Skip to content

fix: normalize referer before redirect#1909

Merged
fengmk2 merged 1 commit intov2.xfrom
fix-GHSA-g8mr-fgfg-5qpc-for-v2
Oct 18, 2025
Merged

fix: normalize referer before redirect#1909
fengmk2 merged 1 commit intov2.xfrom
fix-GHSA-g8mr-fgfg-5qpc-for-v2

Conversation

@fengmk2
Copy link
Member

@fengmk2 fengmk2 commented Oct 18, 2025
edited
Loading

pick from #1908

@fengmk2 fengmk2 requested a review from Copilot October 18, 2025 14:28
@fengmk2 fengmk2 added the bug label Oct 18, 2025
@fengmk2 fengmk2 merged commit 7af5268 into v2.x Oct 18, 2025
13 checks passed
Copilot AI reviewed Oct 18, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR addresses a security issue by normalizing and validating the referrer before performing a "back" redirect to prevent scheme-relative URLs (e.g., //evil.com) from causing open redirects.

  • Removes the naive early-return for referrers starting with "/" so all referrer values are resolved against the request origin and validated as same-origin.
  • Updates tests to set the host explicitly, adds a test for the double-slash scheme-relative URL case, and removes a test for the "Referer" header variant.

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
lib/response.js Removes early return for relative referrers to ensure same-origin validation via URL parsing.
tests/response/redirect.js Updates test setup to include host, adds a test for scheme-relative referrer, and removes test for the "Referer" header variant.

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

lib/response.js
@@ -243,11 +243,6 @@ module.exports = {
_getBackReferrer() {
const referrer = this.ctx.get('Referrer');
Copy link

Copilot AI Oct 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Only reading the 'Referrer' header misses the de facto standard HTTP header 'Referer'. To maintain compatibility with real-world clients and browsers, read both headers, for example: const referrer = this.ctx.get('Referrer') || this.ctx.get('Referer');

Suggested change
const referrer = this.ctx.get('Referrer');
const referrer = this.ctx.get('Referrer') || this.ctx.get('Referer');

Copilot uses AI. Check for mistakes.
__tests__/response/redirect.js
Comment on lines +86 to +89
assert.equal(ctx.response.header.location, '/');

ctx.redirect('back', '/home');
assert.equal(ctx.response.header.location, '/home');
Copy link

Copilot AI Oct 18, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Use assert.strictEqual for consistency with the rest of the file and to avoid loose equality: replace assert.equal(...) with assert.strictEqual(...).

Suggested change
assert.equal(ctx.response.header.location, '/');
ctx.redirect('back', '/home');
assert.equal(ctx.response.header.location, '/home');
assert.strictEqual(ctx.response.header.location, '/');
ctx.redirect('back', '/home');
assert.strictEqual(ctx.response.header.location, '/home');

Copilot uses AI. Check for mistakes.
@fengmk2 fengmk2 deleted the fix-GHSA-g8mr-fgfg-5qpc-for-v2 branch October 18, 2025 14:30
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@fengmk2