Fix resolve_relative_url to handle multi-level relative paths

Signed-off-by: Kai Hodžić <hodzic.e.k@outlook.com>

Author: voidpetal

src/python_inspector/utils_pypi.py

@@ -26,6 +26,7 @@
 from typing import Union
 from urllib.parse import quote_plus
 from urllib.parse import unquote
+from urllib.parse import urljoin
 from urllib.parse import urlparse
 from urllib.parse import urlunparse
 
@@ -1631,26 +1632,21 @@ async def fetch_links(
 
 def resolve_relative_url(package_url, url):
     """
-    Return the resolved `url` URLstring given a `package_url` base URL string
+    Return the resolved `url` URL string given a `package_url` base URL string
     of a package.
 
+    Per PEP 503, links in the simple index may be relative. Use stdlib urljoin
+    which correctly handles multi-level '../' traversal and path normalization.
+
     For example:
-    >>> resolve_relative_url("https://example.com/package", "../path/file.txt")
+    >>> resolve_relative_url("https://example.com/package/", "../path/file.txt")
     'https://example.com/path/file.txt'
+    >>> resolve_relative_url("https://example.com/simple/pkg/", "../../packages/file.whl")
+    'https://example.com/packages/file.whl'
+    >>> resolve_relative_url("https://example.com/a/b/c/", "https://other.com/file.whl")
+    'https://other.com/file.whl'
     """
-    if not url.startswith(("http://", "https://")):
-        base_url_parts = urlparse(package_url)
-        url_parts = urlparse(url)
-        # If the relative URL starts with '..', remove the last directory from the base URL
-        if url_parts.path.startswith(".."):
-            path = base_url_parts.path.rstrip("/").rsplit("/", 1)[0] + url_parts.path[2:]
-        else:
-            path = urlunparse(
-                ("", "", url_parts.path, url_parts.params, url_parts.query, url_parts.fragment)
-            )
-        resolved_url_parts = base_url_parts._replace(path=path)
-        url = urlunparse(resolved_url_parts)
-    return url
+    return urljoin(package_url, url)
 
 
 ################################################################################

tests/test_utils.py

@@ -23,6 +23,7 @@
 from python_inspector.resolution import fetch_and_extract_sdist
 from python_inspector.utils import get_netrc_auth
 from python_inspector.utils_pypi import PypiSimpleRepository
+from python_inspector.utils_pypi import resolve_relative_url
 from python_inspector.utils_pypi import valid_python_version
 
 test_env = FileDrivenTesting()
@@ -164,3 +165,28 @@ def test_parse_reqs_with_setup_requires_and_python_requires():
 def test_valid_python_version():
     assert valid_python_version("3.8", ">3.1")
     assert not valid_python_version("3.8.1", ">3.9")
+
+
+def test_resolve_relative_url_multi_level():
+    base = "https://example.com/api/pypi/repo/simple/pkg/"
+    rel = "../../packages/packages/d9/0b/hash/file-1.0-cp310-linux.whl"
+    result = resolve_relative_url(base, rel)
+    assert (
+        result
+        == "https://example.com/api/pypi/repo/packages/packages/d9/0b/hash/file-1.0-cp310-linux.whl"
+    )
+    assert "/../" not in result
+
+
+def test_resolve_relative_url_single_level():
+    base = "https://example.com/simple/pkg/"
+    rel = "../other/file.whl"
+    result = resolve_relative_url(base, rel)
+    assert result == "https://example.com/simple/other/file.whl"
+
+
+def test_resolve_relative_url_absolute():
+    base = "https://example.com/simple/pkg/"
+    rel = "https://files.pythonhosted.org/packages/file.whl"
+    result = resolve_relative_url(base, rel)
+    assert result == "https://files.pythonhosted.org/packages/file.whl"