fix: sanitize double-slashes in asset-worker redirects by danielrs · Pull Request #10402 · cloudflare/workers-sdk

danielrs · 2025-08-18T18:17:11Z

A redirect rule such as:

/foo/* /:splat

And a request such as:

https://example.com/foo//google.com

Would result in a redirect target:

//google.com

Which would incorrectly resolve to:

https://google.com

When constructing a URL.

Problem was already patched in the live service.

Describe your change...

Tests
- Tests included
- Tests not necessary because:
Public documentation
- Cloudflare docs PR(s):
- Documentation not necessary because: bugfix
Wrangler V3 Backport
- Wrangler PR:
- Not necessary because: not a Wrangler change.

changeset-bot · 2025-08-18T18:17:15Z

🦋 Changeset detected

Latest commit: e271a93

The changes in this PR will be included in the next version bump.

This PR includes changesets to release 1 package

Name	Type
@cloudflare/workers-shared	Minor

Not sure what this means? Click here to learn what changesets are.

Click here if you're a maintainer who wants to add another changeset to this PR

pkg-pr-new · 2025-08-18T18:23:04Z

create-cloudflare

npm i https://pkg.pr.new/create-cloudflare@10402

@cloudflare/kv-asset-handler

npm i https://pkg.pr.new/@cloudflare/kv-asset-handler@10402

miniflare

npm i https://pkg.pr.new/miniflare@10402

@cloudflare/pages-shared

npm i https://pkg.pr.new/@cloudflare/pages-shared@10402

@cloudflare/unenv-preset

npm i https://pkg.pr.new/@cloudflare/unenv-preset@10402

@cloudflare/vite-plugin

npm i https://pkg.pr.new/@cloudflare/vite-plugin@10402

@cloudflare/vitest-pool-workers

npm i https://pkg.pr.new/@cloudflare/vitest-pool-workers@10402

@cloudflare/workers-editor-shared

npm i https://pkg.pr.new/@cloudflare/workers-editor-shared@10402

wrangler

npm i https://pkg.pr.new/wrangler@10402

commit: e271a93

dario-piotrowicz

Looks good to me 😄

A redirect rule such as: ``` /foo/* /:splat ``` And a request such as: ``` https://example.com/foo//google.com ``` Would result in a redirect target: ``` //google.com ``` Which would incorrectly resolve to: ``` https://google.com ``` When constructing a URL.

holopin-bot · 2025-08-19T15:50:40Z

Congratulations @danielrs, the maintainer of this repository has issued you a holobyte! Here it is: https://holopin.io/holobyte/cmeiq0cek068807kz3y1g1c9p

This badge can only be claimed by you, so make sure that your GitHub account is linked to your Holopin account. You can manage those preferences here: https://holopin.io/account.
Or if you're new to Holopin, you can simply sign up with GitHub, which will do the trick!

danielrs requested review from a team as code owners August 18, 2025 18:17

workers-devprod added this to workers-sdk Aug 18, 2025

github-project-automation Bot moved this to Untriaged in workers-sdk Aug 18, 2025

danielrs force-pushed the drivas/asset-worker-redirect-double-slash-vuln branch 2 times, most recently from 0460eda to f0d4edb Compare August 18, 2025 18:20

danielrs force-pushed the drivas/asset-worker-redirect-double-slash-vuln branch from f0d4edb to c8d6c8f Compare August 18, 2025 18:34

WillTaylorDev approved these changes Aug 18, 2025

View reviewed changes

github-project-automation Bot moved this from Untriaged to Approved in workers-sdk Aug 18, 2025

dario-piotrowicz approved these changes Aug 19, 2025

View reviewed changes

Comment thread packages/workers-shared/asset-worker/src/utils/rules-engine.ts Outdated

danielrs force-pushed the drivas/asset-worker-redirect-double-slash-vuln branch from c8d6c8f to e271a93 Compare August 19, 2025 15:20

dario-piotrowicz merged commit 8fd6dc0 into cloudflare:main Aug 19, 2025
30 checks passed

github-project-automation Bot moved this from Approved to Done in workers-sdk Aug 19, 2025

workers-devprod added the contribution [Holopin] Recognizes an open-source contribution, big or small label Aug 19, 2025

workers-devprod mentioned this pull request Aug 19, 2025

Version Packages #10406

Merged

danielrs deleted the drivas/asset-worker-redirect-double-slash-vuln branch August 19, 2025 16:53

lrapoport-cf mentioned this pull request Aug 21, 2025

Update changeset #10423

Merged

6 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fix: sanitize double-slashes in asset-worker redirects#10402

fix: sanitize double-slashes in asset-worker redirects#10402
dario-piotrowicz merged 1 commit intocloudflare:mainfrom
danielrs:drivas/asset-worker-redirect-double-slash-vuln

danielrs commented Aug 18, 2025 •

edited by dario-piotrowicz

Loading

Uh oh!

changeset-bot Bot commented Aug 18, 2025 •

edited

Loading

Uh oh!

pkg-pr-new Bot commented Aug 18, 2025 •

edited

Loading

Uh oh!

dario-piotrowicz left a comment •

edited

Loading

Uh oh!

Uh oh!

Uh oh!

holopin-bot Bot commented Aug 19, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

Conversation

danielrs commented Aug 18, 2025 • edited by dario-piotrowicz Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

changeset-bot Bot commented Aug 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🦋 Changeset detected

Uh oh!

pkg-pr-new Bot commented Aug 18, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

dario-piotrowicz left a comment • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

holopin-bot Bot commented Aug 19, 2025

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

danielrs commented Aug 18, 2025 •

edited by dario-piotrowicz

Loading

changeset-bot Bot commented Aug 18, 2025 •

edited

Loading

pkg-pr-new Bot commented Aug 18, 2025 •

edited

Loading

dario-piotrowicz left a comment •

edited

Loading