fix(route-rules): reject out-of-scope requests #4223

Merged: pi0 merged 2 commits into v2 from fix/proxy-rule-normalize-v2 on Apr 22, 2026

Conversation

pi0 (Member) commented Apr 22, 2026

Backport of #4222 to v2

vercel bot commented Apr 22, 2026: preview deployment of nitro.build ready (Apr 22, 2026 8:53am UTC)

coderabbitai bot commented Apr 22, 2026: Review skipped. Auto reviews are disabled on base/target branches other than the default branch.

@pi0 pi0 changed the base branch from main to v2 April 22, 2026 08:46
@pi0 pi0 added the v2 label Apr 22, 2026
@pi0 pi0 changed the title from "fix/proxy rule normalize v2" to "fix(route-rules): reject out-of-scope requests" Apr 22, 2026
Mirrors the scope check added for proxy rules. An encoded traversal like
`..%2f` bypasses the `/**` scope at match time but can escape the base
once the redirect target decodes `%2f` → `/`, letting a victim's
browser reach a sibling scope on the redirect host.
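The bypass the commit message describes, as an added illustration in plain JavaScript (not Nitro's own code; the rule shape, the `RULE` object, the host name and all function names are assumptions): a `/**` scope check done as a prefix test on the raw request path accepts `/app/..%2fadmin`, the wildcard remainder is substituted into the redirect target, and the redirect host decodes `%2f` to `/` and resolves `..`, landing on `/admin`. The hardened check decodes one layer and collapses dot segments before testing the scope, and rejects malformed encodings instead of passing them along.

```javascript
// Added illustration, not Nitro's own code. Rule shape, names and URLs are assumptions.

// Constructed rule: forward everything under /app/ to the same scope on another host.
const RULE = { scope: "/app/**", redirect: "https://target.example/app/**" };

// Prefix of a "<base>/**" scope, e.g. "/app/".
function scopeBase(rule) {
  return rule.scope.slice(0, -"**".length);
}

// Naive check: prefix test on the path exactly as received.
// Returns the wildcard remainder on a match, null otherwise.
function matchRaw(rule, path) {
  const base = scopeBase(rule);
  return path.startsWith(base) ? path.slice(base.length) : null;
}

// Substitute the remainder into the redirect target.
function buildRedirect(rule, remainder) {
  return rule.redirect.replace("**", remainder);
}

// Resolve "." and ".." segments the way a server maps a path, clamping at the
// root (a leading ".." cannot climb above "/").
function normalizeSegments(path) {
  const out = [];
  for (const seg of path.split("/")) {
    if (seg === "" || seg === ".") continue;
    if (seg === "..") { out.pop(); continue; }
    out.push(seg);
  }
  const trailing = path.endsWith("/") && out.length ? "/" : "";
  return "/" + out.join("/") + trailing;
}

// Path the redirect host actually resolves: decode once, then normalize.
// Malformed percent-encoding is reported as null rather than thrown.
function effectivePath(url) {
  try {
    return normalizeSegments(decodeURIComponent(new URL(url).pathname));
  } catch {
    return null;
  }
}

// Hardened check: decode one layer and collapse dot segments *before* the
// scope test, so whatever the remainder expands to is still under the base.
// Malformed encodings (e.g. "%zz") are rejected instead of passed through.
// This undoes exactly one encoding layer, matching a host that decodes once;
// double-encoded input ("%252f") is left as "%2f" and stays inside the base.
function matchScoped(rule, path) {
  let decoded;
  try {
    decoded = decodeURIComponent(path);
  } catch {
    return null;
  }
  const normalized = normalizeSegments(decoded);
  const base = scopeBase(rule);
  return normalized.startsWith(base) ? normalized.slice(base.length) : null;
}

// Run one constructed probe through both checks and report where each lands.
function compare(path) {
  const raw = matchRaw(RULE, path);
  return {
    path,
    rawMatched: raw !== null,
    rawLandsAt: raw === null ? null : effectivePath(buildRedirect(RULE, raw)),
    scoped: matchScoped(RULE, path),
  };
}

for (const p of ["/app/dashboard", "/app/..%2fadmin", "/app/%2e%2e/admin", "/app/%zz"]) {
  console.log(compare(p));
}
```

`compare("/app/..%2fadmin")` reports `rawMatched: true` with `rawLandsAt: "/admin"` and `scoped: null`, which is the sibling-scope escape the commit message describes and the reason the check has to run on the decoded, normalized path rather than the raw one.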
pkg-pr-new bot commented Apr 22, 2026: `npm i https://pkg.pr.new/nitropack@4223` (commit: f5f97a9)

@pi0 pi0 marked this pull request as ready for review April 22, 2026 08:55
@pi0 pi0 merged commit 8d06a32 into v2 Apr 22, 2026
8 checks passed
@pi0 pi0 deleted the fix/proxy-rule-normalize-v2 branch April 22, 2026 11:44