hls, webrtc: prevent XSS attack when appending slash to paths (#2766) (#2767) (#2772)

2025-12-24 20:11:56 -08:00 · 2023-12-01 20:54:18 +01:00 · 2023-12-01 20:54:18 +01:00 · aade2eedb9
commit aade2eedb9
parent 4ccb245feb
4 changed files with 50 additions and 10 deletions
--- a/internal/protocols/httpserv/location_with_trailing_slash.go
+++ b/internal/protocols/httpserv/location_with_trailing_slash.go
@ -0,0 +1,12 @@
+package httpserv
+
+import "net/url"
+
+// LocationWithTrailingSlash returns the URL in a relative format, with a trailing slash.
+func LocationWithTrailingSlash(u *url.URL) string {
+	l := "./" + u.Path[1:] + "/"
+	if u.RawQuery != "" {
+		l += "?" + u.RawQuery
+	}
+	return l
+}
--- a/internal/protocols/httpserv/location_with_trailing_slash_test.go
+++ b/internal/protocols/httpserv/location_with_trailing_slash_test.go
@ -0,0 +1,36 @@
+package httpserv
+
+import (
+	"net/url"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+)
+
+func TestLocationWithTrailingSlash(t *testing.T) {
+	for _, ca := range []struct {
+		name string
+		url  *url.URL
+		loc  string
+	}{
+		{
+			"with query",
+			&url.URL{
+				Path:     "/test",
+				RawQuery: "key=value",
+			},
+			"./test/?key=value",
+		},
+		{
+			"xss",
+			&url.URL{
+				Path: "/www.example.com",
+			},
+			"./www.example.com/",
+		},
+	} {
+		t.Run(ca.name, func(t *testing.T) {
+			require.Equal(t, ca.loc, LocationWithTrailingSlash(ca.url))
+		})
+	}
+}