fix: block open redirect via encoded backslash (%5C) in nginx (#2354)

B4nan · claude · web-flow · commit ada3c6bf3ed8 · 2026-03-23T16:07:54.000+01:00
## Summary - Block requests containing encoded backslash (`%5C`) in the URI to prevent an open redirect vulnerability - The nginx trailing slash removal rule (`rewrite ^(.+)/$ $1 redirect`) can produce redirects that browsers misinterpret when the URI contains `%5C` - some browsers decode it to `\`, normalize to `/`, and create protocol-relative navigation - Fix adds a server-level check on `$request_uri` that returns 400 before any rewrite processing Fixes apify/apify-core#26551 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -75,6 +75,22 @@ jobs:
                         echo "$actual" | grep -q "$expected" || (echo "❌ Expected '$expected' in '$header' for $url" && exit 1)
                     }
 
+                    function assert_status() {
+                        url=$1
+                        expected=$2
+                        shift 2
+                        extra_args=("$@")
+                        actual=$(curl -s -o /dev/null -w "%{http_code}" "${extra_args[@]}" "$url")
+                        echo "→ $url → HTTP $actual"
+                        [ "$actual" = "$expected" ] || (echo "❌ Expected HTTP $expected but got $actual for $url" && exit 1)
+                    }
+
+                    echo "🧪 Checking encoded backslash blocking..."
+                    assert_status "http://localhost:8080///%5Cevil.com/" "400"
+                    assert_status "http://localhost:8080/%5Cevil.com/" "400"
+                    assert_status "http://localhost:8080/platform/%5Ctest" "400"
+                    assert_status "http://localhost:8080///%5cevil.com/" "400"
+
                     echo "🧪 Checking Nginx responses... (apify-docs)"
                     assert_header "http://localhost:8080/" "Content-Type" "text/html"
                     assert_header "http://localhost:8080/" "Content-Type" "text/markdown" -H "Accept: text/markdown"
diff --git a/nginx.conf b/nginx.conf
@@ -21,6 +21,13 @@ server {
     set $backend "https://apify.github.io/apify-docs";
     resolver 1.1.1.1 8.8.8.8 valid=30s ipv6=off;
 
+    # Prevent open redirect via encoded backslash (%5C) in URL
+    # Some browsers decode %5C to \ and normalize it to / in URL paths,
+    # which combined with the trailing-slash rewrite can create redirect vectors
+    if ($request_uri ~* "%5c") {
+        return 400;
+    }
+
     location = / {
         if ($serve_markdown) {
             rewrite ^ /llms.txt last;
