[PR #108] [MERGED] fix: dev sanitizeDestination now normalizes leading backslashes #317

New issue

Closed

opened 2026-05-06 12:39:10 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:39:10 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/108
Author: @threepointone
Created: 2/26/2026
Status: ✅ Merged
Merged: 2/26/2026
Merged by: @threepointone

Base: main ← Head: fix/dev-sanitize-destination-backslash

📝 Commits (1)

a224232 fix: dev sanitizeDestination now normalizes leading backslashes

📊 Changes

1 file changed (+1 additions, -1 deletions)

View changed files

📝 packages/vinext/src/server/app-dev-server.ts (+1 -1)

📄 Description

The dev server's __sanitizeDestination only collapsed leading // but ignored leading backslashes (e.g. \evil.com). The prod version in config-matchers.ts already used /^[\\/]+/ to handle both.

This aligns the dev codegen to match, closing a minor open-redirect vector where a rewrite destination starting with \ could be interpreted as a protocol-relative URL by the browser.

Risk: LOW — redirect destinations are developer-configured via next.config.js, and a request-level guard already blocks protocol-relative incoming paths. This fix ensures defense-in-depth parity between dev and prod.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/108 **Author:** [@threepointone](https://github.com/threepointone) **Created:** 2/26/2026 **Status:** ✅ Merged **Merged:** 2/26/2026 **Merged by:** [@threepointone](https://github.com/threepointone) **Base:** `main` ← **Head:** `fix/dev-sanitize-destination-backslash` --- ### 📝 Commits (1) - [`a224232`](https://github.com/cloudflare/vinext/commit/a224232c1c58eb0631403b8038d5e7f14c28634a) fix: dev sanitizeDestination now normalizes leading backslashes ### 📊 Changes **1 file changed** (+1 additions, -1 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/server/app-dev-server.ts` (+1 -1) </details> ### 📄 Description The dev server's `__sanitizeDestination` only collapsed leading `//` but ignored leading backslashes (e.g. `\evil.com`). The prod version in `config-matchers.ts` already used `/^[\\/]+/` to handle both. This aligns the dev codegen to match, closing a minor open-redirect vector where a rewrite destination starting with `\` could be interpreted as a protocol-relative URL by the browser. **Risk: LOW** — redirect destinations are developer-configured via `next.config.js`, and a request-level guard already blocks protocol-relative incoming paths. This fix ensures defense-in-depth parity between dev and prod. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>