Merge commit from fork

GHSA-vrw8-fxc6-2r93

Advisory reported by Anuraag Baishya, @anuraagbaishya. Thank you!

Author: VojtechVitek

middleware/strip.go

@@ -3,6 +3,7 @@ package middleware
 import (
 	"fmt"
 	"net/http"
+	"strings"
 
 	"github.com/go-chi/chi/v5"
 )
@@ -47,13 +48,12 @@ func RedirectSlashes(next http.Handler) http.Handler {
 			path = r.URL.Path
 		}
 		if len(path) > 1 && path[len(path)-1] == '/' {
+			// Trim all leading and trailing slashes (e.g., "//evil.com", "/some/path//")
+			path = "/" + strings.Trim(path, "/")
 			if r.URL.RawQuery != "" {
-				path = fmt.Sprintf("%s?%s", path[:len(path)-1], r.URL.RawQuery)
-			} else {
-				path = path[:len(path)-1]
+				path = fmt.Sprintf("%s?%s", path, r.URL.RawQuery)
 			}
-			redirectURL := fmt.Sprintf("//%s%s", r.Host, path)
-			http.Redirect(w, r, redirectURL, 301)
+			http.Redirect(w, r, path, 301)
 			return
 		}
 		next.ServeHTTP(w, r)

middleware/strip_test.go

@@ -4,7 +4,6 @@ import (
 	"net/http"
 	"net/http/httptest"
 	"net/url"
-	"strings"
 	"testing"
 
 	"github.com/go-chi/chi/v5"
@@ -154,7 +153,7 @@ func TestRedirectSlashes(t *testing.T) {
 			t.Fatal(body, resp.StatusCode)
 		}
 		location := resp.Header.Get("Location")
-		if !strings.HasPrefix(location, "//") || !strings.HasSuffix(location, "/accounts/someuser") {
+		if location != "/accounts/someuser" {
 			t.Fatalf("invalid redirection, should be /accounts/someuser")
 		}
 	}
@@ -166,7 +165,7 @@ func TestRedirectSlashes(t *testing.T) {
 			t.Fatal(body, resp.StatusCode)
 		}
 		location := resp.Header.Get("Location")
-		if !strings.HasPrefix(location, "//") || !strings.HasSuffix(location, "/accounts/someuser?a=1&b=2") {
+		if location != "/accounts/someuser?a=1&b=2" {
 			t.Fatalf("invalid redirection, should be /accounts/someuser?a=1&b=2")
 		}
 	}