Merge pull request #360 from gbrownmozilla/redirects

[Bug 1753838] Harden trailing slashes redirect
mozilla · Feb 7, 2022 · e39d8be · e39d8be
2 parents 5c05a73 + 0d66516
commit e39d8be
Show file tree

Hide file tree

Showing 2 changed files with 12 additions and 1 deletion.
diff --git a/pollbot/middlewares.py b/pollbot/middlewares.py
@@ -1,6 +1,7 @@
 import logging
 from aiohttp import web
 import os
+import string
 
 logger = logging.getLogger(__package__)
 
@@ -60,8 +61,12 @@ async def handle_any(request, response):
 
 async def handle_404(request, response):
     if 'json' not in response.headers['Content-Type']:
+        # This traling slash redirect has caused security issues.
+        # If it continues to be problematic, consider:
+        #  - only redirect "/v1/.../"?
+        #  - remove the redirect entirely; use duplicate routes instead, in app.py
         if request.path.endswith('/'):
-            return web.HTTPFound('/' + request.path.strip('/'))
+            return web.HTTPFound('/' + request.path.strip('/'+string.whitespace))
         return web.json_response({
             "status": 404,
             "message": "Page '{}' not found".format(request.path)

diff --git a/tests/test_views.py b/tests/test_views.py
@@ -65,6 +65,12 @@ async def test_redirects_strip_leading_slashes(cli):
     cli.server.skip_url_asserts = True
     resp = await check_response(cli, "//page/", status=302, allow_redirects=False)
     assert resp.headers['Location'] == "/page"
+    # also strip leading and trailing whitespace
+    resp = await check_response(cli, "/%0a/www.evil.com/", status=302, allow_redirects=False)
+    assert resp.headers['Location'] == "/www.evil.com"
+    resp = await check_response(cli, "/%0a /www.evil.com %0a%0b/", status=302,
+                                allow_redirects=False)
+    assert resp.headers['Location'] == "/www.evil.com"
 
 
 async def check_yaml_resource(cli, url, filename, **kwargs):