Collapse scheme-relative leading slashes in Rewrite middleware redirect/rewrite targets

rokonec · rokonec · commit fa44f130d86b · 2026-06-01T19:47:56.000+02:00
`AddRedirect`, IIS URL Rewrite, and Apache mod_rewrite rules let an attacker-controlled or
misconfigured back-reference produce a target starting with `//`, `///`, or `/\` (and longer
runs). When `PathBase` is empty, the resulting `Location` header is scheme-relative and
resolves off-origin — an open redirect.

This change adds a small internal helper `UrlNormalizer.CollapseLeadingSlashes` that mirrors
the rejection predicate in `SharedUrlHelper.IsLocalUrl` but coerces instead of returning a
boolean: any leading run of `/` and `\` is collapsed to a single `/`. The helper is applied
at the three sinks that emit `Location` or mutate `Request.Path`:

* `RedirectRule.ApplyRule` (`AddRedirect` surface)
* `UrlActions.RedirectAction.ApplyAction` (IIS / Apache redirect import)
* `UrlActions.RewriteAction.ApplyAction` (defense in depth for `Request.Path`)

Adds regression theories on all three surfaces covering `//`, `///`, `//////`, `/\`
shapes, both as literal replacements and as back-reference-synthesized captures.

No public API surface change; `PublicAPI.Shipped.txt` / `PublicAPI.Unshipped.txt` unchanged.
diff --git a/src/Middleware/Rewrite/src/RedirectRule.cs b/src/Middleware/Rewrite/src/RedirectRule.cs
@@ -43,6 +43,7 @@ public void ApplyRule(RewriteContext context)
         if (initMatchResults.Success)
         {
             var newPath = initMatchResults.Result(Replacement);
+            newPath = UrlNormalizer.CollapseLeadingSlashes(newPath);
             var response = context.HttpContext.Response;
 
             response.StatusCode = StatusCode;
diff --git a/src/Middleware/Rewrite/src/UrlActions/RedirectAction.cs b/src/Middleware/Rewrite/src/UrlActions/RedirectAction.cs
@@ -43,6 +43,8 @@ public override void ApplyAction(RewriteContext context, BackReferenceCollection
             return;
         }
 
+        pattern = UrlNormalizer.CollapseLeadingSlashes(pattern);
+
         if (!pattern.Contains(Uri.SchemeDelimiter, StringComparison.Ordinal) && pattern[0] != '/')
         {
             pattern = '/' + pattern;
@@ -51,7 +53,6 @@ public override void ApplyAction(RewriteContext context, BackReferenceCollection
 
         // url can either contain the full url or the path and query
         // always add to location header.
-        // TODO check for false positives
 
         var split = pattern.IndexOf('?');
         if (split >= 0 && QueryStringAppend)
diff --git a/src/Middleware/Rewrite/src/UrlActions/RewriteAction.cs b/src/Middleware/Rewrite/src/UrlActions/RewriteAction.cs
@@ -58,6 +58,8 @@ public override void ApplyAction(RewriteContext context, BackReferenceCollection
             pattern = Uri.EscapeDataString(pattern);
         }
 
+        pattern = UrlNormalizer.CollapseLeadingSlashes(pattern);
+
         // TODO PERF, substrings, object creation, etc.
         if (pattern.Contains(Uri.SchemeDelimiter, StringComparison.Ordinal))
         {
diff --git a/src/Middleware/Rewrite/src/UrlNormalizer.cs b/src/Middleware/Rewrite/src/UrlNormalizer.cs
@@ -0,0 +1,24 @@
+// Licensed to the .NET Foundation under one or more agreements.
+// The .NET Foundation licenses this file to you under the MIT license.
+
+namespace Microsoft.AspNetCore.Rewrite;
+
+internal static class UrlNormalizer
+{
+    // Collapses a leading run of '/' and '\' to a single '/' so a redirect/rewrite target cannot resolve as a scheme-relative authority. Mirrors the rejection predicate in SharedUrlHelper.IsLocalUrl.
+    public static string CollapseLeadingSlashes(string url)
+    {
+        if (url.Length < 2 || url[0] != '/' || (url[1] != '/' && url[1] != '\\'))
+        {
+            return url;
+        }
+
+        var i = 1;
+        while (i < url.Length && (url[i] == '/' || url[i] == '\\'))
+        {
+            i++;
+        }
+
+        return i == url.Length ? "/" : string.Concat("/", url.AsSpan(i));
+    }
+}
diff --git a/src/Middleware/Rewrite/test/ApacheModRewrite/ModRewriteMiddlewareTest.cs b/src/Middleware/Rewrite/test/ApacheModRewrite/ModRewriteMiddlewareTest.cs
@@ -37,6 +37,62 @@ public async Task Invoke_RewritePathWhenMatching()
         Assert.Equal("/hello", response);
     }
 
