Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

if "\@" in url ,the redirect result doesn't match the host of the new URL() #1800

Closed
FDrag0n opened this issue Jan 17, 2024 · 2 comments · Fixed by #1803 or #1804
Closed

if "\@" in url ,the redirect result doesn't match the host of the new URL() #1800

FDrag0n opened this issue Jan 17, 2024 · 2 comments · Fixed by #1803 or #1804
Assignees
@fengmk2
Labels
bug

Comments

@FDrag0n
Copy link
Contributor

FDrag0n commented Jan 17, 2024
edited
Loading

koa/lib/response.js

Line 269 in 5f15941

this.set('Location', encodeUrl(url))

image

Developer often use new URL() host to verify the redirected url, but here the encodeurl will cause the host verification to fail, thus creating a URL hopping vulnerability
@FDrag0n
Copy link
Contributor Author

FDrag0n commented Jan 17, 2024

image

@fengmk2 fengmk2 mentioned this issue Mar 15, 2024
Merged
@fengmk2 fengmk2 linked a pull request Mar 15, 2024 that will close this issue
fix: formatting redirect url on http(s) protocol url #1803
Merged
@fengmk2 fengmk2 self-assigned this Mar 15, 2024
@fengmk2 fengmk2 added the bug label Mar 15, 2024
fengmk2 added a commit that referenced this issue Mar 15, 2024
@fengmk2
fix: formatting redirect url on http(s) protocol url
926243b 
closes #1800

pick from #1803
@fengmk2 fengmk2 mentioned this issue Mar 15, 2024
Merged
fengmk2 added a commit that referenced this issue Mar 15, 2024
@fengmk2
fix: formatting redirect url on http(s) protocol url (#1804)
435534a 
closes #1800

pick from #1803
@FDrag0n
Copy link
Contributor Author

FDrag0n commented Mar 15, 2024

Great fix fit, thanks!

This was referenced Mar 15, 2024
Closed
Merged
kodiakhq bot referenced this issue in X-oss-byte/Nextjs Mar 26, 2024
@renovate
Update dependency express to v4.19.2 [SECURITY] (#1614)
348d420 
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [express](http://expressjs.com/) ([source](https://github.com/expressjs/express)) | [`4.18.3` -> `4.19.2`](https://renovatebot.com/diffs/npm/express/4.18.3/4.19.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/express/4.18.3/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/express/4.18.3/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-29041](https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc)

### Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.

The main method impacted is `res.location()` but this is also called from within `res.redirect()`.

### Patches

expressjs/express@0867302
expressjs/express@0b74695

An initial fix went out with `[email protected]`, we then patched a feature regression in `4.19.1` and added improved handling for the bypass in `4.19.2`.

### Workarounds

The fix for this involves pre-parsing the url string with either `require('node:url').parse` or `new URL`. These are steps you can take on your own before passing the user input string to `res.location` or `res.redirect`.

### References

[https://github.com/expressjs/express/pull/5539](https://github.com/expressjs/express/pull/5539)
[https://github.com/koajs/koa/issues/1800](https://github.com/koajs/koa/issues/1800)
https://expressjs.com/en/4x/api.html#res.location

---

### Release Notes

<details>
<summary>expressjs/express (express)</summary>

### [`v4.19.2`](https://github.com/expressjs/express/blob/HEAD/History.md#4192--2024-03-25)

[Compare Source](https://github.com/expressjs/express/compare/4.19.1...4.19.2)

\==========

-   Improved fix for open redirect allow list bypass

### [`v4.19.1`](https://github.com/expressjs/express/blob/HEAD/History.md#4191--2024-03-20)

[Compare Source](https://github.com/expressjs/express/compare/4.19.0...4.19.1)

\==========

-   Allow passing non-strings to res.location with new encoding handling checks

### [`v4.19.0`](https://github.com/expressjs/express/compare/4.18.3...83e77aff6a3859d58206f3ff9501277023c03f87)

[Compare Source](https://github.com/expressjs/express/compare/4.18.3...4.19.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/X-oss-byte/Nextjs).
Brooooooklyn referenced this issue in toeverything/AFFiNE Mar 26, 2024
@renovate
chore: bump up express version to v4.19.2 [SECURITY] (#6308)
2662ba7 
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [express](http://expressjs.com/) ([source](https://github.com/expressjs/express)) | [`4.18.2` -> `4.19.2`](https://renovatebot.com/diffs/npm/express/4.18.2/4.19.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-29041](https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc)

### Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.

The main method impacted is `res.location()` but this is also called from within `res.redirect()`.

### Patches

expressjs/express@0867302
expressjs/express@0b74695

An initial fix went out with `[email protected]`, we then patched a feature regression in `4.19.1` and added improved handling for the bypass in `4.19.2`.

### Workarounds

The fix for this involves pre-parsing the url string with either `require('node:url').parse` or `new URL`. These are steps you can take on your own before passing the user input string to `res.location` or `res.redirect`.

### References

[https://github.com/expressjs/express/pull/5539](https://github.com/expressjs/express/pull/5539)
[https://github.com/koajs/koa/issues/1800](https://github.com/koajs/koa/issues/1800)
https://expressjs.com/en/4x/api.html#res.location

---

### Release Notes

<details>
<summary>expressjs/express (express)</summary>

### [`v4.19.2`](https://github.com/expressjs/express/blob/HEAD/History.md#4192--2024-03-25)

[Compare Source](https://github.com/expressjs/express/compare/4.19.1...4.19.2)

\==========

-   Improved fix for open redirect allow list bypass

### [`v4.19.1`](https://github.com/expressjs/express/blob/HEAD/History.md#4191--2024-03-20)

[Compare Source](https://github.com/expressjs/express/compare/4.19.0...4.19.1)

\==========

-   Allow passing non-strings to res.location with new encoding handling checks

### [`v4.19.0`](https://github.com/expressjs/express/compare/4.18.3...83e77aff6a3859d58206f3ff9501277023c03f87)

[Compare Source](https://github.com/expressjs/express/compare/4.18.3...4.19.0)

### [`v4.18.3`](https://github.com/expressjs/express/blob/HEAD/History.md#4183--2024-02-26)

[Compare Source](https://github.com/expressjs/express/compare/4.18.2...4.18.3)

\==========

-   Fix routing requests without method
-   deps: [email protected]
    -   Fix strict json error message on Node.js 19+
    -   deps: content-type@~1.0.5
    -   deps: [email protected]

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these updates again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/toeverything/AFFiNE).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoiY2FuYXJ5In0=-->
renovate bot referenced this issue in Unleash/unleash Mar 26, 2024
@renovate
fix(deps): update dependency express to v4.19.2 [security] (#6693)
91b3336 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [express](http://expressjs.com/)
([source](https://github.com/expressjs/express)) | [`4.18.3` ->
`4.19.2`](https://renovatebot.com/diffs/npm/express/4.18.3/4.19.2) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/express/4.18.3/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/express/4.18.3/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-29041](https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc)

### Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta
versions before 5.0.0-beta.3 are affected by an open redirect
vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL
Express performs an encode [using
`encodeurl`](https://github.com/pillarjs/encodeurl) on the contents
before passing it to the `location` header. This can cause malformed
URLs to be evaluated in unexpected ways by common redirect allow list
implementations in Express applications, leading to an Open Redirect via
bypass of a properly implemented allow list.

The main method impacted is `res.location()` but this is also called
from within `res.redirect()`.

### Patches


expressjs/express@0867302

expressjs/express@0b74695

An initial fix went out with `[email protected]`, we then patched a feature
regression in `4.19.1` and added improved handling for the bypass in
`4.19.2`.

### Workarounds

The fix for this involves pre-parsing the url string with either
`require('node:url').parse` or `new URL`. These are steps you can take
on your own before passing the user input string to `res.location` or
`res.redirect`.

