Incomplete Regular Expression for Hostnames: Unescaped Dot Character #1600
Comments
URL validation - We have a requirement for validating URLs (5.1.5), so from the opened issue's point of view, URL validation is just done incorrectly and the problem is covered. Regex - If you don't escape data for regex, it's a general problem (not host validation specific). I think this is something we should have but without context limitation (like hostname validation). Like in PHP, use the function preg_quote when building regular expressions dynamically. Probably we can combine it with another issue: #1562
Thank you for your response. I believe #1562 is fundamentally different. In order to remove the context limitation we can have this check:
But why put the dot in a special spotlight? It may take attention away from the others or give the impression that the dot is the only, or at least the most important, symbol. You need to escape all of them:
We can write it more generically like this; the reason that I considered a special place for the dot is that I have seen that issue in many clients and an attacker could easily bypass their filters. "Verify that the application properly escapes special characters in regular expressions for various input validation tasks"
Probably we can fine-tune it more, but it's good input and for me a good requirement to have in ASVS :)
Thank you for your feedback! I'm glad that you find the proposed ASVS check valuable. Your input and suggestions have been instrumental in refining the requirement.
@ImanSharaf what do you think about:
Is it written somewhere that slash is the only escape character and it's not up to the configuration?
Pretty sure slash is the only option:
For category, it waits for: #1643
@elarlang are you ok for me to create a PR based on:
I would currently put this in 5.2 "Sanitization and Sandboxing", but we can use that other issue #1643 to consider future categorization.
yes
Opened #1699
There is a vulnerability in some applications where the dot character is not properly escaped in regular expressions designed to validate hostnames. This oversight can lead to bypassing security checks, such as those for preventing attacks like request forgeries and malicious redirections. Incomplete checks may also cause undesirable behaviors when they accidentally succeed.
If an attacker successfully exploits this vulnerability, they may perform unauthorized actions like forging requests or redirecting users to malicious websites. This can lead to a range of security issues, including data breaches, compromised application functionality, and exposing users to additional risks.
Suggested ASVS check:
Verify that the application properly escapes special characters, such as the dot character, in regular expressions used for hostname validation to prevent security threats like request forgeries and malicious redirections.
Sample vulnerable code:
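The issue's own sample code was not preserved on this page. The following is an added example (not code from the issue or from ASVS) that shows the bug described above: a hostname allow-list regex with unescaped dots beside the same check built with re.escape(), plus a small review helper that flags pattern sources containing an unescaped dot. The hostname api.example.com and the look-alike inputs are constructed sample values.

```python
import re

# Allow-listed hostname; a constructed sample value, not from the issue.
ALLOWED_HOST = "api.example.com"

# Vulnerable pattern: the dots are unescaped, so each "." matches ANY single
# character, which lets look-alike hosts such as "apiXexample.com" pass.
VULNERABLE_PATTERN = re.compile(r"^api.example.com$")


def host_pattern(allowed_host: str) -> "re.Pattern[str]":
    """Build an anchored pattern from a literal hostname, escaping every
    regex metacharacter (the dot included) with re.escape()."""
    return re.compile("^" + re.escape(allowed_host) + "$")


FIXED_PATTERN = host_pattern(ALLOWED_HOST)


def is_allowed_vulnerable(host: str) -> bool:
    return VULNERABLE_PATTERN.fullmatch(host) is not None


def is_allowed_fixed(host: str) -> bool:
    return FIXED_PATTERN.fullmatch(host) is not None


def has_unescaped_dot(pattern: str) -> bool:
    """Review helper: True if the pattern source contains a "." that is neither
    backslash-escaped nor inside a [...] character class. Useful for flagging
    hostname regexes like VULNERABLE_PATTERN during code review."""
    escaped = False
    in_class = False
    for ch in pattern:
        if escaped:
            escaped = False          # this character was escaped, skip it
        elif ch == "\\":
            escaped = True
        elif in_class:
            in_class = ch != "]"     # inside [...] a dot is literal
        elif ch == "[":
            in_class = True
        elif ch == ".":
            return True
    return False


if __name__ == "__main__":
    # Constructed samples: the real host and two look-alikes an attacker could register.
    for host in ("api.example.com", "apiXexample.com", "api-example-com"):
        print(f"{host:18} vulnerable={is_allowed_vulnerable(host)} fixed={is_allowed_fixed(host)}")
    print("vulnerable pattern flagged:", has_unescaped_dot(VULNERABLE_PATTERN.pattern))
    print("fixed pattern flagged:", has_unescaped_dot(FIXED_PATTERN.pattern))
```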