Validate redirect locations (v6) (#14707)

Author: brophdawg11

.changeset/loud-ways-float.md

@@ -0,0 +1,5 @@
+---
+"@remix-run/router": patch
+---
+
+Validate redirect locations

package.json

@@ -105,7 +105,7 @@
   },
   "filesize": {
     "packages/router/dist/router.umd.min.js": {
-      "none": "58.1 kB"
+      "none": "58.2 kB"
     },
     "packages/react-router/dist/react-router.production.min.js": {
       "none": "16.52 kB"

packages/router/router.ts

@@ -1783,7 +1783,8 @@ export function createRouter(init: RouterInit): Router {
         let location = normalizeRedirectLocation(
           result.response.headers.get("Location")!,
           new URL(request.url),
-          basename
+          basename,
+          init.history,
         );
         replace = location === state.location.pathname + state.location.search;
       }
@@ -2695,7 +2696,8 @@ export function createRouter(init: RouterInit): Router {
     location = normalizeRedirectLocation(
       location,
       new URL(request.url),
-      basename
+      basename,
+      init.history,
     );
     let redirectLocation = createLocation(state.location, location, {
       _isRedirect: true,
@@ -5154,19 +5156,47 @@ function normalizeRelativeRoutingRedirectResponse(
 function normalizeRedirectLocation(
   location: string,
   currentUrl: URL,
-  basename: string
+  basename: string,
+  historyInstance: History,
 ): string {
+  // Match Chrome's behavior:
+  // https://github.com/chromium/chromium/blob/216dbeb61db0c667e62082e5f5400a32d6983df3/content/public/common/url_utils.cc#L82
+  let invalidProtocols = [
+    "about:",
+    "blob:",
+    "chrome:",
+    "chrome-untrusted:",
+    "content:",
+    "data:",
+    "devtools:",
+    "file:",
+    "filesystem:",
+    // eslint-disable-next-line no-script-url
+    "javascript:",
+  ];
+
   if (ABSOLUTE_URL_REGEX.test(location)) {
     // Strip off the protocol+origin for same-origin + same-basename absolute redirects
     let normalizedLocation = location;
     let url = normalizedLocation.startsWith("//")
       ? new URL(currentUrl.protocol + normalizedLocation)
       : new URL(normalizedLocation);
+    if (invalidProtocols.includes(url.protocol)) {
+      throw new Error("Invalid redirect location");
+    }
     let isSameBasename = stripBasename(url.pathname, basename) != null;
     if (url.origin === currentUrl.origin && isSameBasename) {
       return url.pathname + url.search + url.hash;
     }
   }
+
+  try {
+    let url = historyInstance.createURL(location);
+    if (invalidProtocols.includes(url.protocol)) {
+      throw new Error("Invalid redirect location");
+    }
+  } catch (e) {}
+
   return location;
 }