From 06bf4d9afb45b60df6f18542e0669e520dcb16eb Mon Sep 17 00:00:00 2001
From: Riley Apeldoorn
Date: Thu, 21 Jul 2022 14:36:30 +0200
Subject: [PATCH] Fix potential security issue with building redirection target uri
---
 src/main.rs | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/src/main.rs b/src/main.rs
index a5b5029..68e739d 100644
--- a/src/main.rs
+++ b/src/main.rs
@@ -208,8 +208,18 @@ impl Effect {
 match self {
 Effect::Proxy { port, .. } => {
 let host = "0.0.0.0"; // Support for custom hosts added later
- let path = req.uri().path_and_query().map(|x| x.as_str()).unwrap_or("");
- let target = format!("http://{host}:{port}{path}");
+ let path = req
+ .uri()
+ .path_and_query()
+ .and_then(|x| {
+ // Reject all requests where the path doesn't start with a `/`,
+ // and strip the first `/` off all paths so we can ensure that
+ // the path is actually separated from the host and port.
+ x.as_str().strip_prefix('/')
+ })
+ .unwrap_or("");
+
+ let target = format!("http://{host}:{port}/{path}");
 let uri = target.parse().unwrap();
 *req.uri_mut() = uri;
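Review bot: The comment inside the `and_then` closure says requests whose path does not start with `/` are rejected, but when `strip_prefix('/')` returns `None` the chain only falls through to `.unwrap_or("")`, so the request is still proxied with its target rewritten to the backend's root path. If rejection is the intent, the `None` case should return an error response (a 400, say) before `target` is built; the enclosing method's signature is outside the hunk, so the exact return expression cannot be given here. If the fallback is intended, the comment should say so, for example `// Paths without a leading slash are forwarded as the root path.` The unchanged `target.parse().unwrap()` would still panic if the rebuilt string ever failed to parse, so mapping that error to a response rather than unwrapping would be the safer choice on a request path.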