fix: exclude backslashes from trailing-slash rewrite to prevent open redirect (#2359)

B4nan · claude · web-flow · commit d62112067f02 · 2026-03-23T18:16:49.000+01:00
## Summary - Previous `if`-based checks on `$request_uri` and `$uri` didn't work in production despite passing CI - This changes the trailing-slash location regex from `^(.+)/$` to `^([^\\\\]+)/$` so it simply never matches URIs containing backslashes - No redirect fires → no `\` in the Location header → no open redirect - Locally verified against real nginx: attack vectors get 404, normal redirects still work Fixes apify/apify-core#26551 🤖 Generated with [Claude Code](https://claude.com/claude-code) --------- Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml
@@ -85,14 +85,31 @@ jobs:
                         [ "$actual" = "$expected" ] || (echo "❌ Expected HTTP $expected but got $actual for $url" && exit 1)
                     }
 
+                    function assert_no_redirect() {
+                        url=$1
+                        shift
+                        extra_args=("$@")
+                        response=$(curl -s -D - -o /dev/null -w "\n%{http_code}" "${extra_args[@]}" "$url" 2>/dev/null)
+                        status=$(echo "$response" | tail -1)
+                        location=$(echo "$response" | grep -i "^location:" | tr -d '\r' || true)
+                        echo "→ $url → HTTP $status ${location:+(${location})}"
+                        if [ "$status" = "301" ] || [ "$status" = "302" ]; then
+                            echo "❌ Got redirect for $url: $location" && exit 1
+                        fi
+                    }
+
                     echo "🧪 Checking open redirect protection..."
-                    # nginx decodes %5C to \ in $uri, so the check catches both forms.
-                    assert_status "http://localhost:8080///%5Cevil.com/" "400"
-                    assert_status "http://localhost:8080/%5Cevil.com/" "400"
-                    assert_status "http://localhost:8080///%5cevil.com/" "400"
+                    # Backslash URLs must not produce redirects (the redirect Location
+                    # would contain \, which browsers normalize to /, creating
+                    # protocol-relative URLs like //evil.com that redirect externally).
+                    assert_no_redirect "http://localhost:8080///%5Cevil.com/"
+                    assert_no_redirect "http://localhost:8080/%5Cevil.com/"
+                    assert_no_redirect "http://localhost:8080///%5cevil.com/"
                     # Literal backslash (simulates CDN pre-decoding %5C before forwarding)
-                    assert_status "http://localhost:8080" "400" --request-target '/\evil.com/'
-                    assert_status "http://localhost:8080" "400" --request-target '///\evil.com/'
+                    assert_no_redirect "http://localhost:8080" --request-target '/\evil.com/'
+                    assert_no_redirect "http://localhost:8080" --request-target '///\evil.com/'
+                    # Normal trailing-slash redirect must still work
+                    assert_status "http://localhost:8080/platform/proxy/usage/" "302"
 
                     echo "🧪 Checking Nginx responses... (apify-docs)"
                     assert_header "http://localhost:8080/" "Content-Type" "text/html"
diff --git a/nginx.conf b/nginx.conf
@@ -21,15 +21,6 @@ server {
     set $backend "https://apify.github.io/apify-docs";
     resolver 1.1.1.1 8.8.8.8 valid=30s ipv6=off;
 
-    # Prevent open redirect via backslash in URL
-    # The trailing-slash rewrite puts \ in the Location header, which browsers
-    # normalize to /, creating protocol-relative URLs (e.g. /\evil.com → //evil.com).
-    # Using $uri (not $request_uri) because nginx always decodes %5C → \ in $uri,
-    # regardless of whether CloudFront or other CDNs pre-decode the request.
-    if ($uri ~ "\\\\") {
-        return 400;
-    }
-
     location = / {
         if ($serve_markdown) {
             rewrite ^ /llms.txt last;
@@ -45,7 +36,10 @@ server {
 
     # remove trailing slashes from all URLs (except root /)
     # exact match locations (e.g., location = /sdk/js/) take priority over this regex
-    location ~ ^(.+)/$ {
+    # [^\\\\] excludes backslashes to prevent open redirect: nginx decodes %5C to \ in $uri,
+    # and \ in the Location header gets normalized to / by browsers, turning /\evil.com
+    # into the protocol-relative URL //evil.com which redirects to evil.com.
+    location ~ ^([^\\\\]+)/$ {
         rewrite ^(.+)/$ $1$is_args$args? redirect;
     }
 
