New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Improving the urls
to not break protocols and adding tests
#3995
Improving the urls
to not break protocols and adding tests
#3995
Conversation
…he utils Signed-off-by: iifawzi <iifawzie@gmail.com>
This's my first contribution, I might not be aware of the folder structure decisions that was taken while ago, but I think it would make the code more organized if all the tests are under a separate directory, |
Signed-off-by: iifawzi <iifawzie@gmail.com>
Signed-off-by: iifawzi <iifawzie@gmail.com>
Javascript pseudo protocol does not require the // Co-authored-by: Tom Moor <tom.moor@gmail.com>
Signed-off-by: iifawzi <iifawzie@gmail.com>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Just a few code style nitpicks!
Co-authored-by: Apoorv Mishra <apoorvmishra101092@gmail.com>
Co-authored-by: Apoorv Mishra <apoorvmishra101092@gmail.com>
Signed-off-by: iifawzi <iifawzie@gmail.com>
Signed-off-by: iifawzi <iifawzie@gmail.com>
Signed-off-by: iifawzi <iifawzie@gmail.com>
@tommoor , I'm aware of a few possible XSS vulnerabilities here. In the file export function isUrl(text: string) {
if (text.match(/\n/)) {
return false;
}
try {
const url = new URL(text);
return url.hostname !== "";
} catch (err) {
return false;
}
} export function sanitizeUrl(url: string | null | undefined) {
if (!url) {
return undefined;
}
if (
(!isUrl(url) &&
!url.startsWith("/") &&
!url.startsWith("#") &&
!url.startsWith("mailto:")) ||
url.startsWith("javascript:") ||
url.startsWith("file:") ||
url.startsWith("vbscript:") ||
url.startsWith("data:")
) {
return `https://${url}`;
}
return url;
} An attacker can easily bypass the filter to generate a url containing the XSS attack payload. jAvascript://%0Aalert(origin)
SolutionUse filter by the URL protocol var blacklist_protocol = ['javascript:', 'file:', 'vbscript:', 'data:']
export function isUrl(text: string) {
if (text.match(/\n/)) {
return false;
}
try {
const url = new URL(text);
return url.hostname !== "" && !blacklist_protocol.includes(url.protocol);
} catch (err) {
return false;
}
} export function sanitizeUrl(url: string | null | undefined) {
if (!url) {
return undefined;
}
if (
(!isUrl(url) &&
!url.startsWith("/") &&
!url.startsWith("#") &&
!url.startsWith("mailto:"))
) {
return `https://${url}`;
}
return url;
} |
Nice catch @vn-ncvinh, it's way better this way. Anyway, if we want to stick with the startsWith way, we can lowercase the urls before checking them. |
If using lowercase, there is still a way to bypass it by using special characters. |
Ahh I see, thank you @vn-ncvinh for clarifying this, my bad. |
I don't think the validator module is doing anything too special, in fact it may also be vulnerable to the use of special characters as a bypass based on this… https://github.com/validatorjs/validator.js/blob/master/src/lib/isURL.js#L84 |
Isn't this fun 😆 |
I'm actually surprised why none of the third party validators leverage |
I don't know about that either. |
I think should add |
Not sure what you mean here? |
These will make it easier to the contact methods. It is similar to the
|
I'm thinking, maybe instead of having a blacklist, we should have |
Although this will be more restrictive it would make more sense to be implemented this way, and legitimate protocols can be added by the time, when people notice it, through the issues/PRs. instead of only sanitizing the forbidden protocols and forgetting some. |
whether to use blacklist or whitelist depends on each specific case. We will prioritize using what is supposed to be the minority, and here is the blacklist. Of the multitude of protocols available, only a few are considered dangerous, and it is easier to list them than to list the rest. |
I think the subsequences of forgetting any dangerous protocol are more dangerous than forgetting any allowed protocol, in the later case, people will notice them easily and will be added accordingly |
So far, only 4 protocols have been deemed dangerous, which can lead to xss. |
@iifawzi in the aim of maintainability let's keep going with the blocklist approach, I don't want to be fielding PR's for eternity for every desktop app possible. |
Signed-off-by: iifawzi <iifawzie@gmail.com>
…ting-dynamic-protocols-fixing-links
Signed-off-by: iifawzi <iifawzie@gmail.com>
inlining the protocols in the same file Co-authored-by: Tom Moor <tom.moor@gmail.com>
Signed-off-by: iifawzi <iifawzie@gmail.com>
Hi, This's my first contribution to this great project, and hopefully not the last one.
This PR should fix #3983
I've also added a bunch of tests, testing the urls utils.
Signed-off-by: iifawzi iifawzie@gmail.com