From b8b8ff7e21b4b5a77e68d700021e2b4e3f07ab96 Mon Sep 17 00:00:00 2001
From: Kevin Heis <heiskr@users.noreply.github.com>
Date: Wed, 22 Jan 2025 10:05:59 -0800
Subject: [PATCH] Reject URLs where the path starts with triple slash (#54057)

---
 src/shielding/middleware/handle-invalid-paths.ts | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/src/shielding/middleware/handle-invalid-paths.ts b/src/shielding/middleware/handle-invalid-paths.ts
index 0cee2ae35964..52a64602c2a3 100644
--- a/src/shielding/middleware/handle-invalid-paths.ts
+++ b/src/shielding/middleware/handle-invalid-paths.ts
@@ -7,6 +7,7 @@ import { ExtendedRequest } from '@/types'
 // one of these.
 // These are clearly intentional "guesses" made by some sort of
 // pen-testing bot.
+const JUNK_STARTS = ['///']
 const JUNK_ENDS = [
   '/package.json',
   '/package-lock.json',
@@ -37,6 +38,12 @@ const JUNK_BASENAMES = new Set([
 function isJunkPath(path: string) {
   if (JUNK_PATHS.has(path)) return true
 
+  for (const junkPath of JUNK_STARTS) {
+    if (path.startsWith(junkPath)) {
+      return true
+    }
+  }
+
   for (const junkPath of JUNK_ENDS) {
     if (path.endsWith(junkPath)) {
       return true