Protocol/Hostname spoofing via Improper Input Validation in medialize/uri.js

Valid

Reported on

Feb 27th 2022

Description

The uri.js doesn't remove whitespace characters from the beginning of the protocol, so it doesn't parse URLs properly. Several methods, including http.get(), location.href, and fetch(), strip the whitespace character in front of the protocol before sending the request.

Proof of Concept

const url = require('urijs');
console.log(new url("\bhttp://google.com"))
// console.log(new url("\bjavascript:alert(1)"))

output

URI {
  _string: '',
  _parts: {
    protocol: undefined,
    username: null,
    password: null,
    hostname: null,
    urn: null,
    port: null,
    path: '\bhttp://google.com',
    query: null,
    fragment: null,
    preventInvalidHostname: false,
    duplicateQueryParameters: false,
    escapeQuerySpace: true
  },
  _deferred_build: true
}

Mitigation

function remove_whitespace(url){
     const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
     url = url.replace(whitespace, '')
     return url
}

Write and use a function to remove white space characters as above.

We are processing your report and will contact the medialize/uri.js team within 24 hours. 2 years ago
Pocas modified the report
2 years ago
Pocas modified the report
2 years ago
We have contacted a member of the medialize/uri.js team and are waiting to hear back 2 years ago
We have sent a follow up to the medialize/uri.js team. We will try again in 7 days. 2 years ago
Rodney Rehm validated this vulnerability 2 years ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Rodney Rehm marked this as fixed in 1.19.9 with commit 86d105 2 years ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Rodney Rehm
2 years ago

Maintainer

https://github.com/medialize/URI.js/releases/tag/v1.19.9 contains the fix, thanks for the report!

to join this conversation