Fix file extension removal bug when using dot base path (-b .)

hahwul · hahwul · commit 33b8911f26e1 · 2026-01-24T14:41:30.000+09:00
diff --git a/docs/themes/goyo b/docs/themes/goyo
@@ -1 +1 @@
-Subproject commit a0f0f3cd2cf473a8b922aeb4fb255dcef24486c7
+Subproject commit 97a3dcc5c07e7899cd3a82cb4883a34689093907
diff --git a/spec/unit_test/utils/utils_spec.cr b/spec/unit_test/utils/utils_spec.cr
@@ -22,6 +22,25 @@ describe "get_relative_path" do
   it "end with /" do
     get_relative_path("/abcd/", "1.cr").should eq("1.cr")
   end
+
+  # Bug fix: https://github.com/owasp-noir/noir/issues/980
+  # When base_path is ".", file extensions were being removed
+  # because .sub(".", "") matched the "." in ".php"
+  it "dot base path with file extension" do
+    get_relative_path(".", "./test.php").should eq("test.php")
+  end
+
+  it "dot base path with nested path and extension" do
+    get_relative_path(".", "./vulnerabilities/api/echo.php").should eq("vulnerabilities/api/echo.php")
+  end
+
+  it "dot base path without leading ./" do
+    get_relative_path(".", "vulnerabilities/api/echo.php").should eq("vulnerabilities/api/echo.php")
+  end
+
+  it "normal base path preserves extension" do
+    get_relative_path("/home/user/DVWA", "/home/user/DVWA/vulnerabilities/api/echo.php").should eq("vulnerabilities/api/echo.php")
+  end
 end
 
 describe "get_symbol" do
diff --git a/src/utils/utils.cr b/src/utils/utils.cr
@@ -3,14 +3,24 @@ def remove_start_slash(input_path : String) : String
 end
 
 def get_relative_path(base_path : String, path : String) : String
+  # Handle special case where base_path is "." (current directory)
+  # Without this, .sub(".", "") would remove the first "." found anywhere in the path
+  # (e.g., removing the "." from ".php" extension)
+  if base_path == "."
+    return path
+      .sub(/^\.\//, "") # Remove leading "./" only at the start
+      .sub("//", "/")
+      .lstrip('/')
+  end
+
   # Ensure base_path ends with slash for consistent substitution
   base = base_path.ends_with?("/") ? base_path : "#{base_path}/"
 
   # Remove base path and normalize
   relative_path = path
     .sub(base, "")
-    .sub(base_path, "") # Fallback if base doesn't end with /
-    .sub("./", "")
+    .sub(base_path, "")  # Fallback if base doesn't end with /
+    .sub(/^\.\//, "")    # Remove leading "./" only at the start
     .sub("//", "/")
 
   remove_start_slash(relative_path)
