redirect to another domain #2515

Closed
wbster opened this issue Sep 28, 2021 · 17 comments · Fixed by #4414
Labels
bug Something isn't working p1-important SvelteKit cannot be used by a large number of people, basic functionality is missing, etc.
Milestone

Comments

@wbster

wbster commented Sep 28, 2021

Describe the bug

The link leads to someone else's site:
http://localhost:3000//https://google.com/
It can be used by hackers.

Reproduction

Found on all versions of SvelteKit. It redirects to another site and can be used by hackers.

Logs

No response

System Info

all systems

Severity

blocking all usage of SvelteKit

Additional Information

No response

@benmccann benmccann added the bug Something isn't working label Sep 28, 2021
@benmccann benmccann added this to the 1.0 milestone Sep 28, 2021
@Conduitry
Member

How do we reproduce this? If I go to, for example, https://kit.svelte.dev//https://google.com/ I get a 404, as expected. Does this only happen in dev mode?

@bluwy
Member

bluwy commented Sep 28, 2021

Reproducible in dev mode. Tried setting config.kit.vite.server.fs.strict: true but with the same behaviour. This is likely an issue in Vite's dev server, and should be reported there if not duplicate.

@Conduitry Conduitry added the vite label Sep 28, 2021
@Conduitry Conduitry removed this from the 1.0 milestone Sep 28, 2021
@Conduitry
Member

Added the "vite" label - I also removed the "1.0" milestone, since this appears to be a dev-only issue.

@wbster
Author

wbster commented Sep 28, 2021

Should I tell them about this problem or have they already been informed?

@rmunn
Contributor

rmunn commented Sep 29, 2021

Can easily reproduce with a new Svelte-Kit skeleton app, but I've tried multiple ways to reproduce this with a create-vite app and haven't been able to reproduce it with only Vite involved. So I can't rule out a Svelte-Kit issue just yet.

BTW, two findings from my repro attempts might be useful.

  1. The final / and initial // are required to trigger this bug. http://localhost:3000/https://www.google.com/ did not redirect, but http://localhost:3000//https://www.google.com/ did. Also, http://localhost:3000//https://www.google.com did not redirect.
  2. I added a middleware before the Svelte-Kit middleware that would just log the request URL and call next(). In the examples above that did not redirect, that middleware logged the URL and then logged the various other URLs that Svelte-Kit loaded (e.g. /.svelte-kit/dev/runtime/internal/start.js). But on the attempt that triggered the redirect, my logging middleware was never hit; the http://localhost:3000//https://www.google.com/ URL never showed up in the logs.

@bluwy
Member

bluwy commented Sep 29, 2021

I was just about to open an issue in Vite, as I'm able to reproduce this in a normal Vite app. SvelteKit uses the Vite dev server under the hood, so I think the core fix is in Vite. I've also checked Vite's issue tracker and there doesn't seem to be an existing one.

@rmunn
Contributor

rmunn commented Sep 30, 2021

@bluwy If you can reproduce this in a Vite app without Svelte-Kit involved, then ignore my comment, because the fact that you can reproduce it in a normal Vite app means that it's not a Svelte-Kit issue. I have had to move on to working on something else and probably won't be able to revisit this issue, so don't let my comment stop you from reporting this since you have a repro to show.

@rmunn
Contributor

rmunn commented Oct 6, 2021

@bluwy Did you ever open that Vite issue? I've looked for it but I don't see it. If you haven't had time, I'd be willing to open the issue but I haven't managed to reproduce this in Vite the way you have. If you can post a link to your repro repo, I'd be willing to open the issue in https://github.com/vitejs/vite/issues for you.

@bluwy
Member

bluwy commented Oct 6, 2021

Ah my bad. This issue had slipped my mind. I think you were right with your comment, where the bug happens differently in Vite and SvelteKit as I can't reproduce the URL provided by OP in a Vite app. Feel free to open an issue in Vite though, I currently don't have a repro at hand.

@rmunn
Contributor

rmunn commented Oct 26, 2021

This appears to have been fixed by #2683. With Vite 2.6.11 in place I can no longer reproduce this bug. Instead I get a 403 Restricted error saying "The request url "/https:/google.com/" is outside of Vite serving allow list". Downgrading to Vite 2.6.10 lets me reproduce the bug again, but bringing Vite 2.6.11 back fixes the issue.

So I think this can be closed now as a fix has been released.

@bluwy
Member

bluwy commented Oct 26, 2021

Nice. Thanks for checking this again @rmunn!

@bluwy bluwy closed this as completed Oct 26, 2021
@ambrt

ambrt commented Nov 28, 2021

http://localhost:3000//https://www.google.com/ still redirects on the skeleton app, in both dev and preview.
kit: next.201
svelte: 3.44.2
vite: 2.6.14

@bluwy bluwy reopened this Nov 30, 2021
@bluwy
Member

bluwy commented Nov 30, 2021

I can reproduce this as well, using vite@2.7.0-beta.9. For the dev part, we would need it fixed on Vite's side; feel free to make an issue there. For preview, however, we would fix that here, but I'm not sure where the issue is.

@mrkishi
Member

mrkishi commented Feb 15, 2022

I can't reproduce it as of @sveltejs/kit@1.0.0-next.271 and vite@2.8.3.

@bluwy
Member

bluwy commented Feb 17, 2022

I can still reproduce in the latest version (@sveltejs/kit@1.0.0-next.276 and vite@2.8.3) with http://localhost:3000//https://www.google.com/, though that now redirects to http://https//www.google.com (which is an invalid url). But if I go to http://localhost:3000//www.google.com/, I'm redirected to google. I'm getting the same behaviour in preview too, even though we're not using the Vite dev server/preview there, so that's something.
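The observations above (a `//host/` path redirecting off-site, while `//https://www.google.com/` now resolves to the invalid `http://https//www.google.com`) are what a same-origin check on redirect targets is meant to catch. The following is an added example, not SvelteKit's or Vite's code: a guard a server or middleware can apply to any candidate `Location` value before emitting a redirect. It resolves the value against the server's own origin with the WHATWG `URL` API and refuses anything whose origin differs. The `LOCAL_ORIGIN` constant and the sample inputs are constructed here, modelled on the URLs discussed in this thread.

```javascript
// Added example (not SvelteKit's or Vite's code): reject redirect targets that
// would leave the server's own origin. LOCAL_ORIGIN is an assumed value.
const LOCAL_ORIGIN = 'http://localhost:3000';

// Returns the absolute same-origin URL to redirect to, or null when the
// candidate Location would resolve to a different origin (or is unparsable).
function safeRedirectTarget(location, origin = LOCAL_ORIGIN) {
  let resolved;
  try {
    // Relative and protocol-relative values are resolved the way a browser
    // would resolve them, so "//www.google.com/" becomes "http://www.google.com/"
    // and "/\\www.google.com/" (backslash treated as slash for http) does too.
    resolved = new URL(location, origin);
  } catch {
    return null;
  }
  if (resolved.origin !== new URL(origin).origin) return null;
  return resolved.href;
}

// Constructed sample inputs based on the paths in this issue. Each entry is
// [candidate Location, whether a same-origin server should accept it].
const SAMPLES = [
  ['/about', true],                          // ordinary local path
  ['/https://www.google.com/', true],        // local path that merely contains a URL
  ['//www.google.com/', false],              // protocol-relative: leaves the origin
  ['//https://www.google.com/', false],      // resolves to origin "http://https"
  ['https://www.google.com/', false],        // absolute off-site URL
  ['/\\www.google.com/', false],             // backslash variant of the above
];

// Runs every sample through the guard and reports mismatches against the
// expected verdict; returns the number of mismatches (0 means all as expected).
function checkSamples(samples = SAMPLES) {
  let mismatches = 0;
  for (const [candidate, expectedAllowed] of samples) {
    const target = safeRedirectTarget(candidate);
    const allowed = target !== null;
    if (allowed !== expectedAllowed) mismatches += 1;
    console.log(`${allowed ? 'ALLOW ' : 'REFUSE'} ${candidate} -> ${target}`);
  }
  return mismatches;
}

checkSamples();
```

The point of comparing `origin` rather than inspecting the string is that string checks such as "starts with a single slash" miss the `/\` spelling, which the URL parser treats as `//` for `http` and `https`; letting the parser do the resolution means the check agrees with what the browser will actually do.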

@Rich-Harris Rich-Harris added this to the 1.0 milestone Mar 5, 2022
@benmccann benmccann removed the vite label Mar 7, 2022
@benmccann benmccann added the p1-important SvelteKit cannot be used by a large number of people, basic functionality is missing, etc. label Mar 17, 2022
@raksha-a-simpl

I'm using

```json
"@sveltejs/adapter-node": "1.0.0-next.55",
"@sveltejs/kit": "1.0.0-next.201",
"@sveltejs/vite-plugin-svelte": "^1.0.0-next.30"
```

My project is live on prod, and updating any of the above packages might not be feasible for my team at the moment. Is there a way I can handle this in my svelte.config.js file?

@maxicarlos08

maxicarlos08 commented Feb 16, 2023

Your dependencies are a bit (very) out of date, try upgrading to:

```json
"@sveltejs/adapter-node": "^1.2.0",
"@sveltejs/kit": "^1.5.0",
"svelte": "^3.54.0",
"vite": "^4.0.0"
```

Note that you will have to do the migration to use the new SvelteKit version.

Edit: missed the part that you can't upgrade, apologies :(
