fix #6 -- Multiple forward slashes in request URL cause unexpected issues

- now it is possible to proxy url's with any number of slashes with no
  mangling

Author: williamstein

lib/http-proxy/common.ts

@@ -169,7 +169,6 @@ export function urlJoin(...args: string[]): string {
   // join url and merge all query string.
   const queryParams: string[] = [];
   let queryParamRaw = "";
-  let retSegs;
 
   args.forEach((url, index) => {
     const qpStart = url.indexOf("?");
@@ -181,13 +180,34 @@ export function urlJoin(...args: string[]): string {
   queryParamRaw = queryParams.filter(Boolean).join("&");
 
   // Join all strings, but remove empty strings so we don't get extra slashes from
-  // joining e.g. ['', 'am']
-  retSegs = args
-    .filter(Boolean)
-    .join("/")
-    .replace(/\/+/g, "/")
-    .replace("http:/", "http://")
-    .replace("https:/", "https://");
+  // joining e.g. ['', 'am'].
+  // Also we respect strings that start and end in multiple slashes, e.g., so
+  //  ['/', '//test', '///foo'] --> '//test'
+  // since e.g., http://localhost//test///foo is a valid URL. See
+  // lib/test/http/double-slashes.test.ts
+  // The algorithm for joining is just straightforward and simple, instead
+  // of the complicated "too clever" code from http-proxy. This just concats
+  // the strings together, not adding any slashes, and also combining adjacent
+  // slashes in two segments, e.g., ['/foo/','/bar'] --> '/foo/bar'
+  let retSegs = "";
+  for (const seg of args) {
+    if (!seg) {
+      continue;
+    }
+    if (retSegs.endsWith("/")) {
+      if (seg.startsWith("/")) {
+        retSegs += seg.slice(1);
+      } else {
+        retSegs += seg;
+      }
+    } else {
+      if (seg.startsWith("/")) {
+        retSegs += seg;
+      } else {
+        retSegs += "/" + seg;
+      }
+    }
+  }
 
   // Only join the query string if it exists so we don't have trailing a '?'
   // on every request
@@ -244,11 +264,22 @@ export function toURL(url: URL | urllib.Url | string | undefined): URL {
   if (url instanceof URL) {
     return url;
   } else if (typeof url === "object" && typeof url.href === "string") {
-    // urllib.Url is deprecated but we support it by converting to URL
-    return new URL(url.href, "http://dummy.org");
-  } else {
-    return new URL(url ?? "", "http://dummy.org");
+    url = url.href;
+  }
+  if (!url) {
+    url = "";
+  }
+  if (typeof url != "string") {
+    // it has to be a string at this point, but to keep typescript happy:
+    url = `${url}`;
+  }
+  if (url.startsWith("//")) {
+    // special case -- this would be viewed as a this is a "network-path reference",
+    // so we explicitly prefix with our http schema.  See 
+    url = `http://dummy.org${url}`;
   }
+  // urllib.Url is deprecated but we support it by converting to URL
+  return new URL(url, "http://dummy.org");
 }
 
 // vendor simplified version of https://www.npmjs.com/package/requires-port to

lib/test/http/double-slashes.test.ts

@@ -0,0 +1,85 @@
+import express from "express";
+import getPort from "../get-port";
+import { createServer } from "../..";
+import http from "http";
+
+// See https://github.com/sagemathinc/http-proxy-3/issues/6
+
+describe("test multiple forward slashes in a URL", () => {
+  let port, server;
+
+  it("create a simple http server", async () => {
+    port = await getPort();
+    const app = express();
+
+    app.get("/", (_req, res) => {
+      res.send("Hello World!");
+    });
+
+    app.get("/test", (_req, res) => {
+      res.send("Test Page!");
+    });
+
+    app.get("/test/foo", (_req, res) => {
+      res.send("Test Foo Page!");
+    });
+
+    app.get("//test", (_req, res) => {
+      res.send("double slash test Page!");
+    });
+
+    app.get("///test/crazy//slasher", (_req, res) => {
+      res.send("crazy slasher");
+    });
+
+    server = app.listen(port);
+  });
+
+  const get = async (url) => {
+    return await (await fetch(`http://localhost:${port}${url}`)).text();
+  };
+
+  it("establish what the correct behavior is", async () => {
+    expect(await get("")).toBe("Hello World!");
+    expect(await get("/test")).toBe("Test Page!");
+    expect(await get("//test")).toBe("double slash test Page!");
+    expect(await get("/test/foo")).toContain("Test Foo Page!");
+    expect(await get("/test//foo")).toContain("Cannot GET /test//foo");
+    expect(await get("///test/crazy//slasher")).toBe("crazy slasher");
+  });
+
+  let proxy, httpServer;
+  let proxyPort;
+  it("create a proxy server", async () => {
+    proxy = createServer();
+    proxy.on("error", (err, _req, res) => {
+      console.error("Proxy error:", err);
+      res.end("Something went wrong.");
+    });
+    httpServer = http.createServer((req, res) => {
+      const target = `http://localhost:${port}`;
+      proxy.web(req, res, { target });
+    });
+
+    proxyPort = await getPort();
+    httpServer.listen(proxyPort);
+  });
+
+  const getProxy = async (url) => {
+    return await (await fetch(`http://localhost:${proxyPort}${url}`)).text();
+  };
+
+  it("get using the proxy instead -- the behavior is identical to directly using the server", async () => {
+    expect(await getProxy("")).toBe("Hello World!");
+    expect(await getProxy("/test")).toBe("Test Page!");
+    expect(await getProxy("//test")).toBe("double slash test Page!");
+    expect(await getProxy("/test/foo")).toContain("Test Foo Page!");
+    expect(await getProxy("/test//foo")).toContain("Cannot GET /test//foo");
+    expect(await getProxy("///test/crazy//slasher")).toBe("crazy slasher");
+  });
+
+  it("clean up", () => {
+    server.close();
+    httpServer.close();
+  });
+});

package.json

@@ -1,6 +1,6 @@
 {
   "name": "http-proxy-3",
-  "version": "1.20.5",
+  "version": "1.20.6",
   "repository": {
     "type": "git",
     "url": "https://github.com/sagemathinc/http-proxy-3.git"
@@ -13,7 +13,11 @@
     "jcrugzz <jcrugzz@gmail.com>"
   ],
   "main": "dist/lib/index.js",
-  "files": ["dist/lib/http-proxy", "dist/lib/index.js", "dist/lib/index.d.ts"],
+  "files": [
+    "dist/lib/http-proxy",
+    "dist/lib/index.js",
+    "dist/lib/index.d.ts"
+  ],
   "dependencies": {
     "debug": "^4.4.0",
     "follow-redirects": "^1.15.9"
@@ -32,6 +36,7 @@
     "connect": "^3.7.0",
     "eventsource": "^3.0.7",
     "expect.js": "~0.3.1",
+    "express": "^5.1.0",
     "get-port": "^7.1.0",
     "https-proxy-agent": "^7.0.6",
     "jest": "^29.7.0",