Open Redirect in ionicabizau/parse-url
Reported on
Mar 9th 2022
Description
parse-url mishandles a URL such as https://google.com::/test: when two or more colons appear in the port position, the port is not separated out and the colons are absorbed into the hostname (the `resource` field becomes `google.com::`), whereas Node's legacy url.parse() keeps the hostname as `google.com` and pushes the extra colon into the path.
- node - url.parse()
❯ node -e 'console.log(require("url").parse("https://google.com::/test"))'
Url {
protocol: 'https:',
slashes: true,
auth: null,
host: 'google.com',
port: null,
hostname: 'google.com',
hash: null,
search: null,
query: null,
pathname: '/:/test',
path: '/:/test',
href: 'https://google.com/:/test'
}
Proof of Concept
❯ node -e 'const parseUrl = require("parse-url"); console.log(parseUrl("https://google.com::/test"))'
{
protocols: [ 'https' ],
protocol: 'https',
port: null,
resource: 'google.com::',
user: '',
pathname: '/test',
hash: '',
search: '',
href: 'https://google.com::/test',
query: [Object: null prototype] {}
}
Hi Pocas! Without a clearly defined impact, it's unclear if this is a security issue or just a bug.
Adjusting the severity in the meantime...
I did this with Open Redirect for one reason. Hunter cannot report with the same CWE. Can you change it to CWE-20 and change the severity back to normal? You know?
Is it the Andromeda version of not being able to report with the same CWE in the first place? Or Mars?
Hi Pocas, I can adjust the CWE if you'd like, but as mentioned, the issue here is that the report is not demonstrating a clear security impact, and currently just demonstrates a parsing bug/non-compliance with the spec.
The maintainer has advised on other reports that issues like this (where there is not a clearly demonstrated security impact) should be shared on GitHub Issues.
You can remove the bounty at will, so why didn't you modify url-parse in February? I'm just curious. And I'm not going to get involved with this parser any more. Thanks.