fix: whitelist safe characters in trailing-slash rewrite to prevent open redirect

nginx.conf

@@ -36,10 +36,11 @@ server {
 
     # remove trailing slashes from all URLs (except root /)
     # exact match locations (e.g., location = /sdk/js/) take priority over this regex
-    # [^\\\\] excludes backslashes to prevent open redirect: nginx decodes %5C to \ in $uri,
-    # and \ in the Location header gets normalized to / by browsers, turning /\evil.com
-    # into the protocol-relative URL //evil.com which redirects to evil.com.
-    location ~ ^([^\\\\]+)/$ {
+    # Only match URIs composed of safe characters (letters, digits, dots, hyphens,
+    # underscores, forward slashes). This prevents open redirect via %5C (backslash):
+    # nginx decodes %5C to \ in $uri, and \ in the Location header gets normalized
+    # to / by browsers, turning /\evil.com into //evil.com (protocol-relative URL).
+    location ~ ^(/[a-zA-Z0-9][a-zA-Z0-9_./-]*)/$ {
         rewrite ^(.+)/$ $1$is_args$args? redirect;
     }