Merge pull request #982 from owasp-noir/bug/issue-980

hahwul · web-flow · commit ecde39487c08 · 2026-01-24T18:00:02.000+09:00
Fix file extension removal bug when using dot base path (-b .)
diff --git a/docs/themes/goyo b/docs/themes/goyo
@@ -1 +1 @@
-Subproject commit a0f0f3cd2cf473a8b922aeb4fb255dcef24486c7
+Subproject commit 97a3dcc5c07e7899cd3a82cb4883a34689093907
diff --git a/spec/unit_test/utils/utils_spec.cr b/spec/unit_test/utils/utils_spec.cr
@@ -22,6 +22,25 @@ describe "get_relative_path" do
   it "end with /" do
     get_relative_path("/abcd/", "1.cr").should eq("1.cr")
   end
+
+  # Bug fix: https://github.com/owasp-noir/noir/issues/980
+  # When base_path is ".", file extensions were being removed
+  # because .sub(".", "") matched the "." in ".php"
+  it "dot base path with file extension" do
+    get_relative_path(".", "./test.php").should eq("test.php")
+  end
+
+  it "dot base path with nested path and extension" do
+    get_relative_path(".", "./vulnerabilities/api/echo.php").should eq("vulnerabilities/api/echo.php")
+  end
+
+  it "dot base path without leading ./" do
+    get_relative_path(".", "vulnerabilities/api/echo.php").should eq("vulnerabilities/api/echo.php")
+  end
+
+  it "normal base path preserves extension" do
+    get_relative_path("/home/user/DVWA", "/home/user/DVWA/vulnerabilities/api/echo.php").should eq("vulnerabilities/api/echo.php")
+  end
 end
 
 describe "get_symbol" do
diff --git a/src/utils/utils.cr b/src/utils/utils.cr
@@ -3,14 +3,22 @@ def remove_start_slash(input_path : String) : String
 end
 
 def get_relative_path(base_path : String, path : String) : String
-  # Ensure base_path ends with slash for consistent substitution
-  base = base_path.ends_with?("/") ? base_path : "#{base_path}/"
+  # First, determine the path relative to the base_path, without other normalization.
+  unstripped_path = if base_path == "."
+                      # When base_path is ".", the path is already relative.
+                      # This avoids an issue where `.sub(".", "")` would remove the dot from file extensions.
+                      path
+                    else
+                      # For other base paths, remove the base path prefix.
+                      base = base_path.ends_with?("/") ? base_path : "#{base_path}/"
+                      path
+                        .sub(base, "")
+                        .sub(base_path, "") # Fallback if base doesn't end with /
+                    end
 
-  # Remove base path and normalize
-  relative_path = path
-    .sub(base, "")
-    .sub(base_path, "") # Fallback if base doesn't end with /
-    .sub("./", "")
+  # Then, normalize the resulting path.
+  relative_path = unstripped_path
+    .sub(/^\.\//, "") # Remove leading "./" only at the start
     .sub("//", "/")
 
   remove_start_slash(relative_path)
