Open Redirect in digitalbazaar/forge

Valid

Reported on

Sep 4th 2021


✍️ Description

parseUrl functionality in node-forge mishandles certain uses of backslash such as https:/\/\/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol, and treat it as a normal slash, while node-forge sees it as a relative path and leads to URL Redirection to Untrusted Site.

🕵️‍♂️ Proof of Concept

Create the following PoC file:

// poc.js
var forge = require("node-forge");
var url = forge.util.parseUrl("https:/\/\/\www.github.com/foo/bar");
console.log(url);

Execute the following commands in another terminal:

npm i node-forge # Install affected module
node poc.js #  Run the PoC

Check the Output:

{
  full: 'https://',
  scheme: 'https',
  host: '',
  port: 443,
  path: '/www.github.com/foo/bar',                        <<<---- path  should be "/foo/bar"
  fullHost: ''
}

In the above example path should be "/foo/bar" or it should return it as null as per https://github.com/digitalbazaar/forge/blob/c666282c812d6dc18e97b419b152dd6ad98c802c/lib/util.js#L2266

💥 Impact

Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.

Occurences

We created a GitHub Issue asking the maintainers to create a SECURITY.md 5 months ago
We have contacted a member of the digitalbazaar/forge team and are waiting to hear back 5 months ago
digitalbazaar/forge maintainer
23 days ago

Maintainer


The whole forge.util.parseUrl API and other URL related APIs were removed in v1.0.0.

ready-research
23 days ago

Researcher


@maintainer Can you please validate this issue by clicking on Mark as valid. And confirm the fix. Thanks.

ready-research modified their report
23 days ago
digitalbazaar/forge maintainer validated this vulnerability 23 days ago
ready-research has been awarded the disclosure bounty
The fix bounty is now up for grabs
digitalbazaar/forge maintainer confirmed that a fix has been merged on db8016 23 days ago
The fix bounty has been dropped
util.js#L2270 has been validated