Skip to content

fix(route-rules): prevent open redirect via protocol-relative url bypass #4236

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
pi0 merged 4 commits into from
Apr 29, 2026
Merged

fix(route-rules): prevent open redirect via protocol-relative url bypass #4236

Show file tree
Hide file tree
Changes from 2 commits
Commits
Show all changes
4 commits
Select commit Hold shift + click to select a range
b4bd26c
fix(route-rules): prevent open redirect via protocol-relative url bypass
pi0 Apr 29, 2026
16f3230
add test for proxy too
pi0 Apr 29, 2026
eda1818
update ufo
pi0 Apr 29, 2026
9bd19a9
update snapshots
pi0 Apr 29, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 11 additions & 2 deletions src/runtime/internal/route-rules.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -32,7 +32,7 @@ export const redirect: RouteRuleCtor<"redirect"> = ((m) =>
if (!isPathInScope(event.url.pathname, strpBase)) {
throw new HTTPError({ status: 400 });
}
targetPath = withoutBase(targetPath, strpBase);
targetPath = collapseLeadingSlashes(withoutBase(targetPath, strpBase));
}
target = joinURL(target.slice(0, -3), targetPath);
} else if (event.url.search) {
Expand All @@ -55,7 +55,7 @@ export const proxy: RouteRuleCtor<"proxy"> = ((m) =>
if (!isPathInScope(event.url.pathname, strpBase)) {
throw new HTTPError({ status: 400 });
}
targetPath = withoutBase(targetPath, strpBase);
targetPath = collapseLeadingSlashes(withoutBase(targetPath, strpBase));
}
target = joinURL(target.slice(0, -3), targetPath);
} else if (event.url.search) {
Expand Down Expand Up @@ -121,3 +121,12 @@ export function isPathInScope(pathname: string, base: string): boolean {
}
return !base || canonical === base || canonical.startsWith(base + "/");
}

// Collapse any leading run of slashes to a single slash. After `withoutBase`
// strips the wildcard prefix, a request like `/legacy//evil.com` leaves
// `//evil.com`, which `joinURL("", "//evil.com")` would emit verbatim and the
// browser would interpret as a protocol-relative URL pointing at an external
// host (GHSA-9phm-9p8f-hw5m).
function collapseLeadingSlashes(path: string): string {
return path.startsWith("//") ? path.replace(/^\/+/, "/") : path;
}
2 changes: 2 additions & 0 deletions test/fixture/nitro.config.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -111,13 +111,15 @@ export default defineConfig({
redirect: { to: "https://nitro.build/", status: 308 },
},
"/rules/redirect/wildcard/**": { redirect: "https://nitro.build/**" },
"/rules/redirect/legacy/**": { redirect: "/**" },
"/rules/nested/**": { redirect: "/base", headers: { "x-test": "test" } },
"/rules/nested/override": { redirect: { to: "/other" } },
"/rules/_/noncached/cached": { swr: true },
"/rules/_/noncached/**": { swr: false, cache: false, isr: false },
"/rules/_/cached/noncached": { cache: false, swr: false, isr: false },
"/rules/_/cached/**": { swr: true },
"/api/proxy/**": { proxy: "/api/echo" },
"/rules/proxy/legacy/**": { proxy: "/api/wildcard/**" },
"/cdn/**": { proxy: "https://cdn.jsdelivr.net/**" },
"/rules/basic-auth/**": {
basicAuth: { username: "admin", password: "secret", realm: "Secure Area" },
Expand Down
18 changes: 18 additions & 0 deletions test/tests.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -317,6 +317,15 @@ export function testNitro(
});
expect(wildcard.status).toBe(307);
expect(wildcard.headers.location).toBe("https://nitro.build/nuxt");

// Regression test for GHSA-9phm-9p8f-hw5m: a leading `//` after the
// wildcard prefix must not be forwarded as a protocol-relative URL.
const legacy = await callHandler({
url: "/rules/redirect/legacy//evil.com",
});
expect(legacy.status).toBe(307);
expect(legacy.headers.location).not.toMatch(/^\/\//);
expect(legacy.headers.location).toBe("/evil.com");
Comment on lines +321 to +328

@coderabbitai coderabbitai Bot Apr 29, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🛠️ Refactor suggestion | 🟠 Major

Please add the equivalent proxy regression.

The runtime change hardens proxy alongside redirect, but this test only covers the redirect path. A matching proxy fixture/assertion would keep the second security-sensitive branch from regressing silently.

🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In `@test/tests.ts` around lines 321 - 328, Add a mirrored regression for the
proxy path: call callHandler with the proxy route that mirrors the redirect test
(e.g. use url "/rules/proxy/legacy//evil.com" similar to the existing redirect
case), capture the response (name it like proxy), assert the status matches the
expected proxy status (same as redirect, e.g. 307), and add the same header
checks on proxy.headers.location — assert it does not match /^\/\// and equals
"/evil.com" so the proxy branch is covered by the same security regression test;
place the new assertions alongside the existing redirect assertions in the same
test block referencing callHandler and proxy (or proxyResponse) to locate the
change.

});

it("binary response", async () => {
Expand Down Expand Up @@ -569,6 +578,15 @@ export function testNitro(
}
});

it("runtime proxy collapses leading slashes after wildcard prefix", async () => {
// Regression test for GHSA-9phm-9p8f-hw5m: a leading `//` after the
// wildcard prefix must not be forwarded verbatim to the upstream.
const { data } = await callHandler({
url: "/rules/proxy/legacy//evil.com",
});
expect(data).toBe("evil.com");
});

it("external proxy", async () => {
const { data, headers, status } = await callHandler({
url: "/cdn/npm/bootstrap@5.3.8/dist/js/bootstrap.min.js",
Expand Down
Loading