Normalize URLs first before checking for UNC path

[email protected]

Fixed: 468027781
Change-Id: I8d7c602657e45a8110e695ab4a91b9c4ef6f62aa
Reviewed-on: https://chromium-review.googlesource.com/c/devtools/devtools-frontend/+/7255782
Commit-Queue: Benedikt Meurer <[email protected]>
Reviewed-by: Benedikt Meurer <[email protected]>
Auto-Submit: Simon Zünd <[email protected]>

Author: szuend

front_end/core/host/ResourceLoader.ts

@@ -206,7 +206,7 @@ async function fetchToString(url: string): Promise<string> {
 
 function canBeRemoteFilePath(url: string): boolean {
   try {
-    const urlObject = new URL(url);
+    const urlObject = new URL(new URL(url).toString());  // Normalize first.
     return urlObject.protocol === 'file:' && urlObject.host !== '';
   } catch {
     return false;

front_end/core/sdk/PageResourceLoader.test.ts

@@ -204,6 +204,20 @@ describe('PageResourceLoader', () => {
     assert.include(message, 'remote file');
   });
 
+  it('blocks UNC file paths with path traversal on Windows with the default setting', async () => {
+    if (!Host.Platform.isWin()) {
+      return;
+    }
+
+    const {loader} = setup({maxConcurrentLoads: 1});
+
+    const message =
+        await loader.loadResource(urlString`file:///abc\\..//smb-server/share/source-map.js.map'`, initiator)
+            .catch(e => e.message);
+
+    assert.include(message, 'remote file');
+  });
+
   it('allows remote file paths with the setting enabled', async () => {
     const {loader, settings} = setup({maxConcurrentLoads: 1});
     sinon.stub(Host.InspectorFrontendHost.InspectorFrontendHostInstance, 'loadNetworkResource')