+    [Theory]
+    [InlineData("/legacy//example.com")]
+    [InlineData("/legacy///example.com")]
+    [InlineData(@"/legacy/\example.com")]
+    public async Task Invoke_RedirectCollapsesSchemeRelativeBackReference(string requestPath)
+    {
+        var options = new RewriteOptions().AddApacheModRewrite(new StringReader("RewriteRule /legacy/(.*) /$1 [R=302,L]"));
+        using var host = new HostBuilder()
+            .ConfigureWebHost(webHostBuilder =>
+            {
+                webHostBuilder
+                .UseTestServer()
+                .Configure(app =>
+                {
+                    app.UseRewriter(options);
+                    app.Run(context => context.Response.WriteAsync(context.Response.Headers.Location));
+                });
+            }).Build();
+
+        await host.StartAsync();
+
+        var server = host.GetTestServer();
+
+        var response = await server.CreateClient().GetAsync(requestPath);
+
+        Assert.Equal("/example.com", response.Headers.Location.OriginalString);
+    }
+
+    [Theory]
+    [InlineData("/legacy//example.com")]
+    [InlineData("/legacy///example.com")]
+    [InlineData(@"/legacy/\example.com")]
+    public async Task Invoke_RewriteCollapsesSchemeRelativeBackReference(string requestPath)
+    {
+        var options = new RewriteOptions().AddApacheModRewrite(new StringReader("RewriteRule /legacy/(.*) /$1"));
+        using var host = new HostBuilder()
+            .ConfigureWebHost(webHostBuilder =>
+            {
+                webHostBuilder
+                .UseTestServer()
+                .Configure(app =>
+                {
+                    app.UseRewriter(options);
+                    app.Run(context => context.Response.WriteAsync(context.Request.Path));
+                });
+            }).Build();
+
+        await host.StartAsync();
+
+        var server = host.GetTestServer();
+
+        var response = await server.CreateClient().GetStringAsync(requestPath);
+
+        Assert.Equal("/example.com", response);
+    }
+
     [Fact]
     public async Task Invoke_RewritePathTerminatesOnFirstSuccessOfRule()
     {
diff --git a/src/Middleware/Rewrite/test/IISUrlRewrite/MiddleWareTests.cs b/src/Middleware/Rewrite/test/IISUrlRewrite/MiddleWareTests.cs
@@ -47,6 +47,41 @@ public async Task Invoke_RedirectPathToPathAndQuery()
         Assert.Equal("/article.aspx?id=10&title=hey", response.Headers.Location.OriginalString);
     }
 
+    [Theory]
+    [InlineData("legacy//example.com")]
+    [InlineData("legacy///example.com")]
+    [InlineData(@"legacy/\example.com")]
+    public async Task Invoke_RedirectCollapsesSchemeRelativeBackReference(string requestPath)
+    {
+        var options = new RewriteOptions().AddIISUrlRewrite(new StringReader(@"<rewrite>
+                <rules>
+                <rule name=""Collapse"">
+                <match url=""^legacy/(.*)"" />
+                <action type=""Redirect"" url=""/{R:1}"" redirectType=""Found"" />
+                </rule>
+                </rules>
+                </rewrite>"));
+        using var host = new HostBuilder()
+             .ConfigureWebHost(webHostBuilder =>
+             {
+                 webHostBuilder
+                 .UseTestServer()
+                 .Configure(app =>
+                 {
+                     app.UseRewriter(options);
+                     app.Run(context => context.Response.WriteAsync(context.Response.Headers.Location));
+                 });
+             }).Build();
+
+        await host.StartAsync();
+
+        var server = host.GetTestServer();
+
+        var response = await server.CreateClient().GetAsync(requestPath);
+
+        Assert.Equal("/example.com", response.Headers.Location.OriginalString);
+    }
+
     [Fact]
     public async Task Invoke_RewritePathToPathAndQuery()
     {
diff --git a/src/Middleware/Rewrite/test/MiddlewareTests.cs b/src/Middleware/Rewrite/test/MiddlewareTests.cs
@@ -174,6 +174,37 @@ public async Task CheckRedirectPath(string pattern, string replacement, string b
         Assert.Equal(expectedUrl, response.Headers.Location.OriginalString);
     }
 
