfo object is now created before modification to prevent potential race conditions when normalizing the URL.
• Comprehensive Test Coverage: A new, detailed test case has been added to server_test.go to explicitly verify that the narinfo endpoint returns a correctly normalized NAR URL, including a full end-to-end check that the NAR can be fetched using the normalized URL.

Changelog

• pkg/server/server.go
  • Copied the narInfo object to avoid race conditions during modification.
  • Added logic to parse and normalize the narInfo.URL by removing any narinfo hash prefixes.
  • Included error handling for NAR URL parsing.
• pkg/server/server_test.go
  • Introduced a new test "returns normalized URL in narinfo response" to validate the NAR URL normalization.
  • The test sets up a scenario with a prefixed NAR URL in a narinfo and asserts that the server returns a normalized URL, and that the NAR can be successfully fetched using this normalized URL.

Activity

• This is a bot-based backport to the release-0.8 branch, initiated by a label in the original pull request fix: narinfo should return NAR URL normalized #843.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[dosubot]

Related Documentation

Checked 7 published document(s) in 1 knowledge base(s). No updates required.

^{How did I do? Any feedback?}  

[gemini-code-assist]

Code Review

This pull request correctly normalizes NAR URLs within narinfo responses, addressing an issue where upstream caches might provide URLs with a narinfo hash prefix that the server cannot serve. While the implementation demonstrates good practices like defensive copying, proper error handling, and thorough integration testing, the Normalize function in pkg/nar/url.go introduces several critical security and portability flaws. These include platform-dependent behavior on Windows and a fail-open validation logic, which must be resolved to ensure the server remains secure and compatible across different operating systems.