Merge pull request #64 from namecheap/fix/redirect-vulnerability-yet-…

…another-case fix: yet another case when redirect passes through due to url malformation
namecheap · Oct 21, 2024 · e636912 · e636912
2 parents 50d5290 + 8a7a6e6
commit e636912
Show file tree

Hide file tree

Showing 4 changed files with 13 additions and 6 deletions.
diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -1,6 +1,6 @@
 {
   "name": "ilc-sdk",
-  "version": "5.2.1",
+  "version": "5.2.4",
   "description": "SDK for app development with Isomorphic Layout Composer",
   "main": "dist/server/index.js",
   "types": "dist/server/index.d.ts",

diff --git a/src/app/utils/parseAsFullyQualifiedURI.ts b/src/app/utils/parseAsFullyQualifiedURI.ts
@@ -1,12 +1,12 @@
 export default function parseAsFullyQualifiedURI(uri: string) {
     let origin = '';
     try {
+        // Normalize multiple slashes to a single slash, but don't affect the initial "http://" or "https://"
+        uri = uri.replace(/([^:])\/{2,}/g, '$1/');
+
         const urlObj = new URL(uri);
         origin = urlObj.origin;
 
-        // Apply replacement only to the pathname, leaving the rest (search, hash) intact
-        urlObj.pathname = urlObj.pathname.replace(/\/{2,}/g, '/');
-
         uri = urlObj.pathname + urlObj.search + urlObj.hash;
     } catch {}
 

diff --git a/test/app/IlcIntl.spec.ts b/test/app/IlcIntl.spec.ts
@@ -199,6 +199,13 @@ describe('IlcIntl', () => {
             });
         });
 
+        it('returns locale with normalized route when multiple slashes are present', () => {
+            expect(IlcIntl.parseUrl(baseConfig, '/es///tst.com')).to.eql({
+                cleanUrl: '/tst.com',
+                locale: 'es-ES',
+            });
+        });
+
         it('returns locale with default culture when no culture present in the route', () => {
             expect(IlcIntl.parseUrl(baseConfig, '/es-MX/tst')).to.eql({
                 cleanUrl: '/tst',