fix: do not follow redirect if scheme is not an HTTP(S) scheme

Author: jacob-ebey

.changeset/healthy-buckets-drum.md

@@ -0,0 +1,5 @@
+---
+"@remix-run/web-fetch": patch
+---
+
+If locationURL’s scheme is not an HTTP(S) scheme, then return a network error. https://fetch.spec.whatwg.org/#http-redirect-fetch

packages/fetch/src/fetch.js

@@ -180,6 +180,14 @@ async function fetch(url, options_ = {}) {
 							return;
 						}
 
+						// https://fetch.spec.whatwg.org/#http-redirect-fetch
+						// 6. If locationURL’s scheme is not an HTTP(S) scheme, then return a network error.
+						if (locationURL.protocol !== 'http:' && locationURL.protocol !== 'https:') {
+							reject(new FetchError('URL scheme must be a HTTP(S) scheme', 'bad-redirect-scheme'));
+							finalize();
+							return;
+						}
+
 						// HTTP-redirect fetch step 6 (counter increment)
 						// Create a new Request object.
 						const requestOptions = {

packages/fetch/test/main.js

@@ -461,6 +461,15 @@ describe("node-fetch", () => {
 		});
 	});
 
+	it("should not follow non HTTP(s) redirect", () => {
+		const url = `${base}redirect/301/file`;
+		const options = {
+		};
+		return expect(fetch(url, options))
+			.to.eventually.be.rejected.and.be.an.instanceOf(FetchError)
+			.and.have.property("type", "bad-redirect-scheme");
+	});
+
 	it("should allow not following redirect", () => {
 		const url = `${base}redirect/301`;
 		const options = {

packages/fetch/test/utils/server.js

@@ -235,6 +235,12 @@ export default class TestServer {
 			res.end();
 		}
 
+		if (p === '/redirect/301/file') {
+			res.statusCode = 301;
+			res.setHeader('Location', 'file://inspect');
+			res.end();
+		}
+
 		if (p === '/redirect/301/rn') {
 			res.statusCode = 301
 			res.setHeader('Location', '/403')