From 2a79ea148dd66dc5c0dd2cc0d44f886cf1483a2d Mon Sep 17 00:00:00 2001
From: seipan
Date: Thu, 21 Aug 2025 17:17:56 +0900
Subject: [PATCH] fix: url.ParseRequestURI before http.Get

Signed-off-by: seipan
---
 api/internal/loader/fileloader.go | 6 +++++-
 api/internal/loader/fileloader_test.go | 12 ++++++++++++
 2 files changed, 17 insertions(+), 1 deletion(-)

diff --git a/api/internal/loader/fileloader.go b/api/internal/loader/fileloader.go
index 028fd77960..e4202815c9 100644
--- a/api/internal/loader/fileloader.go
+++ b/api/internal/loader/fileloader.go
@@ -311,7 +311,11 @@ func (fl *FileLoader) httpClientGetContent(path string) ([]byte, error) {
 } else {
 hc = &http.Client{}
 }
- resp, err := hc.Get(path)
+ parsedURL, err := url.ParseRequestURI(path)
+ if err != nil {
+ return nil, errors.Wrap(err)
+ }
+ resp, err := hc.Get(parsedURL.String())
 if err != nil {
 return nil, errors.Wrap(err)
 }
diff --git a/api/internal/loader/fileloader_test.go b/api/internal/loader/fileloader_test.go
index fc33a87235..d84ecbfb1d 100644
--- a/api/internal/loader/fileloader_test.go
+++ b/api/internal/loader/fileloader_test.go
@@ -676,3 +676,15 @@ func setupOnDisk(t *testing.T) (filesys.FileSystem, filesys.ConfirmedDir) {
 })
 return fSys, dir
 }
+
+// TestLoaderHTTPMalformedURL tests that malformed URLs are properly handled
+// to prevent infinite loops in http.Client.Get
+func TestLoaderHTTPMalformedURL(t *testing.T) {
+ require := require.New(t)
+ malformedURL := "https://example.com/example?ref=main - ../../example/example.yaml"
+ l1 := NewLoaderOrDie(
+ RestrictionRootOnly, MakeFakeFs([]testData{}), filesys.Separator)
+ _, err := l1.Load(malformedURL)
+ require.Error(err)
+ require.Equal("HTTP Error: status code 500 (Internal Server Error)", err.Error())
+}
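Review bot: `url.ParseRequestURI` in httpClientGetContent is intended for URIs taken from a received request line, so it accepts a bare absolute path, treats any `#fragment` as part of the URL, and checks neither scheme nor host before `hc.Get` is called. For a client-side fetch of a caller-supplied location, `parsedURL, err := url.Parse(path)` followed by an explicit guard such as `(parsedURL.Scheme != "http" && parsedURL.Scheme != "https") || parsedURL.Host == ""` would reject non-HTTP and host-less inputs up front and keep fragment handling as it was before this change. The new error return would also be easier to diagnose if it named the offending path. The function body starts before and continues after this hunk.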
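Review bot: TestLoaderHTTPMalformedURL asserts `HTTP Error: status code 500 (Internal Server Error)`, which is an HTTP response status rather than a parse failure, so the new `url.ParseRequestURI` error branch in fileloader.go is not exercised by this test. No HTTP client is injected in the visible lines, so the loader presumably falls back to `&http.Client{}` and the assertion depends on a live reply from example.com; the test would then fail offline or whenever the remote answer changes. Consider an input that fails parsing (constructed example: an invalid percent-escape such as `https://example.com/%zz`) with only `require.Error(err)`, or a stubbed client if the loader offers one. Whether such an input reaches httpClientGetContent through `Load` should be confirmed against the routing code outside this hunk.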