+    [Theory]
+    [InlineData("(.*)", "//example.com", "anything")]
+    [InlineData("(.*)", "///example.com", "anything")]
+    [InlineData("(.*)", @"/\example.com", "anything")]
+    [InlineData("(.*)", "//////example.com", "anything")]
+    [InlineData("legacy/(.*)", "/$1", "legacy//example.com")]
+    [InlineData("legacy/(.*)", "/$1", "legacy///example.com")]
+    [InlineData("legacy/(.*)", "/$1", @"legacy/\example.com")]
+    public async Task CheckRedirect_CollapsesSchemeRelativeTarget(string pattern, string replacement, string requestUrl)
+    {
+        var options = new RewriteOptions().AddRedirect(pattern, replacement, statusCode: StatusCodes.Status302Found);
+        using var host = new HostBuilder()
+            .ConfigureWebHost(webHostBuilder =>
+            {
+                webHostBuilder
+                .UseTestServer()
+                .Configure(app =>
+                {
+                    app.UseRewriter(options);
+                });
+            }).Build();
+
+        await host.StartAsync();
+
+        var server = host.GetTestServer();
+
+        var response = await server.CreateClient().GetAsync(requestUrl);
+
+        Assert.Equal("/example.com", response.Headers.Location.OriginalString);
+    }
+
     [Fact]
     public async Task RewriteRulesCanComeFromConfigureOptions()
     {

Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,7 @@ public void ApplyRule(RewriteContext context)`
`43`	`43`	`if (initMatchResults.Success)`
`44`	`44`	`{`
`45`	`45`	`var newPath = initMatchResults.Result(Replacement);`
	`46`	`+ newPath = UrlNormalizer.CollapseLeadingSlashes(newPath);`
`46`	`47`	`var response = context.HttpContext.Response;`
`47`	`48`
`48`	`49`	`response.StatusCode = StatusCode;`
Original file line number	Diff line number	Diff line change
`@@ -43,6 +43,8 @@ public override void ApplyAction(RewriteContext context, BackReferenceCollection`
`43`	`43`	`return;`
`44`	`44`	`}`
`45`	`45`
	`46`	`+ pattern = UrlNormalizer.CollapseLeadingSlashes(pattern);`
	`47`	`+`
`46`	`48`	`if (!pattern.Contains(Uri.SchemeDelimiter, StringComparison.Ordinal) && pattern[0] != '/')`
`47`	`49`	`{`
`48`	`50`	`pattern = '/' + pattern;`
`@@ -51,7 +53,6 @@ public override void ApplyAction(RewriteContext context, BackReferenceCollection`
`51`	`53`
`52`	`54`	`// url can either contain the full url or the path and query`
`53`	`55`	`// always add to location header.`
`54`		`- // TODO check for false positives`
`55`	`56`
`56`	`57`	`var split = pattern.IndexOf('?');`
`57`	`58`	`if (split >= 0 && QueryStringAppend)`
Original file line number	Diff line number	Diff line change
`@@ -58,6 +58,8 @@ public override void ApplyAction(RewriteContext context, BackReferenceCollection`
`58`	`58`	`pattern = Uri.EscapeDataString(pattern);`
`59`	`59`	`}`
`60`	`60`
	`61`	`+ pattern = UrlNormalizer.CollapseLeadingSlashes(pattern);`
	`62`	`+`
`61`	`63`	`// TODO PERF, substrings, object creation, etc.`
`62`	`64`	`if (pattern.Contains(Uri.SchemeDelimiter, StringComparison.Ordinal))`
`63`	`65`	`{`