Protocol/Hostname spoofing via Improper Input Validation in medialize/uri.js

Valid

Reported on

Feb 27th 2022


Description

uri.js does not strip whitespace characters (including control characters such as `\b`) from the beginning of the protocol, so it does not parse such URLs properly: the entire string ends up in the path and no protocol or hostname is recognised. Several consumers, including http.get(), location.href, and fetch(), strip the whitespace in front of the protocol before sending the request, so the URL they actually request differs from what uri.js parsed.

Proof of Concept

const url = require('urijs');
// A leading backspace (\b, 0x08) before the scheme: uri.js leaves it in place and
// treats the whole string as a path instead of recognising the http protocol.
console.log(new url("\bhttp://google.com"));
// Same behaviour for a non-http scheme; browsers strip the leading control character.
// console.log(new url("\bjavascript:alert(1)"));

Output

URI {
  _string: '',
  _parts: {
    protocol: undefined,
    username: null,
    password: null,
    hostname: null,
    urn: null,
    port: null,
    path: '\bhttp://google.com',
    query: null,
    fragment: null,
    preventInvalidHostname: false,
    duplicateQueryParameters: false,
    escapeQuerySpace: true
  },
  _deferred_build: true
}

Mitigation

function remove_whitespace(url) {
  // Leading ASCII control characters and space (\x00-\x20) plus the Unicode
  // space characters (NBSP, ogham space, en/em spaces, line/paragraph separators,
  // narrow NBSP, medium mathematical space, ideographic space and BOM).
  const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
  url = url.replace(whitespace, '');
  return url;
}

Write and use a function that strips leading whitespace characters, as above, before passing the URL to uri.js.
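As an added example (not code from the report or from URI.js), the following uses Node's built-in WHATWG `URL` parser, which strips leading C0 controls and spaces the way browsers do, to show why a protocol or hostname check must run on the normalised string rather than the raw input. The function names, the allow-list and the sample inputs are constructed for this illustration.

```javascript
// Same character class as the report's mitigation: leading ASCII controls/space
// plus the Unicode space characters, which the WHATWG parser does NOT strip.
const LEADING_WS = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;

// A naive check on the raw string: fails to see the scheme when a control
// character precedes it, even though a browser would honour that scheme.
function naiveIsHttp(raw) {
  return /^https?:\/\//i.test(raw);
}

// What a WHATWG-compliant consumer (browser, fetch(), Node's URL) actually sees.
function whatwgProtocol(raw) {
  try {
    return new URL(raw).protocol;
  } catch {
    return null; // not parseable at all
  }
}

// Defensive validation: normalise first, then parse, then enforce an
// allow-list on the parsed protocol and hostname. Returns the canonical
// href on success, null on any rejection.
function safeHttpUrl(raw, allowedHosts) {
  const trimmed = raw.replace(LEADING_WS, '');
  let parsed;
  try {
    parsed = new URL(trimmed);
  } catch {
    return null;
  }
  if (parsed.protocol !== 'http:' && parsed.protocol !== 'https:') return null;
  if (!allowedHosts.includes(parsed.hostname)) return null;
  return parsed.href;
}

// Constructed sample inputs mirroring the report's proof of concept.
const samples = ['\bhttp://google.com', '\bjavascript:alert(1)', ' http://other.example'];
for (const s of samples) {
  console.log(JSON.stringify(s), naiveIsHttp(s), whatwgProtocol(s), safeHttpUrl(s, ['google.com']));
}
```

The first sample is the mismatch from the report: the prefix check says "not http", while the browser-style parser reports `http:` and will request google.com.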

We are processing your report and will contact the medialize/uri.js team within 24 hours. a year ago
Pocas modified the report
a year ago
Pocas modified the report
a year ago
We have contacted a member of the medialize/uri.js team and are waiting to hear back a year ago
We have sent a follow up to the medialize/uri.js team. We will try again in 7 days. a year ago
Rodney Rehm validated this vulnerability a year ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
Rodney Rehm marked this as fixed in 1.19.9 with commit 86d105 a year ago
The fix bounty has been dropped
This vulnerability will not receive a CVE
Rodney Rehm
a year ago

Maintainer


https://github.com/medialize/URI.js/releases/tag/v1.19.9 contains the fix, thanks for the report!
