Query injection possible in urlRedirects handler

[chrisvltn]

What is the location of your example repository?

No response

Which package or tool is having this issue?

Hydrogen

What version of that package or tool are you using?

2024.7.2

What version of Remix are you using?

2.10.1

Steps to Reproduce

1. Go to a Hydrogen website with URL redirects setup (many stores in the Showcase will have this issue)
2. Go to /a*

Expected Behavior

You see 404 page if no route nor redirect for a* is setup

Actual Behavior

You are redirected to the first redirection that starts with a

---

This happens because we concatenate the URL path to the query here:

hydrogen/packages/hydrogen/src/routing/redirect.ts

Line 64 in 0c1e511

variables: {query: 'path:' + redirectFrom.replace(/\/+$/, '')},

This allows the user to manipulate the Shopify query syntax to query for any other redirect.

A solution for this is to use the Phrase query and wrap the path in double quotes (")

-       variables: {query: 'path:' + redirectFrom.replace(/\/+$/, '')},
+       variables: {query: 'path:"' + redirectFrom.replace(/\/+$/, '') + '"'},