Harden redirect handling for catch-all parameters

[matthewp]

Changes

• redirectIsExternal() now detects protocol-relative URLs (//) in addition to http:// and https://
• Route generator uses collapseDuplicateLeadingSlashes when building segments to prevent double leading slashes in output

Practically what htis means is a redirect like:

• redirects: { '/old/[...slug]': '/[...slug]' }

With a request like /old//evil.com/ would redirect to evil.com. This is defense in depth, a vulnerability would be required that creates path relative links to take advantage of this.

Testing

Unit tests added in packages/astro/test/units/redirects/open-redirect.test.js covering both redirectIsExternal and getRouteGenerator.

Docs

N/A, bug fix

[changeset-bot]

🦋 Changeset detected

Latest commit: a9cb14a

The changes in this PR will be included in the next version bump.

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

[codspeed-hq]

Merging this PR will not alter performance

✅ 18 untouched benchmarks

---

_{Comparing fix/redirect-open-redirect (a9cb14a) with main (e6e146c)¹}

Footnotes

1. No successful run was found on main (29682f3) during the generation of this report, so e6e146c was used instead as the comparison base. There might be some changes unrelated to this pull request in this report. ↩