Don't strip trailing slash if it's escaped

nuuls · nuuls · commit f152ebdb45bf · 2025-01-17T21:31:44.000+01:00
diff --git a/middleware/strip.go b/middleware/strip.go
@@ -3,6 +3,7 @@ package middleware
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/go-chi/chi/v5"
 )
@@ -12,20 +13,19 @@ import (
 // matches, then it will serve the handler.
 func StripSlashes(next http.Handler) http.Handler {
 	fn := func(w http.ResponseWriter, r *http.Request) {
-		var path string
 		rctx := chi.RouteContext(r.Context())
-		if rctx != nil && rctx.RoutePath != "" {
-			path = rctx.RoutePath
-		} else {
-			path = r.URL.Path
-		}
-		if len(path) > 1 && path[len(path)-1] == '/' {
-			newPath := path[:len(path)-1]
-			if rctx == nil {
-				r.URL.Path = newPath
-			} else {
-				rctx.RoutePath = newPath
+
+		if rctx != nil && len(rctx.RoutePath) > 1 {
+			rctx.RoutePath = strings.TrimSuffix(rctx.RoutePath, "/")
+		} else if len(r.URL.RawPath) > 1 {
+			if r.URL.RawPath[len(r.URL.RawPath)-1] == '/' {
+				// Always update RawPath and Path in sync to make sure
+				// there are no unexpected mismatches
+				r.URL.RawPath = strings.TrimSuffix(r.URL.RawPath, "/")
+				r.URL.Path = strings.TrimSuffix(r.URL.Path, "/")
 			}
+		} else if len(r.URL.Path) > 1 {
+			r.URL.Path = strings.TrimSuffix(r.URL.Path, "/")
 		}
 		next.ServeHTTP(w, r)
 	}
diff --git a/middleware/strip_test.go b/middleware/strip_test.go
@@ -48,9 +48,18 @@ func TestStripSlashes(t *testing.T) {
 	if _, resp := testRequest(t, ts, "GET", "/accounts/admin/", nil); resp != "admin" {
 		t.Fatal(resp)
 	}
+	if _, resp := testRequest(t, ts, "GET", "/accounts/escaped%2F", nil); resp != "escaped%2F" {
+		t.Fatalf(resp)
+	}
+	if _, resp := testRequest(t, ts, "GET", "/accounts/escaped%2F/", nil); resp != "escaped%2F" {
+		t.Fatalf(resp)
+	}
 	if _, resp := testRequest(t, ts, "GET", "/nothing-here", nil); resp != "nothing here" {
 		t.Fatal(resp)
 	}
+	if _, resp := testRequest(t, ts, "GET", "/%2F", nil); resp != "nothing here" {
+		t.Fatalf(resp)
+	}
 }
 
 func TestStripSlashesInRoute(t *testing.T) {
@@ -97,6 +106,9 @@ func TestStripSlashesInRoute(t *testing.T) {
 	if _, resp := testRequest(t, ts, "GET", "/accounts/admin/query/", nil); resp != "admin" {
 		t.Fatal(resp)
 	}
+	if _, resp := testRequest(t, ts, "GET", "/accounts/admin/query%2F", nil); resp != "nothing here" {
+		t.Fatalf(resp)
+	}
 }
 
 func TestRedirectSlashes(t *testing.T) {

Original file line number	Diff line number	Diff line change
`@@ -48,9 +48,18 @@ func TestStripSlashes(t *testing.T) {`
`48`	`48`	`if _, resp := testRequest(t, ts, "GET", "/accounts/admin/", nil); resp != "admin" {`
`49`	`49`	`t.Fatal(resp)`
`50`	`50`	`}`
	`51`	`+ if _, resp := testRequest(t, ts, "GET", "/accounts/escaped%2F", nil); resp != "escaped%2F" {`
	`52`	`+ t.Fatalf(resp)`
	`53`	`+ }`
	`54`	`+ if _, resp := testRequest(t, ts, "GET", "/accounts/escaped%2F/", nil); resp != "escaped%2F" {`
	`55`	`+ t.Fatalf(resp)`
	`56`	`+ }`
`51`	`57`	`if _, resp := testRequest(t, ts, "GET", "/nothing-here", nil); resp != "nothing here" {`
`52`	`58`	`t.Fatal(resp)`
`53`	`59`	`}`
	`60`	`+ if _, resp := testRequest(t, ts, "GET", "/%2F", nil); resp != "nothing here" {`
	`61`	`+ t.Fatalf(resp)`
	`62`	`+ }`
`54`	`63`	`}`
`55`	`64`
`56`	`65`	`func TestStripSlashesInRoute(t *testing.T) {`
`@@ -97,6 +106,9 @@ func TestStripSlashesInRoute(t *testing.T) {`
`97`	`106`	`if _, resp := testRequest(t, ts, "GET", "/accounts/admin/query/", nil); resp != "admin" {`
`98`	`107`	`t.Fatal(resp)`
`99`	`108`	`}`
	`109`	`+ if _, resp := testRequest(t, ts, "GET", "/accounts/admin/query%2F", nil); resp != "nothing here" {`
	`110`	`+ t.Fatalf(resp)`
	`111`	`+ }`
`100`	`112`	`}`
`101`	`113`
`102`	`114`	`func TestRedirectSlashes(t *testing.T) {`