Fix XSS issue by not using URI.join

2017-01-29 15:31:13 -06:00 · 2017-01-29 15:31:13 -06:00 · 5bf22606ef
parent 27f2ca9418
commit 5bf22606ef
1 changed files with 1 additions and 2 deletions
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@ -185,8 +185,7 @@ class Environment < ActiveRecord::Base
    public_path = project.public_path_for_source_path(path, commit_sha)
    return unless public_path

-    # TODO: Verify this can't be used for XSS
-    URI.join(external_url, public_path).to_s
+    [external_url, public_path].join('/')
  end

  private