### References


[https://github.com/expressjs/express/pull/5539](https://github.com/expressjs/express/pull/5539)

[https://github.com/koajs/koa/issues/1800](https://github.com/koajs/koa/issues/1800)
https://expressjs.com/en/4x/api.html#res.location

---

### Release Notes

<details>
<summary>expressjs/express (express)</summary>

###
[`v4.19.2`](https://github.com/expressjs/express/blob/HEAD/History.md#4192--2024-03-25)

[Compare
Source](https://github.com/expressjs/express/compare/4.19.1...4.19.2)

\==========

-   Improved fix for open redirect allow list bypass

###
[`v4.19.1`](https://github.com/expressjs/express/blob/HEAD/History.md#4191--2024-03-20)

[Compare
Source](https://github.com/expressjs/express/compare/4.19.0...4.19.1)

\==========

- Allow passing non-strings to res.location with new encoding handling
checks

###
[`v4.19.0`](https://github.com/expressjs/express/compare/4.18.3...83e77aff6a3859d58206f3ff9501277023c03f87)

[Compare
Source](https://github.com/expressjs/express/compare/4.18.3...4.19.0)

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone Europe/Madrid,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/Unleash/unleash).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
@debricked debricked bot mentioned this issue Mar 27, 2024
Open
renovate bot referenced this issue in apollographql/apollo-server Mar 28, 2024
@renovate
chore(deps): update dependency express to v4.19.2 [security] (#7859)
5cf2928 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [express](http://expressjs.com/)
([source](https://github.com/expressjs/express)) | [`4.18.2` ->
`4.19.2`](https://renovatebot.com/diffs/npm/express/4.18.2/4.19.2) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-29041](https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc)

### Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta
versions before 5.0.0-beta.3 are affected by an open redirect
vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL
Express performs an encode [using
`encodeurl`](https://github.com/pillarjs/encodeurl) on the contents
before passing it to the `location` header. This can cause malformed
URLs to be evaluated in unexpected ways by common redirect allow list
implementations in Express applications, leading to an Open Redirect via
bypass of a properly implemented allow list.

The main method impacted is `res.location()` but this is also called
from within `res.redirect()`.

### Patches


expressjs/express@0867302

expressjs/express@0b74695

An initial fix went out with `[email protected]`, we then patched a feature
regression in `4.19.1` and added improved handling for the bypass in
`4.19.2`.

### Workarounds

The fix for this involves pre-parsing the url string with either
`require('node:url').parse` or `new URL`. These are steps you can take
on your own before passing the user input string to `res.location` or
`res.redirect`.

### References


[https://github.com/expressjs/express/pull/5539](https://github.com/expressjs/express/pull/5539)

[https://github.com/koajs/koa/issues/1800](https://github.com/koajs/koa/issues/1800)
https://expressjs.com/en/4x/api.html#res.location

---

### Release Notes

<details>
<summary>expressjs/express (express)</summary>

###
[`v4.19.2`](https://github.com/expressjs/express/blob/HEAD/History.md#4192--2024-03-25)

[Compare
Source](https://github.com/expressjs/express/compare/4.19.1...4.19.2)

\==========

-   Improved fix for open redirect allow list bypass

###
[`v4.19.1`](https://github.com/expressjs/express/blob/HEAD/History.md#4191--2024-03-20)

[Compare
Source](https://github.com/expressjs/express/compare/4.19.0...4.19.1)

\==========

- Allow passing non-strings to res.location with new encoding handling
checks

###
[`v4.19.0`](https://github.com/expressjs/express/compare/4.18.3...83e77aff6a3859d58206f3ff9501277023c03f87)

[Compare
Source](https://github.com/expressjs/express/compare/4.18.3...4.19.0)

###
[`v4.18.3`](https://github.com/expressjs/express/blob/HEAD/History.md#4183--2024-02-26)

[Compare
Source](https://github.com/expressjs/express/compare/4.18.2...4.18.3)

\==========

-   Fix routing requests without method
-   deps: [email protected]
    -   Fix strict json error message on Node.js 19+
    -   deps: content-type@~1.0.5
    -   deps: [email protected]

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" in timezone America/Los_Angeles,
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about these
updates again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/apollographql/apollo-server).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->

Co-authored-by: renovate[bot] <29139614+renovate[bot]@users.noreply.github.com>
holtskinner referenced this issue in GoogleCloudPlatform/document-ai-samples Mar 28, 2024
@renovate-bot
fix(deps): update dependency express to v4.19.2 [security] (#776)
4f4de06 
[![Mend
Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [express](http://expressjs.com/)
([source](https://github.com/expressjs/express)) | [`4.18.2` ->
`4.19.2`](https://renovatebot.com/diffs/npm/express/4.18.2/4.19.2) |
[![age](https://developer.mend.io/api/mc/badges/age/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|
[![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/)
|

