Skip to content

Commit

Permalink
fix: remove consecutive slashes (#3882)
Browse files Browse the repository at this point in the history 
A small middleware who will rewrite potential dual slashes to a single slash.
  • Loading branch information
@kwasniew @ivarconr
kwasniew authored and ivarconr committed May 27, 2023
1 parent 7ef043b commit 9381b1b
Show file tree
Hide file tree
Showing 2 changed files with 10 additions and 0 deletions.
5 changes: 5 additions & 0 deletions src/lib/app.ts
View file
Expand Up @@ -66,6 +66,11 @@ export default async function getApp(
app.use(compression());
app.use(cookieParser());

app.use((req, res, next) => {
req.url = req.url.replace(/\/+/g, '/');
next();
});

app.use(
`${baseUriPath}/api/admin/features-batch`,
express.json({ strict: false, limit: '500kB' }),
Expand Down
5 changes: 5 additions & 0 deletions src/test/e2e/api/auth/leading-slashes-are-stripped.e2e.test.ts
View file
Expand Up @@ -29,6 +29,11 @@ afterAll(async () => {
await db.destroy();
});

test('Access to//api/admin/tags are refused no matter how many leading slashes', async () => {
await app.request.get('//api/admin/tags').expect(401);
await app.request.get('////api/admin/tags').expect(401);
});

test('Access to /api/client/features are refused no matter how many leading slashes', async () => {
await app.request.get('/api/client/features').expect(401);
await app.request.get('/////api/client/features').expect(401);
Expand Down

0 comments on commit 9381b1b

Please sign in to comment.