[release-branch.go1.19] net/url: consistently remove ../ elements in JoinPath

JoinPath would fail to remove relative elements from the start of the path when the first path element is "". In addition, JoinPath would return the original path unmodified when provided with no elements to join, violating the documented behavior of always cleaning the resulting path. Correct both these cases. JoinPath("http://go.dev", "../go") // before: http://go.dev/../go // after: http://go.dev/go JoinPath("http://go.dev/../go") // before: http://go.dev/../go // after: http://go.dev/go For #54385. Fixes #54635. Fixes CVE-2022-32190. Change-Id: I6d22cd160d097c50703dd96e4f453c6c118fd5d9 Reviewed-on: https://go-review.googlesource.com/c/go/+/423514 Reviewed-by: David Chase <drchase@google.com> Reviewed-by: Alan Donovan <adonovan@google.com> (cherry picked from commit 0765da5884adcc8b744979303a36a27092d8fc51) Reviewed-on: https://go-review.googlesource.com/c/go/+/425357 Run-TryBot: Damien Neil <dneil@google.com> TryBot-Result: Gopher Robot <gobot@golang.org>
author: Damien Neil <dneil@google.com> 2022-08-12 16:21:09 -0700
committer: Heschi Kreinick <heschi@google.com> 2022-08-29 19:13:49 +0000
commit: 28335508913a46e05ef0c04a18e8a1a6beb775ec (patch)
tree: 1e22430b8e4185751d1285421ec57017cf0dab83
parent: d2bcb22ce07ffbbdefe1370dec597b35d8d58e81 (diff)
download: go-28335508913a46e05ef0c04a18e8a1a6beb775ec.tar.gz
go-28335508913a46e05ef0c04a18e8a1a6beb775ec.zip
2 files changed, 72 insertions, 11 deletions
diff --git a/src/net/url/url.go b/src/net/url/url.go
index e82ae6aeef..d7d2d54a0d 100644
--- a/src/net/url/url.go
+++ b/src/net/url/url.go
@@ -1191,17 +1191,23 @@ func (u *URL) UnmarshalBinary(text []byte) error {
 // any existing path and the resulting path cleaned of any ./ or ../ elements.
 // Any sequences of multiple / characters will be reduced to a single /.
 func (u *URL) JoinPath(elem ...string) *URL {
-	url := *u
-	if len(elem) > 0 {
-		elem = append([]string{u.EscapedPath()}, elem...)
-		p := path.Join(elem...)
-		// path.Join will remove any trailing slashes.
-		// Preserve at least one.
-		if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
-			p += "/"
-		}
-		url.setPath(p)
+	elem = append([]string{u.EscapedPath()}, elem...)
+	var p string
+	if !strings.HasPrefix(elem[0], "/") {
+		// Return a relative path if u is relative,
+		// but ensure that it contains no ../ elements.
+		elem[0] = "/" + elem[0]
+		p = path.Join(elem...)[1:]
+	} else {
+		p = path.Join(elem...)
 	}
+	// path.Join will remove any trailing slashes.
+	// Preserve at least one.
+	if strings.HasSuffix(elem[len(elem)-1], "/") && !strings.HasSuffix(p, "/") {
+		p += "/"
+	}
+	url := *u
+	url.setPath(p)
 	return &url
 }
 
diff --git a/src/net/url/url_test.go b/src/net/url/url_test.go
index 263eddffcf..577cf631c8 100644
--- a/src/net/url/url_test.go
+++ b/src/net/url/url_test.go
@@ -2082,6 +2082,26 @@ func TestJoinPath(t *testing.T) {
 		},
 		{
 			base: "https://go.googlesource.com/",
+			elem: []string{"../go"},
+			out:  "https://go.googlesource.com/go",
+		},
+		{
+			base: "https://go.googlesource.com",
+			elem: []string{"../go"},
+			out:  "https://go.googlesource.com/go",
+		},
+		{
+			base: "https://go.googlesource.com",
+			elem: []string{"../go", "../../go", "../../../go"},
+			out:  "https://go.googlesource.com/go",
+		},
+		{
+			base: "https://go.googlesource.com/../go",
+			elem: nil,
+			out:  "https://go.googlesource.com/go",
+		},
+		{
+			base: "https://go.googlesource.com/",
 			elem: []string{"./go"},
 			out:  "https://go.googlesource.com/go",
 		},
@@ -2112,7 +2132,7 @@ func TestJoinPath(t *testing.T) {
 		{
 			base: "https://go.googlesource.com",
 			elem: nil,
-			out:  "https://go.googlesource.com",
+			out:  "https://go.googlesource.com/",
 		},
 		{
 			base: "https://go.googlesource.com/",
@@ -2130,10 +2150,45 @@ func TestJoinPath(t *testing.T) {
 			out:  "https://go.googlesource.com/a%2fb/c%2fd",
 		},
 		{
+			base: "https://go.googlesource.com/a/b",
+			elem: []string{"/go"},
+			out:  "https://go.googlesource.com/a/b/go",
+		},
+		{
 			base: "/",
 			elem: nil,
 			out:  "/",
 		},
+		{
+			base: "a",
+			elem: nil,
+			out:  "a",
+		},
+		{
+			base: "a",
+			elem: []string{"b"},
+			out:  "a/b",
+		},
+		{
+			base: "a",
+			elem: []string{"../b"},
+			out:  "b",
+		},
+		{
+			base: "a",
+			elem: []string{"../../b"},
+			out:  "b",
+		},
+		{
+			base: "",
+			elem: []string{"a"},
+			out:  "a",
+		},
+		{
+			base: "",
+			elem: []string{"../a"},
+			out:  "a",
+		},
 	}
 	for _, tt := range tests {
 		wantErr := "nil"
author	Damien Neil <dneil@google.com>	2022-08-12 16:21:09 -0700
committer	Heschi Kreinick <heschi@google.com>	2022-08-29 19:13:49 +0000
commit	28335508913a46e05ef0c04a18e8a1a6beb775ec (patch)
tree	1e22430b8e4185751d1285421ec57017cf0dab83
parent	d2bcb22ce07ffbbdefe1370dec597b35d8d58e81 (diff)
download	go-28335508913a46e05ef0c04a18e8a1a6beb775ec.tar.gz go-28335508913a46e05ef0c04a18e8a1a6beb775ec.zip