MCPcopy Index your code
hub / github.com/google/go-github / checkURLPathTraversal

Function checkURLPathTraversal

github/github.go:868–880  ·  view source on GitHub ↗

checkURLPathTraversal returns ErrPathForbidden if urlStr contains ".." as a path segment (e.g. "a/../b"), preventing path traversal attacks. It does not match ".." embedded within a segment (e.g. "file..txt"). The check is performed only on the path portion of the URL, ignoring any query string or f

(urlStr string)

Source from the content-addressed store, hash-verified

866// performed only on the path portion of the URL, ignoring any query string or
867// fragment.
868func checkURLPathTraversal(urlStr string) error {
869 if !strings.Contains(urlStr, "..") {
870 return nil
871 }
872 u, err := url.Parse(urlStr)
873 if err != nil {
874 return err
875 }
876 if slices.Contains(strings.Split(u.Path, "/"), "..") {
877 return ErrPathForbidden
878 }
879 return nil
880}
881
882// NewUploadRequest creates an upload request. A relative URL can be provided in
883// urlStr, in which case it is resolved relative to the UploadURL of the Client.

Callers 4

NewRequestMethod · 0.85
NewFormRequestMethod · 0.85
NewUploadRequestMethod · 0.85

Calls

no outgoing calls

Tested by 1

Used in the wild real call sites across dependent graphs

searching dependent graphs…