fix: sanitization of relative OpenAPI JSON paths (#10528)

Author: heto-soptim

src/core/utils/url.js

@@ -58,11 +58,19 @@ export function sanitizeUrl(url) {
 
     // return sanitized URI reference
     if (urlObject.origin === base) {
-      return urlTrimmed.startsWith("/")
-        ? `${urlObject.pathname}${urlObject.search}${urlObject.hash}`
-        : urlTrimmed.startsWith(".")
-        ? `.${urlObject.pathname}${urlObject.search}${urlObject.hash}`
-        : `${urlObject.pathname.substring(1)}${urlObject.search}${urlObject.hash}`
+      if (urlTrimmed.startsWith("/")) {
+        return `${urlObject.pathname}${urlObject.search}${urlObject.hash}`
+      }
+    
+      if (urlTrimmed.startsWith("./")) {
+        return `.${urlObject.pathname}${urlObject.search}${urlObject.hash}`
+      }
+    
+      if (urlTrimmed.startsWith("../")) {
+        return `..${urlObject.pathname}${urlObject.search}${urlObject.hash}`
+      }
+    
+      return `${urlObject.pathname.substring(1)}${urlObject.search}${urlObject.hash}`
     }
 
     return String(urlObject)

test/unit/core/utils.js

@@ -1449,6 +1449,13 @@ describe("utils", () => {
       expect(sanitizeUrl(url)).toEqual("https://swagger.io/")
     })
 
+    it("should gracefully handle relative paths", () => {
+      expect(sanitizeUrl(".openapi.json")).toEqual(".openapi.json")
+      expect(sanitizeUrl("./openapi.json")).toEqual("./openapi.json")
+      expect(sanitizeUrl("..openapi.json")).toEqual("..openapi.json")
+      expect(sanitizeUrl("../openapi.json")).toEqual("../openapi.json")
+    })
+
     it("should gracefully handle empty strings", () => {
       expect(sanitizeUrl("")).toEqual("")
     })