DorianNiemiecSVRJS/svrjs
Archived
1
0
Fork 0
forked from svrjs/svrjs
Code Pull requests Activity

Fix URL sanitiation and rewriting-related functions removing query strings and hashes.

Browse source
This commit is contained in:
Dorian Niemiec 2024-08-24 20:44:43 +02:00
parent 3613aa92d2
commit 2075d41ab3
4 changed files with 4 additions and 44 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

13
src/middleware/redirectTrailingSlashes.js
View file

@ -1,5 +1,4 @@
const fs = require("fs");
const url = require("url");
module.exports = (req, res, logFacilities, config, next) => {
// Trailing slash redirection
@ -21,17 +20,7 @@ module.exports = (req, res, logFacilities, config, next) => {
res.error(500, err);
}
} else {
var destinationURL = new url.Url();
destinationURL.path = null;
destinationURL.href = null;
destinationURL.pathname = req.originalParsedURL.pathname + "/";
destinationURL.hostname = null;
destinationURL.host = null;
destinationURL.port = null;
destinationURL.protocol = null;
destinationURL.slashes = null;
destinationURL = url.format(destinationURL);
res.redirect(destinationURL);
res.redirect(req.originalParsedURL.pathname + "/" + req.parsedURL.search + req.parsedURL.hash);
}
},
);

12
src/middleware/rewriteURL.js
View file

@ -1,5 +1,4 @@
const fs = require("fs");
const url = require("url");
const createRegex = require("../utils/createRegex.js");
const ipMatch = require("../utils/ipMatch.js");
const sanitizeURL = require("../utils/urlSanitizer.js");
@ -126,16 +125,7 @@ module.exports = (req, res, logFacilities, config, next) => {
logFacilities.errmessage("Content blocked.");
return;
} else if (sHref != req.parsedURL.pathname) {
var rewrittenAgainURL = new url.Url();
rewrittenAgainURL.path = null;
rewrittenAgainURL.href = null;
rewrittenAgainURL.pathname = sHref;
rewrittenAgainURL.hostname = null;
rewrittenAgainURL.host = null;
rewrittenAgainURL.port = null;
rewrittenAgainURL.protocol = null;
rewrittenAgainURL.slashes = null;
rewrittenAgainURL = url.format(rewrittenAgainURL);
var rewrittenAgainURL = sHref + req.parsedURL.search + req.parsedURL.hash;
logFacilities.resmessage(
"URL sanitized: " + req.url + " => " + rewrittenAgainURL,
);

12
src/middleware/urlSanitizer.js
View file

@ -1,5 +1,4 @@
const sanitizeURL = require("../utils/urlSanitizer.js");
const url = require("url");
module.exports = (req, res, logFacilities, config, next) => {
// Sanitize URL
@ -12,16 +11,7 @@ module.exports = (req, res, logFacilities, config, next) => {
// Check if URL is "dirty"
if (req.parsedURL.pathname != sanitizedHref && !req.isProxy) {
let sanitizedURL = new url.Url();
sanitizedURL.path = null;
sanitizedURL.href = null;
sanitizedURL.pathname = sanitizedHref;
sanitizedURL.hostname = null;
sanitizedURL.host = null;
sanitizedURL.port = null;
sanitizedURL.protocol = null;
sanitizedURL.slashes = null;
sanitizedURL = url.format(sanitizedURL);
let sanitizedURL = sanitizedHref + req.parsedURL.search + req.parsedURL.hash;
logFacilities.resmessage(
"URL sanitized: " + req.url + " => " + sanitizedURL,
);

11
src/middleware/webRootPostfixes.js
View file

@ -113,16 +113,7 @@ module.exports = (req, res, logFacilities, config, next) => {
logFacilities.errmessage("Content blocked.");
return;
} else if (sHref != req.parsedURL.pathname) {
var rewrittenAgainURL = new url.Url();
rewrittenAgainURL.path = null;
rewrittenAgainURL.href = null;
rewrittenAgainURL.pathname = sHref;
rewrittenAgainURL.hostname = null;
rewrittenAgainURL.host = null;
rewrittenAgainURL.port = null;
rewrittenAgainURL.protocol = null;
rewrittenAgainURL.slashes = null;
rewrittenAgainURL = url.format(rewrittenAgainURL);
let rewrittenAgainURL = sHref + req.parsedURL.search + req.parsedURL.hash;
logFacilities.resmessage(
"URL sanitized: " + req.url + " => " + rewrittenAgainURL,
);