Merge pull request #64 from namecheap/fix/redirect-vulnerability-yet-another-case

fix: yet another case when redirect passes through due to url malformation

Author: wRLSS

package-lock.json

@@ -1,6 +1,6 @@
 {
   "name": "ilc-sdk",
-  "version": "5.2.1",
+  "version": "5.2.4",
   "description": "SDK for app development with Isomorphic Layout Composer",
   "main": "dist/server/index.js",
   "types": "dist/server/index.d.ts",

package.json

@@ -1,12 +1,12 @@
 export default function parseAsFullyQualifiedURI(uri: string) {
     let origin = '';
     try {
+        // Normalize multiple slashes to a single slash, but don't affect the initial "http://" or "https://"
+        uri = uri.replace(/([^:])\/{2,}/g, '$1/');
+
         const urlObj = new URL(uri);
         origin = urlObj.origin;
 
-        // Apply replacement only to the pathname, leaving the rest (search, hash) intact
-        urlObj.pathname = urlObj.pathname.replace(/\/{2,}/g, '/');
-
         uri = urlObj.pathname + urlObj.search + urlObj.hash;
     } catch {}
 

src/app/utils/parseAsFullyQualifiedURI.ts

@@ -199,6 +199,13 @@ describe('IlcIntl', () => {
             });
         });
 
+        it('returns locale with normalized route when multiple slashes are present', () => {
+            expect(IlcIntl.parseUrl(baseConfig, '/es///tst.com')).to.eql({
+                cleanUrl: '/tst.com',
+                locale: 'es-ES',
+            });
+        });
+
         it('returns locale with default culture when no culture present in the route', () => {
             expect(IlcIntl.parseUrl(baseConfig, '/es-MX/tst')).to.eql({
                 cleanUrl: '/tst',