Skip to content

Optional Login from browser support#2368

Merged
abose merged 6 commits into
mainfrom
prox
Aug 29, 2025
Merged

Optional Login from browser support#2368
abose merged 6 commits into
mainfrom
prox

Conversation

@abose

@abose abose commented Aug 29, 2025

Copy link
Copy Markdown
Member

No description provided.

@sonarqubecloud

sonarqubecloud Bot commented Aug 29, 2025

Copy link
Copy Markdown

Quality Gate Passed Quality Gate passed

Issues
1 New issue
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

github-advanced-security[bot]
github-advanced-security AI found potential problems Aug 29, 2025
View reviewed changes
Comment thread serve-proxy.js
serveStaticFile(req, res, filePath);
} else if (stats.isDirectory() && !parsedUrl.pathname.endsWith('/')) {
// Redirect to URL with trailing slash for directories
res.writeHead(301, { 'Location': req.url + '/' });

Check warning

Code scanning / CodeQL

Server-side URL redirect Medium

Untrusted URL redirection depends on a
user-provided value
Loading
.

Copilot Autofix

AI 10 months ago

The best way to fix this problem is to avoid using the raw req.url in the redirect and instead construct a canonical, relative URL path based solely on validated input. Specifically, when redirecting a user to the trailing slash version of a directory, parse and reconstruct the pathname—without including any potentially harmful user-supplied query strings or full URLs. The correct approach is to use the parsed pathname (from url.parse(req.url, true)) and ensure the result is a relative path (not an absolute URL). Additionally, you may want to re-attach the original query parameters (if any), to preserve search parameters when redirecting, but do so via encoding.

In practical terms, replace res.writeHead(301, { 'Location': req.url + '/' }); with a construct that starts with the URL-parsed pathname, appends the trailing slash, and (optionally) preserves the query string, ensuring the entire result is a relative path. All code changes can be made directly in serve-proxy.js at line 302, using standard Node.js modules you are already importing.

Suggested changeset 1
serve-proxy.js

Autofix patch

Autofix patch
Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/serve-proxy.js b/serve-proxy.js
--- a/serve-proxy.js
+++ b/serve-proxy.js
@@ -299,7 +299,11 @@
             serveStaticFile(req, res, filePath);
         } else if (stats.isDirectory() && !parsedUrl.pathname.endsWith('/')) {
             // Redirect to URL with trailing slash for directories
-            res.writeHead(301, { 'Location': req.url + '/' });
+            let redirectPath = parsedUrl.pathname + '/';
+            if (parsedUrl.search) {
+                redirectPath += parsedUrl.search;
+            }
+            res.writeHead(301, { 'Location': redirectPath });
             res.end();
         } else {
             serveStaticFile(req, res, filePath);
EOF
@@ -299,7 +299,11 @@
serveStaticFile(req, res, filePath);
} else if (stats.isDirectory() && !parsedUrl.pathname.endsWith('/')) {
// Redirect to URL with trailing slash for directories
res.writeHead(301, { 'Location': req.url + '/' });
let redirectPath = parsedUrl.pathname + '/';
if (parsedUrl.search) {
redirectPath += parsedUrl.search;
}
res.writeHead(301, { 'Location': redirectPath });
res.end();
} else {
serveStaticFile(req, res, filePath);
Copilot is powered by AI and may make mistakes. Always verify output.
@abose abose merged commit c979a70 into main Aug 29, 2025
16 of 18 checks passed
@abose abose deleted the prox branch August 29, 2025 12:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@abose @github-advanced-security