bug: redirecting to external URLs about connect HOT 4 CLOSED

Hello @benmccann thanks for the report. There is no code in connect that does any kind of redirection, so it is unclear what your issue is. In fact, following your steps, it properly responds with a 200 with your response, no redirect or Location response header:

$ git clone https://github.com/benmccann/connect-repro connect-1137
Cloning into 'connect-1137'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 6 (delta 0), reused 6 (delta 0), pack-reused 0
Receiving objects: 100% (6/6), done.
$ cd connect-1137/
$ npm i

added 12 packages, and audited 13 packages in 938ms

found 0 vulnerabilities
$ node index.js &
[1] 2894
$ curl -i http://localhost:3000//www.google.com/
HTTP/1.1 200 OK
Date: Mon, 21 Mar 2022 16:39:11 GMT
Connection: keep-alive
Keep-Alive: timeout=5
Content-Length: 20

Hello from Connect!

In the future, please respect our security policy.

from connect.

Hmm. This appears to be originating from Chrome. I see "Hello from Connect!" in curl and Firefox, but am redirected in Chrome. Apologies for the false report

In the future, please respect our security policy.

I'm not sure what you mean by this. I guess you mean I should have emailed you as the policy states? But if so, please publish your email address on your Github profile or somewhere linked to from the security policy so that it's clear how to do so

from connect.

My email is in my GitHub profile. I can see it right under my profile pic. Make sure you are logged in to see emails of users, as I believe GitHub restricts them by default. You can also find emails for any npm module using npm owner ls, look in package.json, and many times in the license file. And if all else fails, simply open an issue to ask. Just posting a potentional security issue in the issues is just bad etiquette, especially when you know what the policy is, clearly.

As for Chrome, I do not get any redirect in Chrome, either, with your repro:

from connect.

Perhaps an OS or version issue. I'm definitely seeing a redirect in Chrome 98 for Linux. In any case, it seems unlikely to be an issue in Connect

I'm afraid even logged in I do not see your email address in your profile. You may want to note the npm owner ls or package.json tips in the security policy to help people locate your email if needed. Here's a screenshot of what I see

from connect.