fix(utils): prevent open redirect via protocol-relative path in redirectBack()

sanitize referer pathname starting with `//` to avoid browser interpreting it as protocol-relative URL

Author: pi0

src/utils/response.ts

@@ -92,7 +92,11 @@ export function redirectBack(
   if (referer && URL.canParse(referer)) {
     const refererURL = new URL(referer);
     if (refererURL.origin === event.url.origin) {
-      location = refererURL.pathname + (opts.allowQuery ? refererURL.search : "");
+      let pathname = refererURL.pathname;
+      if (pathname.startsWith("//")) {
+        pathname = "/" + pathname.replace(/^\/+/, "");
+      }
+      location = pathname + (opts.allowQuery ? refererURL.search : "");
     }
   }
   return redirect(location, opts.status);

test/utils.test.ts

@@ -109,6 +109,17 @@ describeMatrix("utils", (t, { it, describe, expect }) => {
       expect(res.headers.get("location")).toBe("/");
     });
 
+    it("prevents open redirect via protocol-relative path in referer", async () => {
+      t.app.post("/submit", (event) => redirectBack(event));
+      const baseUrl = t.url || "http://localhost";
+      const res = await t.fetch("/submit", {
+        method: "POST",
+        headers: { referer: `${baseUrl}//evil.com/steal` },
+      });
+      expect(res.headers.get("location")).not.toBe("//evil.com/steal");
+      expect(res.headers.get("location")).toBe("/evil.com/steal");
+    });
+
     it("uses fallback when referer is invalid URL", async () => {
       t.app.post("/submit", (event) => redirectBack(event, { fallback: "/safe" }));
       const res = await t.fetch("/submit", {