Merge pull request #3 from herber/fix-open-redirect

implement fix for "open redirect when target domain name is used as html filename on server"
herber · Apr 12, 2018 · 1e5c75f · 1e5c75f
2 parents c33aaae + 408dd52
commit 1e5c75f
Show file tree

Hide file tree

Showing 3 changed files with 10 additions and 3 deletions.
diff --git a/bin/hekto.js b/bin/hekto.js
@@ -39,6 +39,13 @@ if (args.v || args.version) {
 
 args._.splice(0, 1);
 
+const stripTrailingSlash = (str) => {
+    if(str.substr(-1) === '/') {
+        return str.substr(0, str.length - 1);
+    }
+    return str;
+}
+
 /*
   if `serve` command is passed in
 */
@@ -184,7 +191,7 @@ if (args.serve) {
       // Add trailing slash for extensionless html
       if (fs.existsSync(file + '.html') && fs.lstatSync(file + '.html').isFile()) {
         this.status = 307;
-        this.redirect(this.request.url + '/' + query);
+        this.redirect(this.request.origin + stripTrailingSlash(this.request.url) + '/' + query);
 
         return ;
       }

diff --git a/package-lock.json b/package-lock.json
diff --git a/package.json b/package.json
@@ -4,7 +4,7 @@
     "url": "https://github.com/tobihrbr/hekto.git",
     "type": "git"
   },
-  "version": "0.2.3",
+  "version": "0.2.4",
   "description": "Serve static files",
   "keywords": [
     "serve",