[mirotalksfu] - fix open redirect

app/src/Server.js

@@ -58,7 +58,7 @@ dev dependencies: {
  * @license For commercial or closed source, contact us at license.mirotalk@gmail.com or purchase directly via CodeCanyon
  * @license CodeCanyon: https://codecanyon.net/item/mirotalk-sfu-webrtc-realtime-video-conferences/40769970
  * @author  Miroslav Pejic - miroslav.pejic.85@gmail.com
- * @version 1.7.26
+ * @version 1.7.27
  *
  */
 
@@ -408,7 +408,7 @@ function startServer() {
 
     // Remove trailing slashes in url handle bad requests
     app.use((err, req, res, next) => {
-        if (err instanceof SyntaxError || err.status === 400 || 'body' in err) {
+        if (err && (err instanceof SyntaxError || err.status === 400 || 'body' in err)) {
             log.error('Request Error', {
                 header: req.headers,
                 body: req.body,
@@ -416,12 +416,19 @@ function startServer() {
             });
             return res.status(400).send({ status: 404, message: err.message }); // Bad request
         }
-        if (req.path.substr(-1) === '/' && req.path.length > 1) {
-            let query = req.url.slice(req.path.length);
-            res.redirect(301, req.path.slice(0, -1) + query);
-        } else {
-            next();
+
+        // Prevent open redirect attacks by checking if the path is an external domain
+        const cleanPath = req.path.replace(/^\/+/, '');
+        if (/^([a-zA-Z0-9-]+\.)+[a-zA-Z]{2,}/.test(cleanPath)) {
+            return res.status(400).send('Bad Request: Potential Open Redirect Detected');
         }
+
+        if (req.path.endsWith('/') && req.path.length > 1) {
+            let query = req.url.substring(req.path.length).replace(/\/$/, ''); // Ensure query params don't end in '/'
+            return res.redirect(301, req.path.slice(0, -1) + query);
+        }
+
+        next();
     });
 
     // OpenID Connect - Dynamically set baseURL based on incoming host and protocol