Are you sure this is fully fixed? In restify 8.4.0 (latest), if I modify lib/router.js to revert the fix in commit a015067 (by passing req.url instead of pathname to ResourceNotFoundError), then supply the proof of concept URL above, I get back:
{"code":"ResourceNotFound","message":"/notfound?a=b&c=d%22%3E%3Cscript%3Ealert(73541);%3C/script%3E does not exist"}
Ostensibly, "some browsers will execute" this, although mine (FF 68.0.1) does not.
With the fix applied, the same URL produces:
{"code":"ResourceNotFound","message":"/notfound does not exist"}
But also with the fix, if I merely replace "?" with "/" in the POC URL, I get back:
{"code":"ResourceNotFound","message":"/notfound/a=b&c=d%22%3E%3Cscript%3Ealert(73541);%3C/script%3E does not exist"}
To me, this looks functionally identical to the original, supposedly dangerous response. Could it really be the case that the "some browsers" that will execute the JS in original response will not execute the code in that last response?
Or, said another way: the original fix seems to presume that the "pathname" portion of the URL is safer than the "query" portion, but I don't think that is true. I suspect that either there never was a real bug to begin with, or the purported fix is inadequate.
I tested my restify server with this:
https://localhost:3000/no5_such3_file7.pl?%22%3E%3Cscript%3Ealert(73541);%3C/script%3E
The returned data contains "<script>alert(73541);</script>" which some browsers will execute.
Simple solution is to change the ResourceNotFoundError at the end of the Router.prototype.find to something like this:
callback(new ResourceNotFoundError('%s does not exist', url.parse(req.url).pathname));