Replace tool.IsMaliciousPath with pathutil.Clean and move IsSameSite to urlutil (#8106)

2026-05-07 02:17:04 +02:00 · 2026-01-23 21:13:27 -05:00
parent a7bc1637db
commit 1cdeef2ce8
9 changed files with 47 additions and 78 deletions
--- a/internal/urlutil/urlutil.go
+++ b/internal/urlutil/urlutil.go
@@ -0,0 +1,6 @@
+package urlutil
+
+// IsSameSite returns true if the URL path belongs to the same site.
+func IsSameSite(url string) bool {
+	return len(url) >= 2 && url[0] == '/' && url[1] != '/' && url[1] != '\\'
+}
--- a/internal/urlutil/urlutil_test.go
+++ b/internal/urlutil/urlutil_test.go
@@ -0,0 +1,28 @@
+package urlutil
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsSameSite(t *testing.T) {
+	tests := []struct {
+		url  string
+		want bool
+	}{
+		{url: "//github.com", want: false},
+		{url: "http://github.com", want: false},
+		{url: "https://github.com", want: false},
+		{url: "/\\github.com", want: false},
+
+		{url: "/admin", want: true},
+		{url: "/user/repo", want: true},
+	}
+
+	for _, test := range tests {
+		t.Run(test.url, func(t *testing.T) {
+			assert.Equal(t, test.want, IsSameSite(test.url))
+		})
+	}
+}