From a87adc3ba2ea8983f557e690af2d5cb71fca27e8 Mon Sep 17 00:00:00 2001
From: MarcoIeni <11428655+MarcoIeni@users.noreply.github.com>
Date: Thu, 30 Apr 2026 10:32:44 +0200
Subject: [PATCH] prevent open redirect in doc-router lambda
---
 .../release-distribution/lambdas/doc-router/index.js | 7 ++++++-
 .../release-distribution/lambdas/doc-router/test.mjs | 2 ++
 2 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/terragrunt/modules/release-distribution/lambdas/doc-router/index.js b/terragrunt/modules/release-distribution/lambdas/doc-router/index.js
index 70c07ee7b..d89393b6d 100644
--- a/terragrunt/modules/release-distribution/lambdas/doc-router/index.js
+++ b/terragrunt/modules/release-distribution/lambdas/doc-router/index.js
@@ -111,7 +111,12 @@ exports.handler = (event, context, callback) => {
 // Docs used to be under /doc, so redirect those for now
 if (request.uri.startsWith('/doc/')) {
- return redirect(request.uri.slice(4), callback);
+ // Collapse repeated slashes to prevent open redirect vulnerabilities.
+ // E.g. this prevents paths like `/doc//example.com` from redirecting
+ // to `https://example.com`.
+ const redirectTarget = request.uri.slice(4).replace(/\/+/g, '/');
+
+ return redirect(redirectTarget, callback);
 }
 // The `/stable`, `/beta`, and `/nightly` urls are all workable as-is
diff --git a/terragrunt/modules/release-distribution/lambdas/doc-router/test.mjs b/terragrunt/modules/release-distribution/lambdas/doc-router/test.mjs
index 140255570..01e7a9c1c 100644
--- a/terragrunt/modules/release-distribution/lambdas/doc-router/test.mjs
+++ b/terragrunt/modules/release-distribution/lambdas/doc-router/test.mjs
@@ -53,6 +53,8 @@ test("example expected redirects", async (t) => {
 // /doc
 { from: "/doc/std", to: "/std" },
 { from: "/doc/hello", to: "/hello" },
+ // Test that repeated slashes are collapsed to prevent open redirect vulnerabilities
+ { from: "/doc//example.com/something", to: "/example.com/something" },
 ];
 for (const redir of redirects) {
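Review bot: The `//` guard lives only at this one call site in the `/doc/` branch, so `redirect` still accepts whatever target a caller hands it. `redirect` and the handler's other branches are outside this hunk, so whether they pass URI-derived paths cannot be confirmed from here. Enforcing the invariant inside `redirect` (the target must start with exactly one `/`) would cover every caller at once. The pattern also leaves backslashes alone, and browsers treat `\` like `/` when resolving a `Location` value. If a literal backslash can reach `request.uri`, widening the line to `const redirectTarget = request.uri.slice(4).replace(/[\/\\]+/g, '/');` closes that as defence in depth.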
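Review bot: Only the leading double-slash case is pinned by the new entry in `redirects`, while the regex in `index.js` rewrites every run of slashes in the path. Adding `{ from: "/doc///example.com/something", to: "/example.com/something" },` and `{ from: "/doc/std//vec", to: "/std/vec" },` (both constructed examples) would cover longer runs and interior runs, the latter being a behaviour change for existing links. The `redirects` array and the loop that consumes it start and end outside this hunk, so how `to` is compared against the emitted `Location` value is not visible here.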