fix(server): block bypassing absolute URL with leading whitespace

johannschopplich · Dec 8, 2023 · 72762a2 · 72762a2
1 parent 8c26a7a
commit 72762a2
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/src/runtime/server/handler.ts b/src/runtime/server/handler.ts
@@ -28,7 +28,7 @@ export default defineEventHandler(async (event): Promise<any> => {
   } = _body
 
   // Check if the path is an absolute URL
-  if (/^https?:\/\//.test(path)) {
+  if (new URL(path, 'http://localhost').origin !== 'http://localhost') {
     throw createError({
       statusCode: 400,
       statusMessage: 'Absolute URLs are not allowed',