### GitHub Vulnerability Alerts

####
[CVE-2024-29041](https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc)

### Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta
versions before 5.0.0-beta.3 are affected by an open redirect
vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL
Express performs an encode [using
`encodeurl`](https://github.com/pillarjs/encodeurl) on the contents
before passing it to the `location` header. This can cause malformed
URLs to be evaluated in unexpected ways by common redirect allow list
implementations in Express applications, leading to an Open Redirect via
bypass of a properly implemented allow list.

The main method impacted is `res.location()` but this is also called
from within `res.redirect()`.

### Patches


expressjs/express@0867302

expressjs/express@0b74695

An initial fix went out with `[email protected]`, we then patched a feature
regression in `4.19.1` and added improved handling for the bypass in
`4.19.2`.

### Workarounds

The fix for this involves pre-parsing the url string with either
`require('node:url').parse` or `new URL`. These are steps you can take
on your own before passing the user input string to `res.location` or
`res.redirect`.

### References


[https://github.com/expressjs/express/pull/5539](https://github.com/expressjs/express/pull/5539)

[https://github.com/koajs/koa/issues/1800](https://github.com/koajs/koa/issues/1800)
https://expressjs.com/en/4x/api.html#res.location

---

### Release Notes

<details>
<summary>expressjs/express (express)</summary>

###
[`v4.19.2`](https://github.com/expressjs/express/blob/HEAD/History.md#4192--2024-03-25)

[Compare
Source](https://github.com/expressjs/express/compare/4.19.1...4.19.2)

\==========

-   Improved fix for open redirect allow list bypass

###
[`v4.19.1`](https://github.com/expressjs/express/blob/HEAD/History.md#4191--2024-03-20)

[Compare
Source](https://github.com/expressjs/express/compare/4.19.0...4.19.1)

\==========

- Allow passing non-strings to res.location with new encoding handling
checks

###
[`v4.19.0`](https://github.com/expressjs/express/compare/4.18.3...83e77aff6a3859d58206f3ff9501277023c03f87)

[Compare
Source](https://github.com/expressjs/express/compare/4.18.3...4.19.0)

###
[`v4.18.3`](https://github.com/expressjs/express/blob/HEAD/History.md#4183--2024-02-26)

[Compare
Source](https://github.com/expressjs/express/compare/4.18.2...4.18.3)

\==========

-   Fix routing requests without method
-   deps: [email protected]
    -   Fix strict json error message on Node.js 19+
    -   deps: content-type@~1.0.5
    -   deps: [email protected]

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined),
Automerge - At any time (no schedule defined).

🚦 **Automerge**: Enabled.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the
rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update
again.

---

- [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check
this box

---

This PR has been generated by [Mend
Renovate](https://www.mend.io/free-developer-tools/renovate/). View
repository job log
[here](https://developer.mend.io/github/GoogleCloudPlatform/document-ai-samples).

<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjI2OS4yIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
@PavelMor25 PavelMor25 mentioned this issue Mar 30, 2024
Closed
1 task
etroynov pushed a commit to etroynov/koa that referenced this issue Apr 1, 2024
@fengmk2 @etroynov
fix: formatting redirect url on http(s) protocol url (koajs#1804)
69932e3 
closes koajs#1800

pick from koajs#1803
@github-actions github-actions bot mentioned this issue Apr 2, 2024
Merged
1 task
@hmdevelopermind hmdevelopermind mentioned this issue Apr 3, 2024
Closed
@github-actions github-actions bot mentioned this issue Apr 4, 2024
Merged
This was referenced Apr 13, 2024
Closed
Closed
Closed
Closed
Closed
Closed
Closed
This was referenced Apr 13, 2024
Closed
Closed
Closed
Open
hi5a referenced this issue in nordic-game-lab/learnhub-sdk May 4, 2024
@renovate
Update dependency express to v4.19.2 [SECURITY] (#15)
71e6f1c 
[![Mend Renovate](https://app.renovatebot.com/images/banner.svg)](https://renovatebot.com)

