
Commit 58aff59

glowcloudDavid Vogel
andauthored
fix(utils): handle sanitizing multi-level relative paths (#10640)
Fixes #4107 --------- Co-authored-by: David Vogel <[email protected]>
1 parent 85f0c5f commit 58aff59


2 files changed

+11
-9
lines changed


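--- a/src/core/utils/url.js
+++ b/src/core/utils/url.js
@@ -61,15 +61,14 @@ export function sanitizeUrl(url) {
 if (urlTrimmed.startsWith("/")) {
 return `${urlObject.pathname}${urlObject.search}${urlObject.hash}`
 }
-
-if (urlTrimmed.startsWith("./")) {
-return `.${urlObject.pathname}${urlObject.search}${urlObject.hash}`
-}
-
-if (urlTrimmed.startsWith("../")) {
-return `..${urlObject.pathname}${urlObject.search}${urlObject.hash}`
+
+// Handle relative paths (./path, ../path, ./../../path, etc.)
+if (urlTrimmed.startsWith("./") || urlTrimmed.startsWith("../")) {
+const relativePath = urlTrimmed.match(/^(\.\.?\/)+/)[0]
+const remainingPath = urlObject.pathname.substring(1)
+return `${relativePath}${remainingPath}${urlObject.search}${urlObject.hash}`
 }
-
+
 return `${urlObject.pathname.substring(1)}${urlObject.search}${urlObject.hash}`
 }
 
@@ -78,4 +77,3 @@ export function sanitizeUrl(url) {
 return blankURL
 }
 }
-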
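Review bot: In the new relative-path branch only the leading run of `./` and `../` is copied from the input, while everything after it is taken from `urlObject.pathname`, so a `..` segment that appears later in the path is not preserved. If `urlObject` is a `URL` resolved against a placeholder base (its construction is outside the hunk), an input such as `../a/../../openapi.json` would presumably come back as `../openapi.json`, which resolves to a different location than the one the caller supplied. That limitation should at least be stated where the prefix is extracted, for example `// Only the leading ./ and ../ run is kept verbatim; dot segments later in the path are collapsed by URL parsing.` The `[0]` on `match(...)` is safe only because of the `startsWith` guard on the line above, which is worth saying in the same comment. `sanitizeUrl` starts and ends outside this hunk.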

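--- a/test/unit/core/utils.js
+++ b/test/unit/core/utils.js
@@ -1486,6 +1486,10 @@ describe("utils", () => {
 expect(sanitizeUrl("./openapi.json")).toEqual("./openapi.json")
 expect(sanitizeUrl("..openapi.json")).toEqual("..openapi.json")
 expect(sanitizeUrl("../openapi.json")).toEqual("../openapi.json")
+expect(sanitizeUrl("../../openapi.json")).toEqual("../../openapi.json")
+expect(sanitizeUrl("../../../openapi.json")).toEqual("../../../openapi.json")
+expect(sanitizeUrl("../../../../openapi.json")).toEqual("../../../../openapi.json")
+expect(sanitizeUrl("./../../../openapi.json")).toEqual("./../../../openapi.json")
 })
 
 it("should gracefully handle empty strings", () => {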
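Review bot: The four added cases all use a pure leading run of `./` or `../` followed by a bare filename, so the new branch's handling of query strings, fragments and dot segments after the prefix is not pinned by any test. I would add a case such as `expect(sanitizeUrl("../../openapi.json?x=1#frag")).toEqual("../../openapi.json?x=1#frag")`, plus one for an input like `"../a/../../openapi.json"` whose expected value records what the sanitizer is meant to return there. The expected string in the first case is inferred from the return template in the url.js hunk and should be confirmed by running it. The enclosing `it(...)` block starts above this hunk.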
