Closed
Description
I just created and deployed a blank project using the instructions from the docs
```sh
pnpm create next-app
pnpm create sst
pnpm sst deploy --stage redirect-test
```
with the settings below.
Without changing any of the code I deployed to https://d2layld3p8p37s.cloudfront.net/
https://d2layld3p8p37s.cloudfront.net//evil.com/ results in a redirect to evil.com, which would obviously allow a malicious user to take advantage of my domain name to forward people to potentially dangerous URLs.
Note the trailing slash. It must have something to do with the trailing slash, because without the trailing slash it works properly and 404s.
Improper redirect: https://d2layld3p8p37s.cloudfront.net//evil.com/
Proper 404 behaviour: https://d2layld3p8p37s.cloudfront.net//evil.com
This is using:
```json
"sst": "^2.40.1",
"next": "14.1.0",
```
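The behaviour reported above is consistent with a trailing-slash normalizer that echoes the request path into the `Location` header: stripping the slash from `//evil.com/` leaves `//evil.com`, which browsers treat as a scheme-relative URL on another host. The following is an added example, not code from this issue, SST or Next.js, and it assumes that mechanism; the function names and the `example.invalid` origin are hypothetical. It shows the naive normalizer beside a hardened one that collapses leading slashes and confirms the target stays on the same origin.

```javascript
// Added example (assumed mechanism, not the project's own code).
// Vulnerable: echoes the path minus its trailing slash straight into Location.
// "//evil.com/" -> "//evil.com", which a browser resolves to https://evil.com.
function naiveStripTrailingSlash(pathname) {
  if (pathname.length > 1 && pathname.endsWith('/')) {
    return pathname.slice(0, -1);
  }
  return null; // no redirect needed
}

// Hardened: the redirect target must be an absolute path on this origin.
function safeStripTrailingSlash(pathname) {
  if (!(pathname.length > 1 && pathname.endsWith('/'))) return null;
  let target = pathname.slice(0, -1);
  // Collapse any run of leading slashes (and backslashes, which browsers
  // normalize to slashes for http(s) URLs) down to a single "/".
  target = '/' + target.replace(/^[\/\\]+/, '');
  // Defence in depth: resolve against a placeholder origin and refuse
  // anything the URL parser would send elsewhere.
  const origin = 'https://example.invalid'; // hypothetical origin
  const resolved = new URL(target, origin);
  if (resolved.origin !== origin) return null;
  return resolved.pathname;
}

// Classifies a Location value the way a browser would: an explicit scheme
// or a leading "//" means the redirect leaves the current origin.
function isExternalLocation(location) {
  return /^[a-z][a-z0-9+.-]*:/i.test(location) || /^[\/\\]{2}/.test(location);
}
```

A cheap regression check for a deployment is to request `//<any-host>/` and assert the response is a 404 or a redirect whose `Location` starts with a single `/`.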