From 2075d41ab350587cfabb7dff82fd3fce4f822c3f Mon Sep 17 00:00:00 2001
From: Dorian Niemiec
Date: Sat, 24 Aug 2024 20:44:43 +0200
Subject: [PATCH] Fix URL sanitiation and rewriting-related functions removing query strings and hashes.
---
 src/middleware/redirectTrailingSlashes.js | 13 +------------
 src/middleware/rewriteURL.js | 12 +-----------
 src/middleware/urlSanitizer.js | 12 +-----------
 src/middleware/webRootPostfixes.js | 11 +----------
 4 files changed, 4 insertions(+), 44 deletions(-)
diff --git a/src/middleware/redirectTrailingSlashes.js b/src/middleware/redirectTrailingSlashes.js
index af29b7a..74848b5 100644
--- a/src/middleware/redirectTrailingSlashes.js
+++ b/src/middleware/redirectTrailingSlashes.js
@@ -1,5 +1,4 @@
 const fs = require("fs");
-const url = require("url");
 module.exports = (req, res, logFacilities, config, next) => {
 // Trailing slash redirection
@@ -21,17 +20,7 @@ module.exports = (req, res, logFacilities, config, next) => {
 res.error(500, err);
 }
 } else {
- var destinationURL = new url.Url();
- destinationURL.path = null;
- destinationURL.href = null;
- destinationURL.pathname = req.originalParsedURL.pathname + "/";
- destinationURL.hostname = null;
- destinationURL.host = null;
- destinationURL.port = null;
- destinationURL.protocol = null;
- destinationURL.slashes = null;
- destinationURL = url.format(destinationURL);
- res.redirect(destinationURL);
+ res.redirect(req.originalParsedURL.pathname + "/" + req.parsedURL.search + req.parsedURL.hash);
 }
 },
 );
diff --git a/src/middleware/rewriteURL.js b/src/middleware/rewriteURL.js
index 4858bdf..3d3ff08 100644
--- a/src/middleware/rewriteURL.js
+++ b/src/middleware/rewriteURL.js
@@ -1,5 +1,4 @@
 const fs = require("fs");
-const url = require("url");
 const createRegex = require("../utils/createRegex.js");
 const ipMatch = require("../utils/ipMatch.js");
 const sanitizeURL = require("../utils/urlSanitizer.js");
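Review bot: In src/middleware/redirectTrailingSlashes.js, the added `res.redirect(...)` line takes the path from `req.originalParsedURL` but the query string and fragment from `req.parsedURL`, so if an earlier rewrite changed the query, the client is redirected to the original path with the rewritten query. Reading all three parts from one object avoids that, e.g. `res.redirect(req.originalParsedURL.pathname + "/" + req.originalParsedURL.search + req.originalParsedURL.hash);`, assuming `originalParsedURL` carries `search` and `hash` the way `parsedURL` does. The value is also sent as a redirect target with no check on its leading characters: a pathname beginning with `//` is read by clients as a scheme-relative URL naming another host, and whether earlier middleware already rules that out is not visible in this hunk. The enclosing callback starts and ends outside the hunk.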
@@ -126,16 +125,7 @@ module.exports = (req, res, logFacilities, config, next) => {
 logFacilities.errmessage("Content blocked.");
 return;
 } else if (sHref != req.parsedURL.pathname) {
- var rewrittenAgainURL = new url.Url();
- rewrittenAgainURL.path = null;
- rewrittenAgainURL.href = null;
- rewrittenAgainURL.pathname = sHref;
- rewrittenAgainURL.hostname = null;
- rewrittenAgainURL.host = null;
- rewrittenAgainURL.port = null;
- rewrittenAgainURL.protocol = null;
- rewrittenAgainURL.slashes = null;
- rewrittenAgainURL = url.format(rewrittenAgainURL);
+ var rewrittenAgainURL = sHref + req.parsedURL.search + req.parsedURL.hash;
 logFacilities.resmessage(
 "URL sanitized: " + req.url + " => " + rewrittenAgainURL,
 );
diff --git a/src/middleware/urlSanitizer.js b/src/middleware/urlSanitizer.js
index 7c3e1a9..09cef4d 100644
--- a/src/middleware/urlSanitizer.js
+++ b/src/middleware/urlSanitizer.js
@@ -1,5 +1,4 @@
 const sanitizeURL = require("../utils/urlSanitizer.js");
-const url = require("url");
 module.exports = (req, res, logFacilities, config, next) => {
 // Sanitize URL
@@ -12,16 +11,7 @@ module.exports = (req, res, logFacilities, config, next) => {
 // Check if URL is "dirty"
 if (req.parsedURL.pathname != sanitizedHref && !req.isProxy) {
- let sanitizedURL = new url.Url();
- sanitizedURL.path = null;
- sanitizedURL.href = null;
- sanitizedURL.pathname = sanitizedHref;
- sanitizedURL.hostname = null;
- sanitizedURL.host = null;
- sanitizedURL.port = null;
- sanitizedURL.protocol = null;
- sanitizedURL.slashes = null;
- sanitizedURL = url.format(sanitizedURL);
+ let sanitizedURL = sanitizedHref + req.parsedURL.search + req.parsedURL.hash;
 logFacilities.resmessage(
 "URL sanitized: " + req.url + " => " + sanitizedURL,
 );
diff --git a/src/middleware/webRootPostfixes.js b/src/middleware/webRootPostfixes.js
index e41a096..592e7dd 100644
--- a/src/middleware/webRootPostfixes.js
+++ b/src/middleware/webRootPostfixes.js
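Review bot: In src/middleware/rewriteURL.js, the new `sHref + req.parsedURL.search + req.parsedURL.hash` drops the escaping that the removed `url.format()` call applied to the path: legacy `url.format()` percent-encodes `?` and `#` found inside `pathname`, while plain concatenation leaves them as delimiters. If `sanitizeURL` can return a path holding a literal `?` or `#` (its implementation is not shown here), the rewritten URL is re-parsed with a different path/query boundary than the one that was just sanitized. Escaping the path before joining keeps the old behaviour: `var rewrittenAgainURL = sHref.replace(/[?#]/g, encodeURIComponent) + req.parsedURL.search + req.parsedURL.hash;`. The same expression is added in src/middleware/urlSanitizer.js and src/middleware/webRootPostfixes.js. The surrounding `else if` branch continues past the end of the hunk.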
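Review bot: In src/middleware/urlSanitizer.js, `sanitizedURL` is still declared with `let` although the visible lines now assign it only once; the removed code needed the reassignment for its `url.format()` step, the new line does not. `const sanitizedURL = sanitizedHref + req.parsedURL.search + req.parsedURL.hash;` says so directly, provided nothing past the end of the hunk reassigns it. The matching variable is `let` in src/middleware/webRootPostfixes.js and `var` in src/middleware/rewriteURL.js, so the three declarations could be aligned in the same pass.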
@@ -113,16 +113,7 @@ module.exports = (req, res, logFacilities, config, next) => {
 logFacilities.errmessage("Content blocked.");
 return;
 } else if (sHref != req.parsedURL.pathname) {
- var rewrittenAgainURL = new url.Url();
- rewrittenAgainURL.path = null;
- rewrittenAgainURL.href = null;
- rewrittenAgainURL.pathname = sHref;
- rewrittenAgainURL.hostname = null;
- rewrittenAgainURL.host = null;
- rewrittenAgainURL.port = null;
- rewrittenAgainURL.protocol = null;
- rewrittenAgainURL.slashes = null;
- rewrittenAgainURL = url.format(rewrittenAgainURL);
+ let rewrittenAgainURL = sHref + req.parsedURL.search + req.parsedURL.hash;
 logFacilities.resmessage(
 "URL sanitized: " + req.url + " => " + rewrittenAgainURL,
 );
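Review bot: The path-plus-query join assigned to `rewrittenAgainURL` is now written out by hand in four middleware files, with no comment stating what `req.parsedURL.search` and `req.parsedURL.hash` hold when the request has no query or fragment. If the parser can leave either as null rather than an empty string (not visible in this hunk), the concatenation would append the text `null` to the URL; `(req.parsedURL.search || "")` guards against that. A small shared helper under src/utils that builds the relative URL from a path and `req.parsedURL` would give one documented place for that default and for any path escaping. The surrounding branch continues outside the hunk.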