Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[security] More backslash fixes #197

Merged
merged 1 commit into from
Feb 17, 2021
Merged

[security] More backslash fixes #197

merged 1 commit into from
Feb 17, 2021

Conversation

3rd-Eden
Copy link
Member

As per title, it seems that the previous security fix released in 1.4.5 only partially fixed the issue, with this adjustment to the regular expression we now have parity with the browser built-in URL parser as well. This change also exposed an issue where we didn't default pathnames to / when nothing was supplied in URL's.

That should now be resolved as well.

@3rd-Eden 3rd-Eden merged commit d1e7e88 into master Feb 17, 2021
@3rd-Eden 3rd-Eden deleted the even-less-backslash branch February 17, 2021 15:17
assume(parsed.hostname).equals('github.com');
assume(parsed.pathname).equals('/foo/bar');

url = 'https:/\/\/\github.com/foo/bar';
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

@3rd-Eden did you mean /\\/\\/\\ here? 3 characters are currently unnecessarily escaped.

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's just testing that literally any slash (forward/backward) or combination of both is allowed.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ok, then it should be url = 'https:/\\/\\/\\github.com/foo/bar'.

// to always have a /
//
if (url.pathname.charAt(0) !== '/' && url.hostname) {
url.pathname = '/' + url.pathname;

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This cause break change, see below demo code:

// assume this code exec in page http://cone-cf8b5c0e.app-dev.alipay.net/cone/strategy
const { pathname} = url('/cone/operate');

This PR cause pathname change from 'cone/operate' to '/cone/cone/operate'

debugger snapshot:
input:
image

output:
image

i don't know of pass '/cone/operate' is a valid argument, if no, i think throw error is a better way

Copy link
Member Author

@3rd-Eden 3rd-Eden Feb 18, 2021

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could you create an issue about this so we can track it? We do known issue with relative paths atm see #200 so it might be related to this bug.

@abergmann
Copy link

CVE-2021-27515 was assigned to this PR.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants