Normalize URL handling #796

timokoessler · 2025-10-30T15:16:44Z

We always want to use the full absolute URL including the host and different formats depending on the framework.
We also want to respect proxy headers if the proxy is trusted.

node:http Server ✅
node:http2 Server ✅
Express ✅
Hono ✅
Fastify ✅
Koa ✅
Hapi ✅
Restify ✅

We also need to add the path to the context!! ✅

Summary by Aikido

Security Issues: 0	🔍 Quality Issues: 13	Resolved Issues: 0

🚀 New Features

Added helper getRawRequestPath to extract path from raw URLs.

⚡ Enhancements

Normalized URL handling across frameworks and added urlPath field.
Replaced framework-specific URL assembly with centralized getRequestUrl usage.
Updated tests to expect absolute URLs and respect forwarded host.

🔧 Refactors

Added urlPath to SOURCES and propagated through Context and runtime.

^{More info}

codecov · 2025-10-31T16:15:51Z

Codecov Report

❌ Patch coverage is 94.64286% with 12 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
library/helpers/getRequestUrl.ts	96.29%	1 Missing and 2 partials ⚠️
library/helpers/getRequestUrlFromStream.ts	96.55%	0 Missing and 2 partials ⚠️
library/sources/hono/getRawRequest.ts	85.71%	0 Missing and 2 partials ⚠️
...ary/sources/http-server/http2/contextFromStream.ts	75.00%	2 Missing ⚠️
library/helpers/getRawRequestPath.ts	95.45%	1 Missing ⚠️
library/sources/hapi/contextFromRequest.ts	85.71%	1 Missing ⚠️
library/sources/http-server/contextFromRequest.ts	75.00%	1 Missing ⚠️

📢 Thoughts on this report? Let us know!

library/helpers/getRawRequestPath.ts

library/sources/hono/contextFromRequest.ts

library/sources/restify/contextFromRequest.ts

library/sources/koa/contextFromRequest.ts

library/sources/express/contextFromRequest.ts

library/sources/fastify/contextFromRequest.ts

library/sources/hapi/contextFromRequest.ts

library/sources/hono/getRemoteAddress.ts

library/helpers/getRequestUrl.ts

…url-handling * 'main' of github.com:AikidoSec/node-RASP: (403 commits) Add length check Format code Disable Prisma instrumentation if event-based logging is used Add failing test for Prisma usage with event logging enabled Add comments for source types Format code Add some more cases Add another test case Assume CJS by default for injection detection Fix Network.contains() bug Create a method on IPMatcher Reduce diff Simplify isPrivateIP Use atomic assignments Use IPMatcher.add() instead of constructor Use addIPv4MappedAddresses for imds and isPrivateIP Remove bracket format from comment Add some spacing Be more explicit Add some spacing ...

library/sources/Koa.tests.ts

library/sources/Express.tests.ts

The agent is re-used for all tests, so it sees the requests from other test cases.

This reverts commit 2a6e68f.

Error: Failed to build: [baseline-browser-mapping] The data in this module is over two months old. To ensure accurate Baseline data, please update: `npm i baseline-browser-mapping@latest -D`

timokoessler · 2026-01-29T14:09:41Z

@hansott your changes look good to me, thanks!

timokoessler added 6 commits October 30, 2025 16:12

Normalize URL handling

c8707fa

Add url path to context

97981a2

Path url behavior for more frameworks

a20a0e4

Fix build & linting

33fc41d

Merge branch 'main' into normalize-url-handling

510b748

Add tests and change behavior for some frameworks

d130d36

Support HTTP2 streams

e314675

timokoessler marked this pull request as ready for review October 31, 2025 16:41

aikido-pr-checks bot reviewed Oct 31, 2025

View reviewed changes

library/helpers/getRawRequestPath.ts Show resolved Hide resolved

timokoessler added 4 commits October 31, 2025 17:47

Fix Hono test

f048b54

Fix PR comments

cd03f1f

Fixes

43696e4

Improve test coverage

60c54e8