Open Redirect in ionicabizau/parse-url

Valid

Reported on Mar 9th 2022


Description

parse-url parses the URL https://google.com::/test such that, when two or more colons are inserted in the port part, the port is parsed as one hostname.

- node - url.parse()

❯ node -e 'console.log(require("url").parse("https://google.com::/test"))'
Url {
  protocol: 'https:',
  slashes: true,
  auth: null,
  host: 'google.com',
  port: null,
  hostname: 'google.com',
  hash: null,
  search: null,
  query: null,
  pathname: '/:/test',
  path: '/:/test',
  href: 'https://google.com/:/test'
}

Proof of Concept

❯ node -e 'const parseUrl = require("parse-url"); console.log(parseUrl("https://google.com::/test"))'
{
  protocols: [ 'https' ],
  protocol: 'https',
  port: null,
  resource: 'google.com::',
  user: '',
  pathname: '/test',
  hash: '',
  search: '',
  href: 'https://google.com::/test',
  query: [Object: null prototype] {}
}
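The point a defender takes from the two outputs above is that parsers disagree on what the host of https://google.com::/test is, so a host value handed back by a URL library should be validated before it is compared against a redirect allowlist. The following is an added example, not code from the report or from the parse-url project: it runs the input through Node's built-in WHATWG URL parser (which rejects a non-digit in the port position) and then applies a strict host[:port] grammar to the host field before allowlisting. The function names and the allowlist are hypothetical.

```javascript
// Added example (not from the report or parse-url): defensive host validation
// for a redirect allowlist, so that a host field like 'google.com::' (the
// `resource` value shown in the proof of concept) is rejected rather than
// treated as a hostname. Function names and sample inputs are constructed.

// Strict grammar for the authority's host[:port] part: DNS-style labels,
// optionally followed by a single ':' and a numeric port. Two colons, an
// empty port, or any character outside the label alphabet fail the match.
const HOST_PORT_RE =
  /^(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)(?:\.[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?)*(?::\d{1,5})?$/i;

// Validate the host[:port] string that any URL parser hands back. This is the
// check to apply to a library's "resource"/"host" field before trusting it.
function isValidHostPort(hostPort) {
  if (typeof hostPort !== 'string' || hostPort.length === 0 || hostPort.length > 259) return false;
  if (!HOST_PORT_RE.test(hostPort)) return false;
  const portIdx = hostPort.indexOf(':');
  if (portIdx !== -1) {
    const port = Number(hostPort.slice(portIdx + 1));
    if (port < 1 || port > 65535) return false;
  }
  return true;
}

// Parse with the WHATWG URL parser (Node's global URL). It throws on
// 'https://google.com::/test' because a non-digit in the port position is a
// port-invalid failure; return null instead of letting the exception escape.
function parseWhatwg(raw) {
  try {
    return new URL(raw);
  } catch (e) {
    return null;
  }
}

// Resolve a user-supplied redirect target against an allowlist of hostnames.
// Returns the normalized URL string if acceptable, otherwise null. Three
// layers must agree: the WHATWG parser accepts the input, the resulting host
// field passes the strict grammar, and the hostname is on the allowlist
// (compared as a whole, so 'google.com.evil.example' does not match
// 'google.com'). IPv6 literals are deliberately rejected by the grammar,
// since the allowlist holds DNS names only.
function safeRedirectTarget(raw, allowedHosts) {
  const url = parseWhatwg(raw);
  if (url === null) return null;
  if (url.protocol !== 'https:' && url.protocol !== 'http:') return null;
  if (!isValidHostPort(url.host)) return null;
  const hostname = url.hostname.toLowerCase();
  if (!allowedHosts.some((h) => h.toLowerCase() === hostname)) return null;
  return url.href;
}

// Constructed sample inputs, including the report's input string.
const SAMPLES = [
  'https://google.com::/test',
  'https://google.com/test',
  'https://google.com:8443/test',
  'https://google.com.evil.example/test',
  'javascript:alert(1)',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), '->', safeRedirectTarget(s, ['google.com']));
}
```

Applying `isValidHostPort` to the `resource` field a library returns is the cheap check that catches this class of discrepancy regardless of which parser is in use; the WHATWG parse is the second opinion that makes the redirect decision independent of parse-url's own host splitting.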
We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. 5 months ago
Pocas modified the report
5 months ago
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back 5 months ago
Pocas modified the report
5 months ago
Pocas modified the report
5 months ago
Ionică Bizău (Johnny B.) validated this vulnerability 5 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the ionicabizau/parse-url team. We will try again in 7 days. 5 months ago
Adam Nygate
5 months ago

Admin


Hi Pocas! Without a clearly defined impact, it's unclear if this is a security issue or just a bug.

Adjusting the severity in the meantime...

Pocas
5 months ago

Researcher


The inconsistency is very nice ^^ How do I leave huntr?

Pocas
5 months ago

Researcher


I did this as Open Redirect for one reason: huntr cannot report with the same CWE. Can you change it to CWE-20 and change the severity back to normal? You know?

Pocas
5 months ago

Researcher


Is it the Andromeda version of not being able to report with the same CWE in the first place? Or Mars?

Adam Nygate
5 months ago

Admin


Hi Pocas, I can adjust the CWE if you'd like, but as mentioned the issue here is that the report is not demonstrating a clear security impact, and currently just demonstrates a parsing bug/incompliance with spec.

The maintainer has advised on other reports, that issues like this (where there is not a clearly demonstrated security impact), should be shared on GitHub Issues.

Pocas
5 months ago

Researcher


You can remove the bounty at will, so why didn't you modify url-parse in February? I'm just curious. And I'm not going to get involved with this parser any more. Thanks.

We have sent a second fix follow up to the ionicabizau/parse-url team. We will try again in 10 days. 5 months ago
We have sent a third and final fix follow up to the ionicabizau/parse-url team. This report is now considered stale. 4 months ago
Ionică Bizău (Johnny B.) confirmed that a fix has been merged on 21c72a 2 months ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty