[#71630] Ensure redirects in the API without security issues

Author: judithroth

lib/api/helpers/historical_identifier_redirect.rb

@@ -54,16 +54,29 @@ def redirect_if_historical_identifier(identifier_param, project)
         # Only redirect if:
         # 1. The parameter is a friendly_id slug (not numeric ID)
         # 2. The parameter doesn't match the project's current identifier
-        if param_value.friendly_id? && param_value != project.identifier
-          # Reconstruct the current URL with the new identifier
-          # Handle both path parameters (e.g., /workspaces/old-id) and query parameters (e.g., ?of=old-id)
-          new_url = request.url.sub(
-            /([?&]#{identifier_param}=|\/)(#{Regexp.escape(param_value)})(\b|&|$)/,
-            "\\1#{project.identifier}\\3"
+        if request.get? && param_value.friendly_id? && param_value != project.identifier
+          # Reconstruct only the path and query string, not the full URL
+          # This prevents Host header injection and open redirect attacks
+          path = request.path
+          query_string = request.query_string
+
+          # Replace the old identifier in the path
+          new_path = path.sub(
+            %r{(/)#{Regexp.escape(param_value)}(/|$)},
+            "\\1#{project.identifier}\\2"
           )
 
-          # Return 301 Moved Permanently
-          redirect new_url, permanent: true
+          # Replace the old identifier in query parameters if present
+          if query_string.present?
+            new_query_string = query_string.gsub(
+              /(\A|&)#{Regexp.escape(identifier_param.to_s)}=#{Regexp.escape(param_value)}(&|\z)/,
+              "\\1#{identifier_param}=#{CGI.escape(project.identifier)}\\2"
+            )
+            new_path += "?#{new_query_string}"
+          end
+
+          # Return 301 Moved Permanently with path-only redirect
+          redirect new_path, permanent: true
         end
       end
     end