Skip to content

fix: normalize referer before redirect#1908

Merged
fengmk2 merged 4 commits intomasterfrom
fix-GHSA-g8mr-fgfg-5qpc
Oct 18, 2025
Merged

fix: normalize referer before redirect#1908
fengmk2 merged 4 commits intomasterfrom
fix-GHSA-g8mr-fgfg-5qpc

Conversation

@fengmk2
Copy link
Member

@fengmk2 fengmk2 commented Oct 18, 2025

No description provided.

@fengmk2 fengmk2 requested review from a team and Copilot October 18, 2025 14:16
@fengmk2 fengmk2 added the bug label Oct 18, 2025
Copilot AI reviewed Oct 18, 2025
View reviewed changes
Copy link
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull Request Overview

This PR fixes a security vulnerability related to the "Trailing Double-Slash" attack vector in the back() method. Previously, the code had a special case that directly redirected relative paths without proper validation, which could be exploited using URLs like //evil.com that appear relative but are actually protocol-relative URLs.

Key changes:

  • Removed the early return for relative path referrers, forcing all referrers through URL parsing and same-origin validation
  • Added test coverage for the security fix to prevent regression
  • Updated existing tests to include proper context with host information

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

File Description
lib/response.js Removed unsafe early return for relative path referrers, now all referrers are validated through URL parsing
tests/response/back.test.js Added security test case for double-slash attack and updated existing tests with proper host context

Tip: Customize your code reviews with copilot-instructions.md. Create the file or learn how to get started.

fengmk2 and others added 3 commits October 18, 2025 22:17
@fengmk2
Update __tests__/response/back.test.js
48ef053 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@fengmk2
Update __tests__/response/back.test.js
66611cb 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
@fengmk2
FIXUP
846373a
@codecov
Copy link

codecov bot commented Oct 18, 2025
edited
Loading

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.90%. Comparing base (433b20c) to head (846373a).
⚠️ Report is 1 commits behind head on master.

Additional details and impacted files 
@@            Coverage Diff             @@
##           master    #1908      +/-   ##
==========================================
- Coverage   99.90%   99.90%   -0.01%     
==========================================
  Files           9        9              
  Lines        2066     2060       -6     
==========================================
- Hits         2064     2058       -6     
  Misses          2        2

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
  • 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

@fengmk2 fengmk2 merged commit 769fd75 into master Oct 18, 2025
6 checks passed
@fengmk2 fengmk2 deleted the fix-GHSA-g8mr-fgfg-5qpc branch October 18, 2025 14:20
fengmk2 added a commit that referenced this pull request Oct 18, 2025
@fengmk2
fix: normalize referer before redirect
da682df 
pick from #1908
@fengmk2 fengmk2 mentioned this pull request Oct 18, 2025
Merged
fengmk2 added a commit that referenced this pull request Oct 18, 2025
@fengmk2
fix: normalize referer before redirect (#1909)
7af5268 
pick from #1908
fengmk2 added a commit to eggjs/egg that referenced this pull request Oct 23, 2025
@fengmk2
fix: normalize referer before redirect
f621138 
pick from koajs/koa#1908
@fengmk2 fengmk2 mentioned this pull request Oct 23, 2025
Merged
fengmk2 added a commit to eggjs/egg that referenced this pull request Oct 23, 2025
@fengmk2
fix: normalize referer before redirect (#5640)
03f66dc 
pick from koajs/koa#1908

<!-- This is an auto-generated comment: release notes by coderabbit.ai
-->
## Summary by CodeRabbit

* **Bug Fixes**
* Redirect "back" now only honors same-origin absolute referrers and
falls back safely for protocol-relative or unsafe referrers.

* **Tests**
* Expanded redirect-back test coverage (origin validation, referer
variations, host-context cases).
  * Marked flaky cluster tests to skip on Windows.
<!-- end of auto-generated comment: release notes by coderabbit.ai -->

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
riturajjain2000 pushed a commit to riturajjain2000/koa that referenced this pull request Dec 10, 2025
@fengmk2 @riturajjain2000
fix: normalize referer before redirect (koajs#1908)
7fd1e79 
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

Assignees

No one assigned

Labels

bug

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@fengmk2