leafo / lapis

A web framework for Lua and OpenResty written in MoonScript
http://leafo.net/lapis/
MIT License

Default Route - Open Redirect #771

Closed cycomachead closed 7 months ago

cycomachead commented 1 year ago

We've been flagged by some automated scanning tools for the open redirect issue on the default route -- it's currently a TODO in the code.

Thanks for providing the override example in docs! I've added the following line to our app's default_route

    self.req.parsed_url.path = string.gsub(self.req.parsed_url.path, '//', '/')

Is there any reason not to make this the default for lapis? I suppose I could do this only to the initial // in a URL, but it doesn't seem like // is really valid in URLs in general.

leafo commented 7 months ago

If // is showing up in your requests then you either have a bug with how you're generating URLs, or someone is just sending malformed URLs at your server, hence by default it returns 404.

The only case I think it's reasonable to mutate the URL by default and try again is for a trailing /, which a user may type themselves without knowing which is preferred by the server.
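An added illustration, not code from Lapis or from either commenter, of a default_route override that follows the stance above: a path containing `//` is treated as malformed and gets a 404 rather than being rewritten, and only a trailing `/` triggers a redirect. It also shows why a plain `gsub('//', '/')` is not enough on its own (`///host` collapses only to `//host`). The `self.req.parsed_url`, `self:build_url` and `self.app.handle_404` names are assumed from the Lapis docs' override example.

```lua
-- Decide what a default route should do for an unmatched path.
-- Returns a table with either `status = 404` or `redirect_to`/`status`.
local function classify_path(path)
  -- Any repeated slash is malformed input; never try to "repair" it,
  -- because a path such as //evil.example would otherwise be sent back
  -- as a redirect target that browsers read as protocol-relative.
  if path:find("//", 1, true) then
    return { status = 404 }
  end
  -- The one redirect worth doing: a trailing slash the user may have typed.
  if #path > 1 and path:sub(-1) == "/" then
    return { redirect_to = path:sub(1, -2), status = 301 }
  end
  return { status = 404 }
end

-- Caveat about the single-pair gsub from the issue: it leaves "///" as "//".
-- Collapsing runs with "/+" is the pattern to use if you do want rewriting.
local function collapse_slashes(path)
  local collapsed = path:gsub("/+", "/") -- gsub's second return value is dropped
  return collapsed
end

-- Hook into a Lapis app (assumed API: app.default_route receives the request).
local function install_default_route(app)
  app.default_route = function(self)
    local action = classify_path(self.req.parsed_url.path)
    if action.redirect_to then
      -- build_url makes the redirect absolute on this host, with the query kept
      local target = self:build_url(action.redirect_to,
        { query = self.req.parsed_url.query })
      return { redirect_to = target, status = action.status }
    end
    return self.app.handle_404(self)
  end
end

-- Self-checks with constructed paths
assert(classify_path("//evil.example/").status == 404)
assert(classify_path("/about/").redirect_to == "/about")
assert(classify_path("/").status == 404)
assert(("///evil.example"):gsub("//", "/") == "//evil.example")
assert(collapse_slashes("///evil.example") == "/evil.example")

return { classify_path = classify_path, install_default_route = install_default_route }
```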