fix(parse): more backslash galore #410
issue reported privately by @ready-research via https://huntr.dev/
rodneyrehm committed Jul 11, 2021
1 parent 622db6d commit ac43ca8
Showing 2 changed files with 346 additions and 0 deletions.
3 changes: 3 additions & 0 deletions src/URI.js
Expand Up @@ -512,6 +512,9 @@
string = string.substring(0, pos);
}

// slashes and backslashes have lost all meaning for the web protocols (https, http, wss, ws)
string = string.replace(/^(https?|ftp|wss?)?:[/\\]*/, '$1://');

// extract protocol
if (string.substring(0, 2) === '//') {
// relative-scheme
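Review bot: The normalising pattern in `string = string.replace(/^(https?|ftp|wss?)?:[/\\]*/, '$1://');` is case-sensitive, so a scheme written as `HTTPS:` or `Https:` is not matched and its slash/backslash run is left untouched, although URI schemes are case-insensitive. Code that relies on this parser to decide which host a URL points at would then disagree with a browser for such input; adding the `i` flag closes the gap: `string = string.replace(/^(https?|ftp|wss?)?:[/\\]*/i, '$1://');`. The scheme group is also optional, so input beginning with a bare `:` is rewritten to `://…`; whether that is intended cannot be told from here, because the enclosing parse function starts and ends outside the hunk. The comment lists https, http, wss and ws while the pattern also covers ftp, so the comment should name it too.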
343 changes: 343 additions & 0 deletions test/urls.js
Expand Up @@ -2131,6 +2131,349 @@ var urls = [{
idn: false,
punycode: false
}
}, {
name: 'backslashes protocol excessive',
url: 'https:/\/\/\attacker.com',
_url: 'https://attacker.com/',
parts: {
protocol: 'https',
username: null,
password: null,
hostname: 'attacker.com',
port: null,
path: '/',
query: null,
fragment: null
},
accessors: {
protocol: 'https',
username: '',
password: '',
port: '',
path: '/',
query: '',
fragment: '',
resource: '/',
authority: 'attacker.com',
origin: 'https://attacker.com',
userinfo: '',
subdomain: '',
domain: 'attacker.com',
tld: 'com',
directory: '/',
filename: '',
suffix: '',
hash: '',
search: '',
host: 'attacker.com',
hostname: 'attacker.com'
},
is: {
urn: false,
url: true,
relative: false,
name: true,
sld: false,
ip: false,
ip4: false,
ip6: false,
idn: false,
punycode: false
}
}, {
name: 'no slash protocol https',
url: 'https:attacker.com',
_url: 'https://attacker.com/',
parts: {
protocol: 'https',
username: null,
password: null,
hostname: 'attacker.com',
port: null,
path: '/',
query: null,
fragment: null
},
accessors: {
protocol: 'https',
username: '',
password: '',
port: '',
path: '/',
query: '',
fragment: '',
resource: '/',
authority: 'attacker.com',
origin: 'https://attacker.com',
userinfo: '',
subdomain: '',
domain: 'attacker.com',
tld: 'com',
directory: '/',
filename: '',
suffix: '',
hash: '',
search: '',
host: 'attacker.com',
hostname: 'attacker.com'
},
is: {
urn: false,
url: true,
relative: false,
name: true,
sld: false,
ip: false,
ip4: false,
ip6: false,
idn: false,
punycode: false
}
}, {
name: 'single slash protocol https',
url: 'https:/attacker.com',
_url: 'https://attacker.com/',
parts: {
protocol: 'https',
username: null,
password: null,
hostname: 'attacker.com',
port: null,
path: '/',
query: null,
fragment: null
},
accessors: {
protocol: 'https',
username: '',
password: '',
port: '',
path: '/',
query: '',
fragment: '',
resource: '/',
authority: 'attacker.com',
origin: 'https://attacker.com',
userinfo: '',
subdomain: '',
domain: 'attacker.com',
tld: 'com',
directory: '/',
filename: '',
suffix: '',
hash: '',
search: '',
host: 'attacker.com',
hostname: 'attacker.com'
},
is: {
urn: false,
url: true,
relative: false,
name: true,
sld: false,
ip: false,
ip4: false,
ip6: false,
idn: false,
punycode: false
}
}, {
name: 'excessive slash protocol https',
url: 'https://////attacker.com',
_url: 'https://attacker.com/',
parts: {
protocol: 'https',
username: null,
password: null,
hostname: 'attacker.com',
port: null,
path: '/',
query: null,
fragment: null
},
accessors: {
protocol: 'https',
username: '',
password: '',
port: '',
path: '/',
query: '',
fragment: '',
resource: '/',
authority: 'attacker.com',
origin: 'https://attacker.com',
userinfo: '',
subdomain: '',
domain: 'attacker.com',
tld: 'com',
directory: '/',
filename: '',
suffix: '',
hash: '',
search: '',
host: 'attacker.com',
hostname: 'attacker.com'
},
is: {
urn: false,
url: true,
relative: false,
name: true,
sld: false,
ip: false,
ip4: false,
ip6: false,
idn: false,
punycode: false
}
}, {
name: 'no slash protocol ftp',
url: 'ftp:attacker.com',
_url: 'ftp://attacker.com/',
parts: {
protocol: 'ftp',
username: null,
password: null,
hostname: 'attacker.com',
port: null,
path: '/',
query: null,
fragment: null
},
accessors: {
protocol: 'ftp',
username: '',
password: '',
port: '',
path: '/',
query: '',
fragment: '',
resource: '/',
authority: 'attacker.com',
origin: 'ftp://attacker.com',
userinfo: '',
subdomain: '',
domain: 'attacker.com',
tld: 'com',
directory: '/',
filename: '',
suffix: '',
hash: '',
search: '',
host: 'attacker.com',
hostname: 'attacker.com'
},
is: {
urn: false,
url: true,
relative: false,
name: true,
sld: false,
ip: false,
ip4: false,
ip6: false,
idn: false,
punycode: false
}
}, {
name: 'single slash protocol ftp',
url: 'ftp:/attacker.com',
_url: 'ftp://attacker.com/',
parts: {
protocol: 'ftp',
username: null,
password: null,
hostname: 'attacker.com',
port: null,
path: '/',
query: null,
fragment: null
},
accessors: {
protocol: 'ftp',
username: '',
password: '',
port: '',
path: '/',
query: '',
fragment: '',
resource: '/',
authority: 'attacker.com',
origin: 'ftp://attacker.com',
userinfo: '',
subdomain: '',
domain: 'attacker.com',
tld: 'com',
directory: '/',
filename: '',
suffix: '',
hash: '',
search: '',
host: 'attacker.com',
hostname: 'attacker.com'
},
is: {
urn: false,
url: true,
relative: false,
name: true,
sld: false,
ip: false,
ip4: false,
ip6: false,
idn: false,
punycode: false
}
}, {
name: 'excessive slash protocol ftp',
url: 'ftp://////attacker.com',
_url: 'ftp://attacker.com/',
parts: {
protocol: 'ftp',
username: null,
password: null,
hostname: 'attacker.com',
port: null,
path: '/',
query: null,
fragment: null
},
accessors: {
protocol: 'ftp',
username: '',
password: '',
port: '',
path: '/',
query: '',
fragment: '',
resource: '/',
authority: 'attacker.com',
origin: 'ftp://attacker.com',
userinfo: '',
subdomain: '',
domain: 'attacker.com',
tld: 'com',
directory: '/',
filename: '',
suffix: '',
hash: '',
search: '',
host: 'attacker.com',
hostname: 'attacker.com'
},
is: {
urn: false,
url: true,
relative: false,
name: true,
sld: false,
ip: false,
ip4: false,
ip6: false,
idn: false,
punycode: false
}
}, {
name: '__proto__ in query',
url: 'http://www.example.org/?__proto__=hasOwnProperty&__proto__=eviltwin&uuid',
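Review bot: The fixture named 'backslashes protocol excessive' contains no backslashes at runtime as it is written here. In a single-quoted JavaScript string `\/` evaluates to `/` and `\a` to `a`, so `'https:/\/\/\attacker.com'` is the string `https:///attacker.com` and the case only repeats the excessive-slash one. Escaping each backslash makes it exercise the `\\` alternative of the new pattern: `url: 'https:/\\/\\/\\attacker.com',`. The added cases also cover only lowercase `https` and `ftp`; there is none for `http`, `ws`, `wss` or a mixed-case scheme. The `urls` array starts and ends outside this hunk.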
