Right now we're responding with 404 on things like:

```shell
curl --location --request PUT 'http://localhost:5681//meshes/new5'
```

We should collapse the `//` and respond accordingly.
RFC 3986 defines the syntax for Uniform Resource Identifiers (URIs) but does not explicitly state that multiple consecutive slashes in paths should be treated as a single slash. Here's how RFC 3986 addresses this topic:
Path Syntax: Section 3.3 of RFC 3986 defines the path component of a URI and permits consecutive slashes:
```abnf
path          = path-abempty    ; begins with "/" or is empty
              / path-absolute   ; begins with "/" but not "//"
              / path-noscheme   ; begins with a non-colon segment
              / path-rootless   ; begins with a segment
              / path-empty      ; zero characters

path-abempty  = *( "/" segment )
path-absolute = "/" [ segment-nz *( "/" segment ) ]
```
This explicitly allows for multiple slashes in the path (e.g., /foo//bar) without stating that they must be treated as equivalent to a single slash.
But it seems to be a common implementation:
The behavior of collapsing multiple consecutive slashes into a single slash in URLs is commonly implemented in web servers like Apache and Nginx. This process, known as path normalization, ensures consistent and secure handling of URL paths.
Apache HTTP Server:
In Apache HTTP Server version 2.4.49, a function called ap_normalize_path was introduced to handle path normalization. This function processes incoming URL paths to remove unnecessary components, such as multiple slashes, ensuring a standardized format. However, it's important to note that improper implementation of this function led to vulnerabilities like CVE-2021-41773, highlighting the critical role of path normalization in security.
Nginx:
Nginx also performs path normalization to manage URL paths effectively. By default, Nginx normalizes URIs, which includes collapsing multiple consecutive slashes into a single slash. This behavior ensures that URLs are processed in a consistent manner, enhancing both security and performance. For instance, in proxy configurations, Nginx normalizes the URI before passing it to the backend server, unless explicitly configured otherwise.
It's important to recognize that while both Apache and Nginx implement path normalization, the specifics can vary between versions and configurations. Administrators should be aware of these behaviors to ensure that URL handling aligns with their application's requirements and security policies.
triage: Could be interesting to support; however, it looks like our HTTP server doesn't do this. It's also the server that k8s uses; if it's a thing that exists on k8s too, we shouldn't bother fixing.
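The collapse the issue asks for, as an added example that is not part of the issue or of the project's own code: Go `net/http` middleware (function names are hypothetical) that rewrites runs of slashes once, ahead of routing and of any authorization check, with a small `httptest` harness showing that `PUT //meshes/new5` then reaches the `/meshes/` handler instead of missing it.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"strings"
)

// CollapseSlashes rewrites every run of consecutive "/" in p as a single "/".
// It deliberately leaves "." and ".." segments alone: it does only the
// normalization the issue asks for, not a path.Clean-style rewrite.
func CollapseSlashes(p string) string {
	var b strings.Builder
	b.Grow(len(p))
	prevSlash := false
	for i := 0; i < len(p); i++ {
		c := p[i]
		if c == '/' && prevSlash {
			continue
		}
		prevSlash = c == '/'
		b.WriteByte(c)
	}
	return b.String()
}

// NormalizePath (hypothetical name) is net/http middleware that canonicalizes
// the path once, before routing and before any authorization logic, so every
// later layer sees the same path. A path that one layer normalizes and another
// does not is the kind of mismatch that made CVE-2021-41773 exploitable.
func NormalizePath(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if strings.Contains(r.URL.Path, "//") {
			r = r.Clone(r.Context()) // never mutate the caller's request
			r.URL.Path = CollapseSlashes(r.URL.Path)
			r.URL.RawPath = "" // let net/url re-derive the escaped form
		}
		next.ServeHTTP(w, r)
	})
}

// StatusFor wires a hypothetical "/meshes/" route behind the middleware and
// returns the status code a PUT to rawPath receives. Without the middleware the
// default mux does not hand "//meshes/new5" to the handler at all.
func StatusFor(rawPath string) int {
	mux := http.NewServeMux()
	mux.HandleFunc("/meshes/", func(w http.ResponseWriter, r *http.Request) {
		w.WriteHeader(http.StatusCreated)
	})
	rec := httptest.NewRecorder()
	NormalizePath(mux).ServeHTTP(rec, httptest.NewRequest(http.MethodPut, rawPath, nil))
	return rec.Code
}
```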
https://www.hackthebox.com/blog/cve-2021-41773-explained
https://ecostack.dev/posts/nginx-rewrite-path-without-normalizing-uri-using-proxy-pass