checkURLPathTraversal returns ErrPathForbidden if urlStr contains ".." as a path segment (e.g. "a/../b"), preventing path traversal attacks. It does not match ".." embedded within a segment (e.g. "file..txt"). The check is performed only on the path portion of the URL, ignoring any query string or f
(urlStr string)
| 866 | // performed only on the path portion of the URL, ignoring any query string or |
| 867 | // fragment. |
| 868 | func checkURLPathTraversal(urlStr string) error { |
| 869 | if !strings.Contains(urlStr, "..") { |
| 870 | return nil |
| 871 | } |
| 872 | u, err := url.Parse(urlStr) |
| 873 | if err != nil { |
| 874 | return err |
| 875 | } |
| 876 | if slices.Contains(strings.Split(u.Path, "/"), "..") { |
| 877 | return ErrPathForbidden |
| 878 | } |
| 879 | return nil |
| 880 | } |
| 881 | |
| 882 | // NewUploadRequest creates an upload request. A relative URL can be provided in |
| 883 | // urlStr, in which case it is resolved relative to the UploadURL of the Client. |
no outgoing calls
searching dependent graphs…