stop gap for open redirect (#22839)

Author: rachmari

lib/patterns.js

@@ -28,7 +28,7 @@ export const hasLiquid = /[{{][{%]/
 export const dataReference = /{% ?data\s(?:early-access\.)?(?:reusables|variables|ui)\..*?%}/gm
 export const imagePath = /\/?assets\/images\/.*?\.(png|svg|gif|pdf|ico|jpg|jpeg)/gi
 export const homepagePath = /^\/\w{2}$/ // /en, /ja /cn
-export const multipleSlashes = /^\/{2,}/
+export const multipleSlashes = /^(\/|\\){2,}/
 export const assetPaths = /\/(?:javascripts|stylesheets|assets|node_modules|dist|_next)\//
 export const oldApiPath = /\/v[34]\/(?!guides|overview).+?\/.+/
 export const staticRedirect = /<link rel="canonical" href="(.+?)">/

tests/routing/middleware/redirects/help-to-docs.js

@@ -83,4 +83,19 @@ describe('help.github.com redirect middleware', () => {
       `<p>Moved Permanently. Redirecting to <a href="${expectedRedirect}">${expectedRedirect}</a></p>`
     )
   })
+
+  it('only redirects to a docs.github.com path backlash edition', async () => {
+    const req = {
+      hostname: 'help.github.com',
+      protocol: 'https',
+      originalUrl: '/\\evil.com',
+    }
+    const res = new MockExpressResponse()
+    const next = jest.fn()
+    await middleware(req, res, next)
+    const expectedRedirect = 'https://docs.github.com/evil.com'
+    expect(res._getString()).toEqual(
+      `<p>Moved Permanently. Redirecting to <a href="${expectedRedirect}">${expectedRedirect}</a></p>`
+    )
+  })
 })