

Merge pull request from GHSA-pgh6-m65r-2rhq
* fix redirect injection

* remove console.log

* fix extra case
Eomm authored Oct 11, 2021
1 parent bbdf96f commit c31f17d
Showing 2 changed files with 24 additions and 4 deletions.
20 changes: 17 additions & 3 deletions index.js
Expand Up @@ -152,7 +152,11 @@ async function fastifyStatic (fastify, opts) {
}

if (opts.redirect === true) {
reply.redirect(301, getRedirectUrl(request.raw.url))
try {
reply.redirect(301, getRedirectUrl(request.raw.url))
} catch (error) {
reply.send(error)
}
} else {
reply.callNotFound()
}
Expand Down Expand Up @@ -443,8 +447,18 @@ function getEncodingExtension (encoding) {
}

function getRedirectUrl (url) {
const parsed = new URL(url, 'http://localhost.com/')
return parsed.pathname + (parsed.pathname[parsed.pathname.length - 1] !== '/' ? '/' : '') + (parsed.search || '')
if (url.startsWith('//') || url.startsWith('/\\')) {
// malicous redirect
return '/'
}
try {
const parsed = new URL(url, 'http://localhost.com/')
return parsed.pathname + (parsed.pathname[parsed.pathname.length - 1] !== '/' ? '/' : '') + (parsed.search || '')
} catch (error) {
const err = new Error(`Invalid redirect URL: ${url}`)
err.statusCode = 400
throw err
}
}

module.exports = fp(fastifyStatic, {
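Review bot: The protocol-relative guard in getRedirectUrl tests the raw `url` string, but the value handed to reply.redirect is built from `parsed.pathname`, which the WHATWG parser normalizes (dot segments removed, backslashes folded into slashes for special schemes), so the leading characters of the output are not guaranteed to match those of the input. Applying the same guard to the normalized result closes that gap: after `const parsed = new URL(url, 'http://localhost.com/')` add `if (parsed.pathname.startsWith('//') || parsed.pathname.startsWith('/\\')) return '/'`. The trailing-slash check `parsed.pathname[parsed.pathname.length - 1] !== '/'` reads more clearly as `!parsed.pathname.endsWith('/')`, and the `// malicous redirect` comment should read `malicious`. The `reply.send(error)` added in the @@ -152 hunk depends on `err.statusCode = 400` being set here; a one-line comment on the throw, `// statusCode is honoured by reply.send in the redirect caller`, would make that coupling visible.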
8 changes: 7 additions & 1 deletion test/static.test.js
Expand Up @@ -3283,8 +3283,14 @@ t.test(
}
)

t.test('should not redirect to protocol-relative locations', { only: 1 }, (t) => {
t.test('should not redirect to protocol-relative locations', (t) => {
const urls = [
['//^/..', '/', 301],
['//^/.', null, 404], // it is NOT recognized as a directory by pillarjs/send
['//:/..', '/', 301],
['/\\\\a//google.com/%2e%2e%2f%2e%2e', '/', 301],
['//a//youtube.com/%2e%2e%2f%2e%2e', '/', 301],
['/^', null, 404], // it is NOT recognized as a directory by pillarjs/send
['//google.com/%2e%2e', '/', 301],
['//users/%2e%2e', '/', 301],
['//users', null, 404]
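Review bot: Every row in the new table starts with a literal `//` or `/\\`, so the cases only exercise the raw-prefix guard in getRedirectUrl and none of them reaches the new 400 branch; the test body continues past the hunk, so that path may be covered further down. A row whose input is not protocol-relative as written but whose normalized pathname starts with `//` would pin down that the redirect target, not just the input string, is what gets checked, and a row for a 400 response would document the error branch. The `{ only: 1 }` removal is correct, since leaving it in would have silenced the rest of the suite.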

0 comments on commit c31f17d
