Apply moar review feedback.

fastly · Sep 8, 2024 · ba653cc · ba653cc
1 parent 6ec5f86
commit ba653cc
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/fastly/helpers.go b/fastly/helpers.go
@@ -36,12 +36,16 @@ func NullString(v string) *string {
 
 // ToSafeURL produces a safe (no path traversal, no unsafe characters) URL
 // from the path components passed in.
+//
+// Unlike the normal behavior of url.JoinPath, this function skips
+// ".." components, ensuring that user-provided components cannot
+// remove code-provided components from the resulting path.
 func ToSafeURL(unsafeComponents ...string) string {
 	safeComponents := make([]string, len(unsafeComponents))
 
 	for i := range unsafeComponents {
-		if component := unsafeComponents[i]; component != ".." {
-			safeComponents[i] = url.PathEscape(component)
+		if unsafeComponents[i] != ".." {
+			safeComponents[i] = url.PathEscape(unsafeComponents[i])
 		}
 	}