[PR #280] [MERGED] fix: sanitize redirect destination in generated worker entry #439

New issue

Closed

opened 2026-05-06 12:39:49 +02:00 by BreizhHardware · 0 comments

BreizhHardware commented

2026-05-06 12:39:49 +02:00

Owner

📋 Pull Request Information

Original PR: https://github.com/cloudflare/vinext/pull/280
Author: @southpolesteve
Created: 3/6/2026
Status: ✅ Merged
Merged: 3/6/2026
Merged by: @southpolesteve

Base: main ← Head: fix/deploy-redirect-sanitization

📝 Commits (1)

3b61c86 fix: sanitize redirect destination in generated worker entry

📊 Changes

1 file changed (+6 additions, -3 deletions)

View changed files

📝 packages/vinext/src/deploy.ts (+6 -3)

📄 Description

Summary

The generated Pages Router worker entry (generatePagesRouterWorkerEntry) was not wrapping the final redirect destination in sanitizeDestination(), unlike the equivalent code in prod-server.ts
Added sanitizeDestination to the imports from vinext/config/config-matchers in the generated worker template
Wrapped the redirect destination computation in sanitizeDestination() to normalize protocol-relative URLs (e.g. //evil.com becomes /evil.com) before setting the Location header

This brings the generated worker entry in line with prod-server.ts which already applies this normalization.

_{🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.}

## 📋 Pull Request Information **Original PR:** https://github.com/cloudflare/vinext/pull/280 **Author:** [@southpolesteve](https://github.com/southpolesteve) **Created:** 3/6/2026 **Status:** ✅ Merged **Merged:** 3/6/2026 **Merged by:** [@southpolesteve](https://github.com/southpolesteve) **Base:** `main` ← **Head:** `fix/deploy-redirect-sanitization` --- ### 📝 Commits (1) - [`3b61c86`](https://github.com/cloudflare/vinext/commit/3b61c8632187d880b6de24b725ccf8cfa0ded5b6) fix: sanitize redirect destination in generated worker entry ### 📊 Changes **1 file changed** (+6 additions, -3 deletions) <details> <summary>View changed files</summary> 📝 `packages/vinext/src/deploy.ts` (+6 -3) </details> ### 📄 Description ## Summary - The generated Pages Router worker entry (`generatePagesRouterWorkerEntry`) was not wrapping the final redirect destination in `sanitizeDestination()`, unlike the equivalent code in `prod-server.ts` - Added `sanitizeDestination` to the imports from `vinext/config/config-matchers` in the generated worker template - Wrapped the redirect destination computation in `sanitizeDestination()` to normalize protocol-relative URLs (e.g. `//evil.com` becomes `/evil.com`) before setting the `Location` header This brings the generated worker entry in line with `prod-server.ts` which already applies this normalization. --- <sub>🔄 This issue represents a GitHub Pull Request. It cannot be merged through Gitea due to API limitations.</sub>