net/url: fix JoinPath to clean percent-encoded dot-dot traversals

[mohammadmseet-hue]

JoinPath and (*URL).JoinPath document that:

The result is cleaned of any ./ or ../ elements.

This guarantee fails for percent-encoded variants of traversal
sequences. path.Join only recognises the literal tokens "." and
".." so it treats "..%2Fadmin" as an opaque single filename. When
setPath later decodes the percent-encoding, URL.Path contains an
unresolved "../" traversal.

Concrete example:

u, _ := url.JoinPath("https://example.com/v1/", "..%2Fadmin")
parsed, _ := url.Parse(u)
// parsed.Path = "/v1/../admin"  -- traversal NOT cleaned

All five encoding variants are affected:

"..%2Fadmin"      =>  /v1/../admin
"%2E%2E/admin"    =>  /v1/../admin
"%2E%2E%2Fadmin"  =>  /v1/../admin
".%2E%2Fadmin"    =>  /v1/../admin
"%2E.%2Fadmin"    =>  /v1/../admin

This enables auth bypass in any Go application that uses JoinPath
to build a URL from untrusted user input and enforces access
control based on a path prefix:

target, _ := url.JoinPath(upstream, "/api/v1/", userInput)
// userInput = "..%2F..%2Finternal%2Fsecrets"
// target.Path = "/api/v1/../../internal/secrets"
// ACL check passes (starts with /api/v1/)
// After router resolution: /internal/secrets

Fix: decode each caller-supplied element with PathUnescape before
joining so that path.Join can see and clean the real traversal
tokens, then re-encode each decoded segment with PathEscape so the
result round-trips correctly. The base URL's own escaped path is
left unchanged.

Added five new test cases covering all encoding variants.

Fixes #78564

[google-cla]

Thanks for your pull request! It looks like this may be your first contribution to a Google open source project. Before we can look at your pull request, you'll need to sign a Contributor License Agreement (CLA).

View this failed invocation of the CLA check for more information.

For the most up to date status, view the checks section at the bottom of the pull request.

[gopherbot]

This PR (HEAD: f1c328c) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/763541.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Gopher Robot:

Patch Set 1:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/763541.
After addressing review feedback, remember to publish your drafts!

[gopherbot]

This PR (HEAD: 0f7d6d3) has been imported to Gerrit for code review.

Please visit Gerrit at https://go-review.googlesource.com/c/go/+/763541.

Important tips:

• Don't comment on this PR. All discussion takes place in Gerrit.
• You need a Gmail or other Google account to log in to Gerrit.
• To change your code in response to feedback:
  • Push a new commit to the branch used by your GitHub PR.
  • A new "patch set" will then appear in Gerrit.
  • Respond to each comment by marking as Done in Gerrit if implemented as suggested. You can alternatively write a reply.
  • Critical: you must click the blue Reply button near the top to publish your Gerrit responses.
  • Multiple commits in the PR will be squashed by GerritBot.
• The title and description of the GitHub PR are used to construct the final commit message.
  • Edit these as needed via the GitHub web interface (not via Gerrit or git).
  • You should word wrap the PR description at ~76 characters unless you need longer lines (e.g., for tables or URLs).
• See the Sending a change via GitHub and Reviews sections of the Contribution Guide as well as the FAQ for details.

[gopherbot]

Message from Mohammad Seet:

Patch Set 2:

(1 comment)

---

Please don’t reply on this GitHub thread. Visit golang.org/cl/763541.
After addressing review feedback, remember to publish your drafts!