fix: isRelativeURL function logic and edge cases

[mdawoud27]

Proposed changes (including videos or screenshots)

Fixed the isRelativeURL function to correctly identify relative URLs and prevent potential security vulnerabilities.

Changes:

• Updated the regex pattern in isRelativeURL to properly detect absolute URIs with protocol schemes
• The function now correctly returns true for simple relative paths (test, ., ..)
• Correctly returns false for absolute URIs with schemes (data:, javascript:, https:, etc.)
• All test cases now pass, including the three previously failing cases marked with TODO comments

Issue(s)

Fixes #38605

Steps to test or reproduce

1. Run the mocha unit tests:

   cd apps/meteor
   yarn mocha --config .mocharc.js tests/unit/lib/utils/isRelativeURL.spec.ts

2. Verify all test cases pass, particularly:

   • test returns true (simple relative path)
   • . returns true (current directory)
   • .. returns true (parent directory)
   • data:image/gif;base64,... returns false (data URI)
   • javascript:alert(1) returns false (javascript protocol - security)
   • https://rocket.chat returns false (absolute URL)
   • //rocket.chat returns false (protocol-relative URL)

Summary by CodeRabbit

• Bug Fixes

  • Corrected URL detection so relative paths (including plain names, single/double dots, and leading slashes) are recognized as relative while protocol, data, and protocol-relative URLs are treated as non-relative.

• Tests

  • Updated and expanded unit tests to reflect the revised URL relativity rules and cover additional edge cases.

• Chores

  • Added a patch-level changeset entry for release tracking.

[dionisio-bot]

Looks like this PR is not ready to merge, because of the following issues:

• This PR is missing the 'stat: QA assured' label
• This PR is missing the required milestone or project

Please fix the issues and try again

If you have any trouble, please check the PR guidelines

[changeset-bot]

⚠️ No Changeset found

Latest commit: c9b6bfb

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[coderabbitai]

Walkthrough

The isRelativeURL utility was updated to invert its regex logic: it now treats strings with protocol schemes or leading // as non-relative and returns true for simple filenames, ./.., and paths starting with /, ./, or ../. Tests and a changeset were adjusted accordingly.

Changes

Cohort / File(s)	Summary
URL Detection Logic apps/meteor/lib/utils/isRelativeURL.ts	Rewrote regex check to detect absolute URIs (protocol schemes like data:, javascript:, etc.) and //-prefixed URLs, returning the negation to identify relative URLs.
Test Expectations apps/meteor/tests/unit/lib/utils/isRelativeURL.spec.ts	Updated and expanded test cases: '/', 'test', '.', '..', ./*, ../* expected true; protocol and protocol-relative examples like javascript:alert(1) and //rocket.chat expected false; data URL expectation changed to false.
Release Notes .changeset/fix-isrelativeurl-logic.md	Added a patch changeset documenting the fix to isRelativeURL logic and bump for @rocket.chat/meteor.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through regex, found the clue,
Schemes and slashes I now eschew,
Dots and paths can safely play,
Relative routes have won the day,
Sniffing URLs the rabbit way. 🥕

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title 'fix: isRelativeURL function logic and edge cases' directly matches the main change—fixing the isRelativeURL function's regex logic to handle relative paths and reject absolute URIs.
Linked Issues check	✅ Passed	The PR successfully addresses all coding requirements from #38605: returns true for relative paths (test, ., .., /), rejects absolute URIs with schemes (data:, javascript:, https:), and rejects protocol-relative URLs (//).
Out of Scope Changes check	✅ Passed	All changes are directly scoped to fixing isRelativeURL logic, including implementation updates, corresponding test updates, and a changeset entry—no unrelated modifications present.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

No actionable comments were generated in the recent review. 🎉

📜 Recent review details

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between c9b6bfb and cb2f80a.

📒 Files selected for processing (1)

• .changeset/fix-isrelativeurl-logic.md

🔇 Additional comments (1)

.changeset/fix-isrelativeurl-logic.md (1)

1-5: Looks good.
Clear patch-level changeset with a concise, accurate description.

_{✏️ Tip: You can disable this entire section by setting review_details to false in your review settings.}

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cubic-dev-ai]

No issues found across 2 files