Open Redirect in ionicabizau/git-up

Valid

Reported on

Jul 10th 2021


✍️ Description

git-up improperly handles the user input such as https:/\ and interprets it as a relative path. Backslashes after the protocol are accepted by browsers and treated as normal slashes, but git-up reads them as the relative path, which could lead to SSRF, open redirects, or other unintended behavior.

🕵️‍♂️ Proof of Concept

// POC.js

var gitUp = require("git-up");

console.log(gitUp("https:/\github.com/IonicaBizau/node-parse-url.git"));

As I tested it on runkit where you can see it in action where you will see the current output:

protocol: "ssh"
port: null
resource: "https"
user: ""
pathname: "/github.com/IonicaBizau/node-parse-url.git"
hash: ""
search: ""
href: "https:/github.com/IonicaBizau/node-parse-url.git"

As you can see it interpreted the whole URL after \ as a relative path.

💥 Impact

based on the application, usage bypasses for SSRF, open redirection, and other unintended behavior

Similar CVE reports

CVE-2021-27515, CVE-2021-27516, huntr.dev report

We have contacted a member of the ionicabizau/git-up team and are waiting to hear back a year ago
x3rz modified the report
a year ago
x3rz modified the report
a year ago
x3rz
a year ago

Researcher


any updates?

Ionică Bizău (Johnny B.) validated this vulnerability a year ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ionică
a year ago

Maintainer


Thank you for reporting this. A fix is welcome indeed!

Ionică Bizău (Johnny B.) confirmed that a fix has been merged on 86bd68 2 months ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
to join this conversation