Support for path traversal

packages/core/src/url.ts

@@ -38,10 +38,11 @@ export function mergeDataIntoQueryString(
   const hasHost = /^[a-z][a-z0-9+.-]*:\/\//i.test(href.toString())
   const hasAbsolutePath = hasHost || href.toString().startsWith('/')
   const hasRelativePath = !hasAbsolutePath && !href.toString().startsWith('#') && !href.toString().startsWith('?')
+  const hasRelativePathWithDotPrefix = /^[.]{1,2}([/]|$)/.test(href.toString())
   const hasSearch = href.toString().includes('?') || (method === 'get' && Object.keys(data).length)
   const hasHash = href.toString().includes('#')
 
-  const url = new URL(href.toString(), 'http://localhost')
+  const url = new URL(href.toString(), typeof window === 'undefined' ? 'http://localhost' : window.location.toString())
 
   if (method === 'get' && Object.keys(data).length) {
     const parseOptions = { ignoreQueryPrefix: true, parseArrays: false }
@@ -59,7 +60,7 @@ export function mergeDataIntoQueryString(
     [
       hasHost ? `${url.protocol}//${url.host}` : '',
       hasAbsolutePath ? url.pathname : '',
-      hasRelativePath ? url.pathname.substring(1) : '',
+      hasRelativePath ? url.pathname.substring(hasRelativePathWithDotPrefix ? 0 : 1) : '',
       hasSearch ? url.search : '',
       hasHash ? url.hash : '',
     ].join(''),

packages/react/test-app/Pages/Links/PathTraversal.jsx

@@ -0,0 +1,17 @@
+import { Link } from '@inertiajs/react'
+
+export default () => {
+  return (
+    <div>
+      <Link href="../">
+        Up one level
+      </Link>
+      <Link href="../../method">
+        Up two levels and open method
+      </Link>
+      <Link href="../../../">
+        Up three levels
+      </Link>
+    </div>
+  )
+}

packages/svelte/test-app/Pages/Links/PathTraversal.svelte

@@ -0,0 +1,17 @@
+<script>
+  import { inertia } from '@inertiajs/svelte'
+</script>
+
+<div class="space-y-2">
+  <a use:inertia href="../">
+    Up one level
+  </a>
+
+  <a use:inertia href="../../method">
+    Up two levels and open method
+  </a>
+
+  <a use:inertia href="../../../">
+    Up three levels
+  </a>
+</div>

packages/vue3/test-app/Pages/Links/PathTraversal.vue

@@ -0,0 +1,11 @@
+<script setup>
+import { Link } from '@inertiajs/vue3'
+</script>
+
+<template>
+  <div>
+    <Link href="../"> Up one level </Link>
+    <Link href="../../method"> Up two levels and open method </Link>
+    <Link href="../../../"> Up three levels </Link>
+  </div>
+</template>

tests/app/server.js

@@ -81,6 +81,8 @@ app.get('/links/headers/version', (req, res) =>
 )
 app.get('/links/data-loading', (req, res) => inertia.render(req, res, { component: 'Links/DataLoading' }))
 app.get('/links/prop-update', (req, res) => inertia.render(req, res, { component: 'Links/PropUpdate' }))
+app.get('/links/sub', (req, res) => inertia.render(req, res, { component: 'Links/PathTraversal' }))
+app.get('/links/sub/sub', (req, res) => inertia.render(req, res, { component: 'Links/PathTraversal' }))
 
 app.get('/client-side-visit', (req, res) =>
   inertia.render(req, res, {

tests/links.spec.ts

@@ -830,3 +830,26 @@ test('will update href if prop is updated', async ({ page }) => {
   await button.click()
   await expect(link).toHaveAttribute('href', /\/something-else$/)
 })
+
+test.describe('path traversal', () => {
+  test('it goes one level up', async ({ page }) => {
+    await page.goto('/links/sub/sub/')
+
+    await page.getByRole('link', { name: 'Up one level' }).click()
+    await expect(page).toHaveURL('/links/sub/')
+  })
+
+  test('it goes two levels up with a new path', async ({ page }) => {
+    await page.goto('/links/sub/sub/')
+
+    await page.getByRole('link', { name: 'Up two levels and open method' }).click()
+    await expect(page).toHaveURL('/links/method')
+  })
+
+  test('it goes three levels up', async ({ page }) => {
+    await page.goto('/links/sub/sub/')
+
+    await page.getByRole('link', { name: 'Up three levels' }).click()
+    await expect(page).toHaveURL('/')
+  })
+})