security: sanitize uri

internal/utils/strutils/url.go

@@ -0,0 +1,20 @@
+package strutils
+
+import "path"
+
+// SanitizeURI sanitizes a URI reference to ensure it is safe
+// It disallows URLs beginning with // or /\ as absolute URLs,
+// cleans the URL path to remove any .. or . path elements,
+// and ensures the URL starts with a / if it doesn't already
+func SanitizeURI(uri string) string {
+	if uri == "" {
+		return "/"
+	}
+	if uri[0] != '/' {
+		uri = "/" + uri
+	}
+	if len(uri) > 1 && uri[0] == '/' && uri[1] != '/' && uri[1] != '\\' {
+		return path.Clean(uri)
+	}
+	return "/"
+}