Fix potential open redirect when mounted at root

fixes #26

Author: dougwilson

HISTORY.md

@@ -1,3 +1,8 @@
+unreleased
+==========
+
+  * Fix potential open redirect when mounted at root
+
 1.7.1 / 2014-10-22
 ==================
 

index.js

@@ -79,10 +79,13 @@ exports = module.exports = function serveStatic(root, options) {
           return next()
         }
 
-        originalUrl.pathname += '/'
+        // append trailing slash
+        originalUrl.pathname = collapseLeadingSlashes(originalUrl.pathname + '/')
 
+        // reformat the URL
         var target = url.format(originalUrl)
 
+        // send redirect response
         res.statusCode = 303
         res.setHeader('Content-Type', 'text/html; charset=utf-8')
         res.setHeader('Location', target)
@@ -116,3 +119,19 @@ exports = module.exports = function serveStatic(root, options) {
  */
 
 exports.mime = send.mime
+
+/**
+ * Collapse all leading slashes into a single slash
+ * @private
+ */
+function collapseLeadingSlashes(str) {
+  for (var i = 0; i < str.length; i++) {
+    if (str[i] !== '/') {
+      break
+    }
+  }
+
+  return i > 1
+    ? '/' + str.substr(i)
+    : str
+}

test/test.js

@@ -259,6 +259,13 @@ describe('serveStatic()', function(){
       .expect(303, done)
     })
 
+    it('should not redirect to protocol-relative locations', function (done) {
+      request(server)
+      .get('//users')
+      .expect('Location', '/users/')
+      .expect(303, done)
+    })
+
     it('should not redirect incorrectly', function (done) {
       request(server)
       .get('/')
@@ -532,7 +539,7 @@ describe('serveStatic()', function(){
     it('should not choke on auth-looking URL', function(done){
       request(server)
       .get('//todo@txt')
-      .expect('Location', '//todo@txt/')
+      .expect('Location', '/todo@txt/')
       .expect(303, done);
     });
   });