Remove multiple slashes from asset pathing

WillTaylorDev · WillTaylorDev · commit 0e06721a6b85 · 2024-11-21T14:17:17.000-05:00
diff --git a/.changeset/cyan-laws-mate.md b/.changeset/cyan-laws-mate.md
@@ -0,0 +1,5 @@
+---
+"@cloudflare/workers-shared": minor
+---
+
+Prevent same-schema attacks
diff --git a/packages/workers-shared/asset-worker/src/handler.ts b/packages/workers-shared/asset-worker/src/handler.ts
@@ -19,8 +19,8 @@ export const handleRequest = async (
 	const { pathname, search } = new URL(request.url);
 
 	let decodedPathname = decodePath(pathname);
-	// normalize the path
-	decodedPathname = decodedPathname.replaceAll('//', '/');
+	// normalize the path; remove multiple slashes which could lead to same-schema redirects
+	decodedPathname = decodedPathname.replace(/\/+/g, "/");
 
 	const intent = await getIntent(decodedPathname, configuration, exists);
 
@@ -45,8 +45,6 @@ export const handleRequest = async (
 	 * We combine this with other redirects (e.g. for html_handling) to avoid multiple redirects.
 	 */
 	if (encodedDestination !== pathname || intent.redirect) {
-		console.log(encodedDestination, pathname);
-
 		return new TemporaryRedirectResponse(encodedDestination + search);
 	}
 
@@ -643,8 +641,6 @@ const safeRedirect = async (
 		return null;
 	}
 
-	console.log(file, destination, configuration);
-
 	if (!(await exists(destination))) {
 		const intent = await getIntent(destination, configuration, exists, true);
 		// return only if the eTag matches - i.e. not the 404 case
diff --git a/packages/workers-shared/asset-worker/tests/handler.test.ts b/packages/workers-shared/asset-worker/tests/handler.test.ts
@@ -115,9 +115,8 @@ describe("[Asset Worker] `handleRequest`", () => {
 			exists,
 			getByETag
 		);
-
 		expect(response.status).toBe(307);
-		expect(response.headers.get('location')).toBe('/abc/def/123/456');
+		expect(response.headers.get("location")).toBe("/abc/def/123/456");
 
 		response = await handleRequest(
 			new Request("https://example.com/%2fexample.com/"),
@@ -127,6 +126,16 @@ describe("[Asset Worker] `handleRequest`", () => {
 		);
 
 		expect(response.status).toBe(307);
-		expect(response.headers.get('location')).toBe('/example.com/');
+		expect(response.headers.get("location")).toBe("/example.com/");
+
+		response = await handleRequest(
+			new Request("https://example.com/%2f%2f%2fexample.com/%2f/foo"),
+			configuration,
+			exists,
+			getByETag
+		);
+
+		expect(response.status).toBe(307);
+		expect(response.headers.get("location")).toBe("/example.com/foo");
 	});
 });
