fix: encode URIs before setting them as Location header (#58)

Author: derz

lib/middleware.js

@@ -31,7 +31,7 @@ module.exports = function (options) {
     const toUrl = decodedBaseUrl.replace(foundRule.from, toTarget)
 
     try {
-      res.setHeader('Location', toUrl)
+      res.setHeader('Location', encodeURI(toUrl))
     } catch (error) {
       // Not passing the error as it's caused by URL that was user-provided so we
       // can't do anything about the error.

test/fixture/redirects.js

@@ -1,6 +1,7 @@
 module.exports = [
   { from: '^/redirected', to: '/' },
   { from: /^\/äßU</, to: '/' },
+  { from: '^/äöü$', to: '/äßU<' },
   { from: '^/many/(.*)$', to: '/posts/abcde' },
   { from: '^/mapped/(.*)$', to: '/posts/$1' },
   { from: '^/function$', to: () => '/' },
@@ -17,6 +18,7 @@ module.exports = [
       setTimeout(() => resolve(`/posts/${param}`), 2000)
     })
   },
+  { from: '^/errorInTo$', to: '/mapped/\uD800ab\u0001/' },
   {
     from: '^/errorInToFunction$',
     to: () => Promise.reject(new Error('forced error'))

test/module.test.js

@@ -42,9 +42,19 @@ const testSuite = () => {
     expect(html).toContain('Works!')
   })
 
-  test('redirect error with control character', async () => {
+  test('non-ascii redirect to another non-ascii url', async () => {
+    const html = await get('/äöü')
+    expect(html).toContain('Works!')
+  })
+
+  test('redirect with control character', async () => {
+    const html = await get(encodeURI('/mapped/ab\u0001'))
+    expect(html).toContain('ab')
+  })
+
+  test('redirect error due to malformatted target url', async () => {
     const requestOptions = {
-      uri: url(encodeURI('/mapped/ab\u0001')),
+      uri: url('/errorInTo'),
       resolveWithFullResponse: true
     }