fix: block open redirect via literal backslash and double slashes in nginx (#2356)

## Summary
- The previous `%5C` check is bypassed because CloudFront decodes `%5C`
to literal `\` before forwarding to nginx, so `$request_uri` never
contains `%5C`
- This PR adds nginx rules to also block literal backslashes and
multiple leading slashes in request URIs
- Tests use `curl --request-target` to simulate exactly what CDNs
forward to nginx

Fixes apify/apify-core#26551

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: B4nan

.github/workflows/test.yaml

@@ -85,11 +85,16 @@ jobs:
                         [ "$actual" = "$expected" ] || (echo "❌ Expected HTTP $expected but got $actual for $url" && exit 1)
                     }
 
-                    echo "🧪 Checking encoded backslash blocking..."
+                    echo "🧪 Checking open redirect protection..."
+                    # Encoded backslash (%5C) - as sent by clients directly
                     assert_status "http://localhost:8080///%5Cevil.com/" "400"
                     assert_status "http://localhost:8080/%5Cevil.com/" "400"
-                    assert_status "http://localhost:8080/platform/%5Ctest" "400"
                     assert_status "http://localhost:8080///%5cevil.com/" "400"
+                    # Literal backslash - as forwarded by CDNs that decode %5C before proxying
+                    assert_status "http://localhost:8080" "400" --request-target '/\evil.com/'
+                    assert_status "http://localhost:8080" "400" --request-target '///\evil.com/'
+                    # Multiple leading slashes (no backslash) - also a redirect vector
+                    assert_status "http://localhost:8080" "400" --request-target '//evil.com/'
 
                     echo "🧪 Checking Nginx responses... (apify-docs)"
                     assert_header "http://localhost:8080/" "Content-Type" "text/html"

nginx.conf

@@ -21,10 +21,11 @@ server {
     set $backend "https://apify.github.io/apify-docs";
     resolver 1.1.1.1 8.8.8.8 valid=30s ipv6=off;
 
-    # Prevent open redirect via encoded backslash (%5C) in URL
-    # Some browsers decode %5C to \ and normalize it to / in URL paths,
-    # which combined with the trailing-slash rewrite can create redirect vectors
-    if ($request_uri ~* "%5c") {
+    # Prevent open redirect via backslash or multiple leading slashes in URL
+    # CDNs like CloudFront may decode %5C to literal \ before forwarding to nginx.
+    # The trailing-slash rewrite then puts \ in the Location header, which browsers
+    # normalize to /, creating protocol-relative URLs (e.g. /\evil.com → //evil.com).
+    if ($request_uri ~ "\\\\|%5[cC]|^//") {
         return 400;
     }