From 69db69b1b5c427d0688297e7b22b6ff99829508b Mon Sep 17 00:00:00 2001
From: Michael Hoffmann
Date: Mon, 9 Mar 2026 16:08:40 +0100
Subject: [PATCH] fix: Prevent open redirect via double-slash path normalization

Hono does not normalize double slashes in URL paths, so a request to /skills//evil.com produces a redirect to //evil.com, which browsers interpret as a protocol-relative URL. Use Hono's getPath constructor option to collapse consecutive slashes at the router level.

Co-Authored-By: Claude
Agent transcript: https://claudescope.sentry.dev/share/oruk15TIx-T3VD9E9APAKG1YnmXoIPJLuv3w7-34jj4
---
 src/index.ts | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/index.ts b/src/index.ts
index 784658e..8b6372b 100644
--- a/src/index.ts
+++ b/src/index.ts
@@ -2,6 +2,7 @@ import { Hono } from "hono";
 import type { Context } from "hono";
 import { serve } from "@hono/node-server";
 import { trimTrailingSlash } from "hono/trailing-slash";
+import { getPath } from "hono/utils/url";
 import type { ContentfulStatusCode } from "hono/utils/http-status";
 
 const BASE = "https://raw.githubusercontent.com/getsentry/sentry-for-ai/refs/heads/main";
@@ -41,7 +42,11 @@ async function proxyText(c: Context, url: string): Promise {
 }
 
 // App
-const app = new Hono();
+// Hono does not normalize double slashes in paths (https://github.com/honojs/hono/issues/3034),
+// which can lead to open redirects via protocol-relative URLs (e.g. //evil.com).
+const app = new Hono({
+ getPath: (request) => getPath(request).replace(/\/+/g, "/"),
+});
 app.use(trimTrailingSlash({ alwaysRedirect: true }));
 
 app.get("/", (c) => proxyText(c, `${BASE}/SKILL_TREE.md`));
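Review bot: The normalization in `getPath: (request) => getPath(request).replace(/\/+/g, "/")` collapses only forward slashes, while browser URL parsers also treat a backslash as a path separator when resolving a `Location` value, so a path beginning with a slash followed by a backslash would pass this filter and could still be resolved as protocol-relative after the trailing-slash redirect (only if Hono's path decoding yields a literal backslash, which cannot be confirmed from this hunk). Since backslashes carry no meaning in the GitHub raw paths this service proxies, hardening the same line to `getPath: (request) => getPath(request).replace(/[\\/]+/g, "/"),` closes that gap at no cost. The redirect itself is presumably issued by `trimTrailingSlash({ alwaysRedirect: true })`, whose implementation is outside the hunk, so it is worth confirming that it builds `Location` from the normalized `c.req.path` rather than the raw request URL, ideally with a regression test asserting that the `Location` header for a double-slash request starts with exactly one `/`. The added comment could also state the scope of the option, e.g. `// Applied before routing, so route matching and c.req.path both see the collapsed path.`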