path,path/filepath: add Join examples with ".." components

People sometimes expect Join to trim .. components from its arguments before joining, and are surprised that it doesn't. This is bad if they were relying on that assumed behaviour to prevent directory traversal attacks. While a careful reading of the documentation for Join and Clean might dispel this notion, it is not obvious at first glance. Add a case to the examples to nudge people in the right direction. Updates #40373 Change-Id: Ib5792c12ba1000811a0c0eb77048196d0b26da60 Reviewed-on: https://go-review.googlesource.com/c/go/+/249177 Run-TryBot: Ian Lance Taylor <iant@golang.org> Reviewed-by: Ian Lance Taylor <iant@golang.org> Reviewed-by: Rob Pike <r@golang.org>
2020-07-24 12:48:30 -07:00 · 2020-07-24 12:48:30 -07:00 · 98a0071a53
parent 0941fc3f9f
commit 98a0071a53
2 changed files with 9 additions and 0 deletions
--- a/src/path/example_test.go
+++ b/src/path/example_test.go
@ -79,13 +79,18 @@ func ExampleJoin() {
 	fmt.Println(path.Join("a", "b", "c"))
 	fmt.Println(path.Join("a", "b/c"))
 	fmt.Println(path.Join("a/b", "c"))
+
+	fmt.Println(path.Join("a/b", "../../../xyz"))
+
 	fmt.Println(path.Join("", ""))
 	fmt.Println(path.Join("a", ""))
 	fmt.Println(path.Join("", "a"))
+
 	// Output:
 	// a/b/c
 	// a/b/c
 	// a/b/c
+	// ../xyz
 	//
 	// a
 	// a
--- a/src/path/filepath/example_unix_test.go
+++ b/src/path/filepath/example_unix_test.go
@ -72,12 +72,16 @@ func ExampleJoin() {
 	fmt.Println(filepath.Join("a", "b/c"))
 	fmt.Println(filepath.Join("a/b", "c"))
 	fmt.Println(filepath.Join("a/b", "/c"))
+
+	fmt.Println(filepath.Join("a/b", "../../../xyz"))
+
 	// Output:
 	// On Unix:
 	// a/b/c
 	// a/b/c
 	// a/b/c
 	// a/b/c
+	// ../xyz
 }

 func ExampleMatch() {