Skip to content

Fix isDotDot to recognize ..%2e and %2e.. path segments#9453

Open
leno23 wants to merge 1 commit into
square:masterfrom
leno23:fix/isDotDot-missing-encoded-forms
Open

Fix isDotDot to recognize ..%2e and %2e.. path segments#9453
leno23 wants to merge 1 commit into
square:masterfrom
leno23:fix/isDotDot-missing-encoded-forms

Conversation

@leno23
Copy link
Copy Markdown

@leno23 leno23 commented May 25, 2026

Summary

  • Extend HttpUrl.Builder.isDotDot() to treat ..%2e and %2e.. as dot-dot segments, matching RFC 3986 §6.2.2.3 normalization semantics already applied to %2e., .%2e, and %2e%2e.
  • Add regression tests in HttpUrlTest.relativePath() for the missing encoded forms (including uppercase %2E variants).

Fixes #9451

Problem

HttpUrl.resolve() left ..%2e and %2e.. in the encoded path instead of collapsing them. Code that validates encodedPath() against a prefix (e.g. /static/) could be bypassed when downstream components percent-decode %2e later.

Test plan

  • ./gradlew :okhttp:jvmTest --tests "okhttp3.HttpUrlTest.relativePath"
  • Verify base.resolve("..%2e") and base.resolve("%2e..") normalize to the parent path instead of leaving literal encoded segments

Made with Cursor

@cursoragent
Fix isDotDot to recognize ..%2e and %2e.. path segments
cb7cbaa 
HttpUrl.resolve() left ..%2e and %2e.. in the encoded path instead of
normalizing them like other percent-encoded dot-dot forms. This could
bypass path-prefix sandbox checks that rely on encodedPath().

Fixes square#9451

Co-authored-by: Cursor <cursoragent@cursor.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

HttpUrl.isDotDot misses '..%2e' and '%2e..' forms — path-traversal sandbox bypass

1 participant

@leno23