A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies decodeURI() to determine which route to render, while the middleware uses context.url.pathname without applying the same normalization (decodeURI).
This discrepancy may allow attackers to reach protected routes (e.g., /admin) using encoded path variants that pass routing but bypass validation checks.
|
pathname = decodeURI(url.pathname); |
|
} |
|
|
|
// Add config.base back to url before passing it to SSR |
|
url.pathname = removeTrailingForwardSlash(config.base) + url.pathname; |
/** The main logic to route dev server requests to pages in Astro. */
export async function handleRequest({
pipeline,
routesList,
controller,
incomingRequest,
incomingResponse,
}: HandleRequest) {
const { config, loader } = pipeline;
const origin = `${loader.isHttps() ? 'https' : 'http'}://${
incomingRequest.headers[':authority'] ?? incomingRequest.headers.host
}`;
const url = new URL(origin + incomingRequest.url);
let pathname: string;
if (config.trailingSlash === 'never' && !incomingRequest.url) {
pathname = '';
} else {
// We already have a middleware that checks if there's an incoming URL that has invalid URI, so it's safe
// to not handle the error: packages/astro/src/vite-plugin-astro-server/base.ts
pathname = decodeURI(url.pathname); // here this url is for routing/rendering
}
// Add config.base back to url before passing it to SSR
url.pathname = removeTrailingForwardSlash(config.base) + url.pathname; // this is used for middleware contextConsider an application having the following middleware code:
import { defineMiddleware } from "astro/middleware";
export const onRequest = defineMiddleware(async (context, next) => {
const isAuthed = false; // simulate no auth
if (context.url.pathname === "/admin" && !isAuthed) {
return context.redirect("/");
}
return next();
});context.url.pathname is validated , if it's equal to /admin the isAuthed property must be true for the next() method to be called. The same example can be found in the official docs https://docs.astro.build/en/guides/authentication/
context.url.pathname returns the raw version which is /%61admin while pathname which is used for routing/rendering /admin, this creates a path normalization mismatch.
By sending the following request, it's possible to bypass the middleware check
GET /%61dmin HTTP/1.1
Host: localhost:3000
Remediation
Ensure middleware context has the same normalized pathname value that Astro uses internally, because any difference could allow it to bypass such checks. In short maybe something like this
pathname = decodeURI(url.pathname);
}
// Add config.base back to url before passing it to SSR
- url.pathname = removeTrailingForwardSlash(config.base) + url.pathname;
+ url.pathname = removeTrailingForwardSlash(config.base) + decodeURI(url.pathname);Thankyou, let me know if any more info is needed happy to help :)
A mismatch exists between how Astro normalizes request paths for routing/rendering and how the application’s middleware reads the path for validation checks. Astro internally applies
decodeURI()to determine which route to render, while the middleware usescontext.url.pathnamewithout applying the same normalization (decodeURI).This discrepancy may allow attackers to reach protected routes (e.g., /admin) using encoded path variants that pass routing but bypass validation checks.
astro/packages/astro/src/vite-plugin-astro-server/request.ts
Lines 40 to 44 in ebc4b1c
Consider an application having the following middleware code:
context.url.pathnameis validated , if it's equal to/admintheisAuthedproperty must be true for the next() method to be called. The same example can be found in the official docs https://docs.astro.build/en/guides/authentication/context.url.pathnamereturns the raw version which is/%61adminwhile pathname which is used for routing/rendering/admin, this creates a path normalization mismatch.By sending the following request, it's possible to bypass the middleware check
Remediation
Ensure middleware context has the same normalized pathname value that Astro uses internally, because any difference could allow it to bypass such checks. In short maybe something like this
pathname = decodeURI(url.pathname); } // Add config.base back to url before passing it to SSR - url.pathname = removeTrailingForwardSlash(config.base) + url.pathname; + url.pathname = removeTrailingForwardSlash(config.base) + decodeURI(url.pathname);Thankyou, let me know if any more info is needed happy to help :)