Address open redirect vulnerability

Author: kevin-bates

jupyter_server/base/handlers.py

@@ -776,9 +776,12 @@ class TrailingSlashHandler(web.RequestHandler):
     """
 
     def get(self):
-        uri = self.request.path.rstrip("/")
-        if uri:
-            self.redirect('?'.join((uri, self.request.query)))
+        path, *rest = self.request.uri.partition("?")
+        # trim trailing *and* leading /
+        # to avoid misinterpreting repeated '//'
+        path = "/" + path.strip("/")
+        new_uri = "".join([path, *rest])
+        self.redirect(new_uri)
 
     post = put = get
 

tests/test_paths.py

@@ -1,5 +1,6 @@
 import re
-
+import pytest
+import tornado
 from jupyter_server.base.handlers import path_regex
 
 
@@ -29,3 +30,29 @@ def test_path_regex_bad():
         '/y/x/foo',
     ):
         assert re.match(path_pat, path) is None
+
+
+@pytest.mark.parametrize(
+    'uri,expected',
+    [
+        ("/notebooks/mynotebook/", "/notebooks/mynotebook"),
+        ("////foo///", "/foo"),
+        ("//example.com/", "/example.com"),
+        ("/has/param/?hasparam=true", "/has/param?hasparam=true"),
+    ]
+)
+async def test_trailing_slash(uri, expected, http_server_client, auth_header, base_url):
+    # http_server_client raises an exception when follow_redirects=False
+    with pytest.raises(tornado.httpclient.HTTPClientError) as err:
+        await http_server_client.fetch(
+            uri,
+            headers=auth_header,
+            request_timeout=20,
+            follow_redirects=False
+        )
+    # Capture the response from the raised exception value.
+    response = err.value.response
+    assert response.code == 302
+    assert "Location" in response.headers
+    assert response.headers["Location"] == expected
+    assert False