This repository was archived by the owner on Feb 2, 2024. It is now read-only.

Only match beginning of URL when stripping additional forward slashes #76

@q0rban

Prerequisites

  • I have written a descriptive issue title
  • I have searched existing issues to ensure the bug has not already been reported

Fastify version

2.1.0

Plugin version

No response

Node.js version

16.x

Operating system

Linux

Operating system version (i.e. 20.04, 11.3, 10)

N/A

Description

In #42 a scenario was given where a user might be able to perform an SSRF attack by using a specially crafted URL with two leading forward slashes. The implemented fix has the side effect of stripping all double slashes from the entire request URL.

For example, given the following URL:

https://chicken.com/duck?redirect_uri=//quack-a-doodle-doo.com

The proxy will then strip the additional / off of the URL there.

The slash in a query parameter does not need to be URL-encoded.

The characters slash ("/") and question mark ("?") may represent data within the query component.

If I am understanding the vulnerability originally reported in #42, it only exists if the // is at the beginning of the URL.

What I would like to propose is to only convert // if they are at the beginning of the URL.

Steps to Reproduce

Pass a request to fast-proxy with double slashes in the URL, such as /duck?redirect_uri=//quack-a-doodle-doo.com.

Expected Behavior

No response
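To make the difference concrete, here is an added JavaScript example (not fast-proxy's own code; the helper names are hypothetical) that contrasts the over-broad rewrite with one anchored at the start of the path, and checks which origin a standards-compliant URL parser resolves each form to:

```javascript
// Added illustration for this issue; not fast-proxy's implementation.
// Both helpers are hypothetical names chosen for this example.

// Over-broad variant: collapses every run of slashes anywhere in the URL,
// so a legitimate "//" inside the query string is rewritten as well.
function stripAllDoubleSlashes(url) {
  return url.replace(/\/{2,}/g, '/');
}

// Proposed variant: only collapse slashes at the very beginning of the path,
// where a "//host" prefix is parsed as a scheme-relative URL and would point
// the proxied request at a different origin. The query string is untouched.
function stripLeadingDoubleSlashes(url) {
  return url.replace(/^\/{2,}/, '/');
}

// Host that a URL parser resolves a request path to, given the proxy's base.
// This is the defender's check: the path must never change the target origin.
function resolvedHost(path, base) {
  return new URL(path, base).host;
}

// Constructed sample inputs: the URL from this issue and a leading-slash case.
const BASE = 'https://chicken.com';
const QUERY_URL = '/duck?redirect_uri=//quack-a-doodle-doo.com';
const LEADING_URL = '//quack-a-doodle-doo.com/duck';

// The query-string "//" does not move the request off the proxy's origin,
// so rewriting it only corrupts the redirect_uri parameter.
// resolvedHost(QUERY_URL, BASE)                         -> 'chicken.com'
// stripAllDoubleSlashes(QUERY_URL)                      -> '/duck?redirect_uri=/quack-a-doodle-doo.com'
// stripLeadingDoubleSlashes(QUERY_URL)                  -> unchanged

// The leading "//" is the case that actually changes the origin, and the
// anchored rewrite is enough to neutralise it.
// resolvedHost(LEADING_URL, BASE)                       -> 'quack-a-doodle-doo.com'
// resolvedHost(stripLeadingDoubleSlashes(LEADING_URL), BASE) -> 'chicken.com'
```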
