fix(utils): handle sanitizing multi-level relative paths (#10640)

glowcloud · David Vogel · web-flow · commit 58aff59a4cd1 · 2025-11-19T13:59:47.000+01:00
Fixes #4107 --------- Co-authored-by: David Vogel <david.vogel@siemens.com>
diff --git a/src/core/utils/url.js b/src/core/utils/url.js
@@ -61,15 +61,14 @@ export function sanitizeUrl(url) {
       if (urlTrimmed.startsWith("/")) {
         return `${urlObject.pathname}${urlObject.search}${urlObject.hash}`
       }
-    
-      if (urlTrimmed.startsWith("./")) {
-        return `.${urlObject.pathname}${urlObject.search}${urlObject.hash}`
-      }
-    
-      if (urlTrimmed.startsWith("../")) {
-        return `..${urlObject.pathname}${urlObject.search}${urlObject.hash}`
+
+      // Handle relative paths (./path, ../path, ./../../path, etc.)
+      if (urlTrimmed.startsWith("./") || urlTrimmed.startsWith("../")) {
+        const relativePath = urlTrimmed.match(/^(\.\.?\/)+/)[0]
+        const remainingPath = urlObject.pathname.substring(1)
+        return `${relativePath}${remainingPath}${urlObject.search}${urlObject.hash}`
       }
-    
+
       return `${urlObject.pathname.substring(1)}${urlObject.search}${urlObject.hash}`
     }
 
@@ -78,4 +77,3 @@ export function sanitizeUrl(url) {
     return blankURL
   }
 }
-
diff --git a/test/unit/core/utils.js b/test/unit/core/utils.js
@@ -1486,6 +1486,10 @@ describe("utils", () => {
       expect(sanitizeUrl("./openapi.json")).toEqual("./openapi.json")
       expect(sanitizeUrl("..openapi.json")).toEqual("..openapi.json")
       expect(sanitizeUrl("../openapi.json")).toEqual("../openapi.json")
+      expect(sanitizeUrl("../../openapi.json")).toEqual("../../openapi.json")
+      expect(sanitizeUrl("../../../openapi.json")).toEqual("../../../openapi.json")
+      expect(sanitizeUrl("../../../../openapi.json")).toEqual("../../../../openapi.json")
+      expect(sanitizeUrl("./../../../openapi.json")).toEqual("./../../../openapi.json")
     })
 
     it("should gracefully handle empty strings", () => {

Original file line number	Diff line number	Diff line change
`@@ -61,15 +61,14 @@ export function sanitizeUrl(url) {`
`61`	`61`	`if (urlTrimmed.startsWith("/")) {`
`62`	`62`	return `${urlObject.pathname}${urlObject.search}${urlObject.hash}`
`63`	`63`	`}`
`64`		`-`
`65`		`- if (urlTrimmed.startsWith("./")) {`
`66`		- return `.${urlObject.pathname}${urlObject.search}${urlObject.hash}`
`67`		`- }`
`68`		`-`
`69`		`- if (urlTrimmed.startsWith("../")) {`
`70`		- return `..${urlObject.pathname}${urlObject.search}${urlObject.hash}`
	`64`	`+`
	`65`	`+ // Handle relative paths (./path, ../path, ./../../path, etc.)`
	`66`	`+ if (urlTrimmed.startsWith("./") \|\| urlTrimmed.startsWith("../")) {`
	`67`	`+ const relativePath = urlTrimmed.match(/^(\.\.?\/)+/)[0]`
	`68`	`+ const remainingPath = urlObject.pathname.substring(1)`
	`69`	+ return `${relativePath}${remainingPath}${urlObject.search}${urlObject.hash}`
`71`	`70`	`}`
`72`		`-`
	`71`	`+`
`73`	`72`	return `${urlObject.pathname.substring(1)}${urlObject.search}${urlObject.hash}`
`74`	`73`	`}`
`75`	`74`
`@@ -78,4 +77,3 @@ export function sanitizeUrl(url) {`
`78`	`77`	`return blankURL`
`79`	`78`	`}`
`80`	`79`	`}`
`81`		`-`