
v2.0.2

@PAkerstrand PAkerstrand released this 17 May 09:00

This patch release fixes a security issue that allowed a malicious actor to trick the middleware into redirecting to other domains. After this patch release, the middleware will only remove a trailing slash from the path if the resulting Location header still redirects the user to the same domain they originally requested.

The vulnerability and attack vector are described in greater detail in CVE-2021-23384.

Big thank you goes out to @apple502j for discovering and disclosing this vulnerability to us.

Fixes