From 5bf22606efa37f88a0f440205ff013d20227bd5e Mon Sep 17 00:00:00 2001
From: Douwe Maan
Date: Sun, 29 Jan 2017 15:31:13 -0600
Subject: [PATCH] Fix XSS issue by not using URI.join
---
 app/models/environment.rb | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/app/models/environment.rb b/app/models/environment.rb
index 909249dacca..ed18e6bdea1 100644
--- a/app/models/environment.rb
+++ b/app/models/environment.rb
@@ -185,8 +185,7 @@ class Environment < ActiveRecord::Base
 public_path = project.public_path_for_source_path(path, commit_sha)
 return unless public_path
 
- # TODO: Verify this can't be used for XSS
- URI.join(external_url, public_path).to_s
+ [external_url, public_path].join('/')
 end
 
 private
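Review bot: The new line `[external_url, public_path].join('/')` keeps the result anchored to `external_url`, but it no longer normalizes the slash boundary, so an `external_url` with a trailing `/` or a `public_path` with a leading `/` produces a `//` in the generated URL; whether the stored values carry those slashes is not visible in this hunk. A boundary-normalizing form such as `"#{external_url.chomp('/')}/#{public_path.sub(%r{\A/+}, '')}"` avoids that without reintroducing URI reference resolution. Since the removed TODO was the only explanation at this call site, the new line deserves a why-comment, e.g. `# Plain concatenation, not URI.join: URI.join resolves public_path as a URI reference, so an absolute one would replace external_url entirely.` The enclosing method's `def` line, and the source of `external_url`, are above the hunk.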