Are URL objects guaranteed to sanitize path traversal attacks?

[Qix-]

I noticed today that new URL(...) will sanitize paths that attempt to traverse above the root of the URL's base path (i.e. a path traversal attack).

console.log(new URL('https://foo.com/../../../foo.png').pathname); //-> /foo.png

I can't find any docs mentioning this and a cursory search reveals nothing mentioning this from a security perspective. Was this always the behavior? If so, is this specified somewhere so that it's guaranteed to be the case in the future? Are there caveats to this behavior?

Thanks for any information!

[jasnell]

The new URL() object is an implementation of the WHATWG URL Standard. The parsing algorithm is fairly complex but, yes, it has always included normalization of the URL during parse. There's no security discussion in that spec as it deals specifically with parsing and serialization and not with the use of those URLs which is a separate issue.

[Qix-]

Gotcha okay, according to the spec then URL objects inherently protected against double-dot traversal attacks since .. triggers Shorten behavior, which states in step 2 that if the path is already empty then to return.

Will still be defensive about it but it's good to know! Thanks for the link :)