Fix open redirect abuse via "strip trailing slash" middleware

Fixes #231.
gruntjs · Sep 9, 2024 · 3c97d3d · 3c97d3d
1 parent be93160
commit 3c97d3d
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 3 deletions.
diff --git a/package.json b/package.json
@@ -26,7 +26,7 @@
     "date-utils": "~1.2.21",
     "ent": "~2.2.0",
     "errorhandler": "~1.5.0",
-    "express": "~4.16.3",
+    "express": "~4.19.2",
     "grunt": "~1.6.1",
     "grunt-autoprefixer": "~3.0.4",
     "grunt-contrib-clean": "~1.1.0",

diff --git a/server.js b/server.js
@@ -35,9 +35,17 @@ app.use(bodyParser.json());
 app.set('views', path.join(__dirname, 'src', 'tmpl'));
 app.set('view engine', 'pug');
 
-// strip slashes
+/**
+ * Strip trailing slashes
+ *
+ * Redirect "/foo/" to "/foo". Browsers interpret absolute paths in Location
+ * as relative to the current origin.
+ *
+ * Avoid redirecting to a paths that browsers may interpret as URLs to other sites,
+ * such as "//foo" or "http://". https://github.com/gruntjs/gruntjs.com/issues/231
+ */
 app.use(function (req, res, next) {
-  if (req.url.substr(-1) === '/' && req.url.length > 1) {
+  if (req.url.startsWith('/') && !req.url.startsWith('//') && req.url.length >= 2 && req.url.slice(-1) === '/') {
     res.redirect(301, req.url.slice(0, -1));
   } else {
     next();