[PR #92] [MERGED] fix: sanitize redirect destinations and digest parsing #302

Closed
opened 2026-05-06 12:39:04 +02:00 by BreizhHardware · 0 comments

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/92
Author: @southpolesteve
Created: 2/26/2026
Status: Merged
Merged: 2/26/2026
Merged by: @southpolesteve

Base: main ← Head: fix/redirect-sanitization


📝 Commits (1)

  • 8aab152 (https://github.com/cloudflare/vinext/commit/8aab152354c5aeb8d8854821df189c2d1fde84be) fix: sanitize redirect destinations and digest parsing

📊 Changes

6 files changed (+191 additions, -21 deletions)


📝 packages/vinext/src/config/config-matchers.ts (+29 -0)
📝 packages/vinext/src/index.ts (+14 -0)
📝 packages/vinext/src/server/app-dev-server.ts (+26 -14)
📝 packages/vinext/src/server/prod-server.ts (+7 -4)
📝 packages/vinext/src/shims/navigation.ts (+2 -2)
📝 tests/shims.test.ts (+113 -1)

📄 Description

Summary

  • Prevents protocol-relative URLs in redirect destinations by normalizing double slashes. After parameter substitution, a catch-all redirect like /:path* can produce //evil.com when the captured segment starts with / (from a decoded %2F). A new sanitizeDestination() function collapses leading // to / for non-external URLs.
  • Fixes redirect digest parsing to handle URLs containing semicolons. The NEXT_REDIRECT;type;url;status digest format uses ; as a delimiter, so URLs with semicolons would corrupt the parsed fields. The URL is now encodeURIComponent-encoded when creating the digest and decoded when parsing it.

Applied consistently across all entry points (App Router dev, Pages Router dev/prod, config matchers).


🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.
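The two fixes the description summarises, written out as an added example; this is not vinext's own code and the PR diff is not reproduced on this page. The helper names `applyCatchAll`, `createRedirectDigest`, `parseRedirectDigest` and the scheme-based "external URL" test are this example's own assumptions; only `sanitizeDestination` and the `NEXT_REDIRECT;type;url;status` digest layout are named in the PR.

```typescript
// Added illustration of the redirect-sanitization and digest-parsing fixes.
// Not vinext's code: function shapes and the external-URL heuristic are assumed.

// Assumption: a destination counts as "external" when it carries a scheme
// such as https://; those are left untouched, everything else is path-like.
const EXTERNAL_URL_RE = /^[a-z][a-z0-9+.-]*:\/\//i;

// Collapse any run of leading slashes to a single "/" so that a substituted
// destination like "//evil.com/x" cannot be interpreted by the browser as a
// protocol-relative URL pointing at another host.
function sanitizeDestination(destination: string): string {
  if (EXTERNAL_URL_RE.test(destination)) return destination;
  if (destination.startsWith("//")) return destination.replace(/^\/+/, "/");
  return destination;
}

// Minimal stand-in for parameter substitution: ":name" or ":name*" tokens in
// the destination template are replaced with captured (already decoded) values.
// This is where "/:path*" turns into "//evil.com" when the capture starts with "/".
function applyCatchAll(template: string, params: Record<string, string>): string {
  return template.replace(/:(\w+)\*?/g, (_m: string, name: string) => params[name] ?? "");
}

const REDIRECT_DIGEST_PREFIX = "NEXT_REDIRECT";

// Digest uses ";" as the field delimiter, so the URL is percent-encoded to
// keep any ";" it contains from splitting into extra fields.
function createRedirectDigest(type: "push" | "replace", url: string, status: number): string {
  return [REDIRECT_DIGEST_PREFIX, type, encodeURIComponent(url), String(status)].join(";");
}

// Reverse of createRedirectDigest: exactly four fields, then decode the URL.
function parseRedirectDigest(
  digest: string,
): { type: string; url: string; status: number } | null {
  const parts = digest.split(";");
  if (parts.length !== 4 || parts[0] !== REDIRECT_DIGEST_PREFIX) return null;
  const [, type, encodedUrl, statusText] = parts;
  const status = Number(statusText);
  if (!Number.isInteger(status)) return null;
  return { type, url: decodeURIComponent(encodedUrl), status };
}

// The pre-fix digest shape, kept only to show why a raw URL breaks parsing.
function naiveRedirectDigest(type: string, url: string, status: number): string {
  return [REDIRECT_DIGEST_PREFIX, type, url, String(status)].join(";");
}

// Walk through the scenario from the PR: a catch-all capture decoded from %2F.
function demo(): { unsanitized: string; sanitized: string; naiveFieldCount: number } {
  const captured = decodeURIComponent("%2Fevil.com"); // "/evil.com"
  const unsanitized = applyCatchAll("/:path*", { path: captured }); // "//evil.com"
  const sanitized = sanitizeDestination(unsanitized); // "/evil.com"
  const naiveFieldCount = naiveRedirectDigest("replace", "/a;b", 307).split(";").length; // 5
  return { unsanitized, sanitized, naiveFieldCount };
}
```

`demo()` reproduces the failure chain the description outlines: the decoded `%2F` yields a captured segment that begins with `/`, the catch-all template then produces `//evil.com`, and `sanitizeDestination` folds it back to `/evil.com`. The naive digest shows the field count jumping from four to five as soon as the URL contains a `;`, which is what the `encodeURIComponent` round-trip prevents.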
