fix: harden proxy-table matching to prevent routing bypass#1268

Merged
chimurai merged 1 commit into chimurai:2.x from G-Rath:backport on Jun 19, 2026

Conversation

@G-Rath G-Rath commented Jun 18, 2026


Description

Backports security fix for GHSA-64mm-vxmg-q3vj

fixes #1266

Motivation and Context

v2 is heavily used by dependencies such as webpack-dev-server so having a backport would be very helpful for the ecosystem

How has this been tested?

Using the reproduction and with the ported tests

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklist:

  • My change requires a change to the documentation.
  • I have updated the documentation accordingly.

Summary by CodeRabbit

  • Bug Fixes
    • Hardened router proxy-table matching to prevent routing bypass by enforcing exact host matching and prefix-based path matching instead of substring matching.
    • Added regression tests to ensure malformed host variants cannot incorrectly match routing rules.
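The summary above describes the class of fix: a proxy table keyed by host and path must not be matched by substring search over the incoming host and path. The following is an added example of my own, not http-proxy-middleware's router code; the rule grammar (keys of the form `host`, `host/path` or `/path`), the table entries and the internal hostnames are constructed for illustration. It puts a substring matcher beside an exact-host / path-prefix matcher so the difference in routing decisions can be checked directly.

```javascript
// Added example (not the project's own code). Constructed proxy table whose
// keys are "host/path", "host" or "/path"; targets are placeholder hostnames.
const proxyTable = {
  'api.example.test/admin': 'http://admin-backend.internal',
  'api.example.test': 'http://api-backend.internal',
  '/assets': 'http://static.internal',
};

// Split a rule into its host and path parts (either part may be absent).
function parseRule(rule) {
  if (rule.startsWith('/')) return { host: null, path: rule };
  const slash = rule.indexOf('/');
  return slash === -1
    ? { host: rule, path: null }
    : { host: rule.slice(0, slash), path: rule.slice(slash) };
}

// Weak matcher: a rule matches if its text appears anywhere in host + path.
// This is the substring behaviour the fix replaces.
function matchSubstring(table, host, path) {
  const hostAndPath = host + path;
  for (const rule of Object.keys(table)) {
    if (hostAndPath.indexOf(rule) > -1) return table[rule];
  }
  return null;
}

// Path prefix that respects segment boundaries: "/assets" matches "/assets"
// and "/assets/app.js" but not "/assetsx".
function hasPathPrefix(path, prefix) {
  if (!path.startsWith(prefix)) return false;
  const next = path.charAt(prefix.length);
  return next === '' || next === '/' || next === '?' || prefix.endsWith('/');
}

// Hardened matcher: host must be equal, path must be a boundary-aware prefix.
// Rules are tried in table order, so more specific entries should come first.
function matchExact(table, host, path) {
  for (const rule of Object.keys(table)) {
    const { host: ruleHost, path: rulePath } = parseRule(rule);
    const hostOk = ruleHost === null || ruleHost === host;
    const pathOk = rulePath === null || hasPathPrefix(path, rulePath);
    if (hostOk && pathOk) return table[rule];
  }
  return null;
}

// Regression-style comparison: a host that merely contains the configured
// hostname, or a path that extends a rule's path without a separator, must
// not select that rule under the hardened matcher.
function compare(host, path) {
  return { substring: matchSubstring(proxyTable, host, path), exact: matchExact(proxyTable, host, path) };
}
```

The `compare` helper returns both decisions for one request so a test can assert that the two matchers agree on well-formed requests and diverge only on the inputs the substring matcher accepts incorrectly.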

coderabbitai Bot commented Jun 18, 2026

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

Check name | Status | Explanation | Resolution
Docstring Coverage | ⚠️ Warning | Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold.
✅ Passed checks (4 passed)
Check name | Status | Explanation
Title check | ✅ Passed | The PR title accurately describes the main security hardening change to proxy-table matching logic to prevent routing bypass, which is the primary focus of the changeset.
Linked Issues check | ✅ Passed | The PR implements the security fix for GHSA-64mm-vxmg-q3vj by hardening proxy-table matching to prevent routing bypass as requested in issue #1266, with appropriate test coverage.
Out of Scope Changes check | ✅ Passed | All changes are directly related to the security fix scope: router logic hardening, test coverage, CHANGELOG documentation, and a minor spell-checker configuration update.
Description Check | ✅ Passed | Check skipped - CodeRabbit’s high-level summary is enabled.

@G-Rath G-Rath marked this pull request as ready for review June 18, 2026 23:03
G-Rath commented Jun 19, 2026

Author

Annoying that CI is being flaky - in my fork CI passed with only one rerun being needed :/

chimurai commented Jun 19, 2026

Owner

This is one of the reasons not to support v2 anymore 🫥

CI stability has been improved in v4 and doesn't rely on third-party for e2e tests...

@coveralls


Coverage Status

coverage: 98.113% (+0.04%) from 98.072% — G-Rath:backport into chimurai:2.x

@chimurai chimurai merged commit d0f7d63 into chimurai:2.x Jun 19, 2026
63 of 153 checks passed
@chimurai chimurai linked an issue Jun 19, 2026 that may be closed by this pull request
chimurai commented Jun 19, 2026

Owner

Development

Successfully merging this pull request may close these issues.

Backporting security fixes to v2

3 participants