HackerOne report H1:1354255 by drstrnegth
History: Sep 29, 2021 - 3:57 a.m.

Fastify: Open redirect in fastify-static via mishandled user's input when attempt to redirect

2021-09-29 03:57:50
drstrnegth
hackerone.com
96
fastify-static
open redirect
security bug
remote attackers
ssrf protection
oauth
bug bounty

EPSS: 0.003 (percentile 71.9%)

Summary:

When fastify-static is mounted at root and registered with the option redirect: true, the following two lines cause an open redirect: https://github.com/fastify/fastify-static/blob/master/index.js#L156-L157. A remote attacker can redirect users to an arbitrary web site via a double forward slash (//); for example, to send a user to google.com: http://<domain_name>//google.com/%2e%2e. The handler copies the raw request URL into the Location header with a trailing slash appended, and a Location value that starts with // is a scheme-relative URL, so the browser follows it to the attacker's host instead of to a path on the application. The encoded /%2e%2e is there so that the request path still resolves to an existing directory (the document root) and the trailing-slash redirect is issued at all.

This bug is similar to CVE-2015-1164 in serve-static, the static-file middleware used by Express; it is listed on the Express security-updates page (search the page for CVE-2015-1164): https://expressjs.com/en/advanced/security-updates.html

Steps To Reproduce:

  1. Download my PoC here
  2. Run bash run.sh
  3. Use Firefox to navigate to http://localhost:3000//google.com/%2e%2e. You are redirected to https://www.google.com/

Request:

GET //google.com/%2e%2e HTTP/1.1
Host: localhost:3000
Accept-Encoding: gzip, deflate
Connection: close

Response:

HTTP/1.1 301 Moved Permanently
location: //google.com/%2e%2e/
content-length: 0
Date: Wed, 29 Sep 2021 03:34:22 GMT
Connection: close

I tested it and it only works in Firefox, not in Chrome, Edge, Opera or Safari 😂; this is because different browsers handle the response differently.
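The following Node script is an added example, not the reporter's PoC and not fastify-static's own code. It reconstructs the "raw request URL plus trailing slash" pattern behind the Location header shown above, puts a hardened builder next to it that collapses leading slashes and backslashes into one (an assumed fix chosen for illustration, not necessarily the change the project shipped), and resolves each Location value with Node's built-in WHATWG URL class the way a browser would, so the host the user actually lands on is visible. The request path and origin are the ones from the report; the backslash variant is a constructed input.

```javascript
// Added example: open redirect via a scheme-relative Location header.
// Not fastify-static's code. Uses only Node's global WHATWG URL class.

// Vulnerable pattern: echo the raw request URL back with a trailing slash.
// If the request path starts with "//", so does the Location header, and a
// browser reads "//host/..." as a scheme-relative URL to another host.
function vulnerableRedirectLocation(rawUrl) {
  return rawUrl + '/';
}

// Hardened builder (assumed fix for illustration): collapse every leading
// "/" or "\" into a single "/". WHATWG URL parsing treats "\" like "/" for
// http(s), so "/\evil" would otherwise escape the origin just as "//evil" does.
function hardenedRedirectLocation(rawUrl) {
  let i = 0;
  while (i < rawUrl.length && (rawUrl[i] === '/' || rawUrl[i] === '\\')) i++;
  const rest = rawUrl.slice(i);
  return rest ? '/' + rest + '/' : '/';
}

// Resolve a Location value the way a browser does, relative to the origin the
// response came from, and return the host the user would land on.
function resolvedRedirectHost(location, origin) {
  return new URL(location, origin).host;
}

// Guard a server can apply to any Location built from user input: after
// resolution the target must still be on the responding origin.
function isSameOriginRedirect(location, origin) {
  return new URL(location, origin).origin === new URL(origin).origin;
}

// Walk the report's request through both builders.
function demonstrate(rawUrl = '//google.com/%2e%2e', origin = 'http://localhost:3000') {
  const vulnerable = vulnerableRedirectLocation(rawUrl);
  const hardened = hardenedRedirectLocation(rawUrl);
  return {
    vulnerableLocation: vulnerable,                                 // "//google.com/%2e%2e/"
    vulnerableLandsOn: resolvedRedirectHost(vulnerable, origin),    // "google.com"
    vulnerableSameOrigin: isSameOriginRedirect(vulnerable, origin), // false
    hardenedLocation: hardened,                                     // "/google.com/%2e%2e/"
    hardenedLandsOn: resolvedRedirectHost(hardened, origin),        // "localhost:3000"
    hardenedSameOrigin: isSameOriginRedirect(hardened, origin),     // true
  };
}

console.log(demonstrate());
```

The %2e%2e segment is collapsed by the URL parser exactly as a browser collapses it, which is why the vulnerable value resolves to http://google.com/ with an empty path. The same-origin guard is the check worth keeping in any handler that reflects a request path into Location, independent of how the path was normalised first.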

Impact

The most straightforward impact is phishing.
However, an open redirect is also a gadget that lets attackers exploit further, for example:

  • Bypassing SSRF protection
  • Token stealing in OAuth