This PR contains the following updates:

| Package | Change | Age | Adoption | Passing | Confidence |
|---|---|---|---|---|---|
| [express](http://expressjs.com/) ([source](https://github.com/expressjs/express)) | [`4.18.2` -> `4.19.2`](https://renovatebot.com/diffs/npm/express/4.18.2/4.19.2) | [![age](https://developer.mend.io/api/mc/badges/age/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![adoption](https://developer.mend.io/api/mc/badges/adoption/npm/express/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![passing](https://developer.mend.io/api/mc/badges/compatibility/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) | [![confidence](https://developer.mend.io/api/mc/badges/confidence/npm/express/4.18.2/4.19.2?slim=true)](https://docs.renovatebot.com/merge-confidence/) |

### GitHub Vulnerability Alerts

#### [CVE-2024-29041](https://github.com/expressjs/express/security/advisories/GHSA-rv95-896h-c2vc)

### Impact

Versions of Express.js prior to 4.19.2 and pre-release alpha and beta versions before 5.0.0-beta.3 are affected by an open redirect vulnerability using malformed URLs.

When a user of Express performs a redirect using a user-provided URL Express performs an encode [using `encodeurl`](https://github.com/pillarjs/encodeurl) on the contents before passing it to the `location` header. This can cause malformed URLs to be evaluated in unexpected ways by common redirect allow list implementations in Express applications, leading to an Open Redirect via bypass of a properly implemented allow list.

The main method impacted is `res.location()` but this is also called from within `res.redirect()`.

### Patches

expressjs/express@0867302
expressjs/express@0b74695

An initial fix went out with `[email protected]`, we then patched a feature regression in `4.19.1` and added improved handling for the bypass in `4.19.2`.

### Workarounds

The fix for this involves pre-parsing the url string with either `require('node:url').parse` or `new URL`. These are steps you can take on your own before passing the user input string to `res.location` or `res.redirect`.

### References

[https://github.com/expressjs/express/pull/5539](https://github.com/expressjs/express/pull/5539)
[https://github.com/koajs/koa/issues/1800](https://github.com/koajs/koa/issues/1800)
https://expressjs.com/en/4x/api.html#res.location

---

### Release Notes

<details>
<summary>expressjs/express (express)</summary>

### [`v4.19.2`](https://github.com/expressjs/express/blob/HEAD/History.md#4192--2024-03-25)

[Compare Source](https://github.com/expressjs/express/compare/4.19.1...4.19.2)

\==========

-   Improved fix for open redirect allow list bypass

### [`v4.19.1`](https://github.com/expressjs/express/blob/HEAD/History.md#4191--2024-03-20)

[Compare Source](https://github.com/expressjs/express/compare/4.19.0...4.19.1)

\==========

-   Allow passing non-strings to res.location with new encoding handling checks

### [`v4.19.0`](https://github.com/expressjs/express/compare/4.18.3...83e77aff6a3859d58206f3ff9501277023c03f87)

[Compare Source](https://github.com/expressjs/express/compare/4.18.3...4.19.0)

### [`v4.18.3`](https://github.com/expressjs/express/blob/HEAD/History.md#4183--2024-02-26)

[Compare Source](https://github.com/expressjs/express/compare/4.18.2...4.18.3)

\==========

-   Fix routing requests without method
-   deps: [email protected]
    -   Fix strict json error message on Node.js 19+
    -   deps: content-type@~1.0.5
    -   deps: [email protected]

</details>

---

### Configuration

📅 **Schedule**: Branch creation - "" (UTC), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Mend Renovate](https://www.mend.io/free-developer-tools/renovate/). View repository job log [here](https://developer.mend.io/github/nordic-game-lab/ngl-api-sdk).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzNy4yNjkuMiIsInVwZGF0ZWRJblZlciI6IjM3LjMzMS4wIiwidGFyZ2V0QnJhbmNoIjoibWFpbiJ9-->
This was referenced Aug 15, 2024
Merged
Open
This was referenced Sep 12, 2024
Open
Open
@github-actions github-actions bot mentioned this issue Nov 14, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@fengmk2 fengmk2

Labels
bug
Projects
None yet
Milestone
No milestone
2 participants
@fengmk2 @FDrag0n