Security vulnerability in the latest version

[6en6ar]

Hey Tj Telan,

Is there a way for You to contact me regarding a security vulnerability I discovered, so I can report it to You privately, or if You can give me your contact.

Thank You

[tjtelan]

Hi @6en6ar, thanks for bringing a security vulnerability to my attention.

While I understand your initial request to discuss it privately, I encourage you to share the specifics openly within the issue. If you have any specific reasons for wanting to discuss privately, please let me know.

In order to address it effectively, it would be really helpful if you could provide more details directly in the GitHub issue. This way, we can have a clear understanding of the issue and work towards finding a solution together.

[6en6ar]

Hey. Thank You for responding.

The regex "^\S+(@)\S+(:).*$" on line 396. in lib.rs that searches for the file or ssh scheme inside an url is vulnerable to a Regex denial of service attack when a malicious input is provided to the nomalize_url function. Continuous searching for @ and : when a large input is provided causes the function to hang and the error out.

The payload I used was:
std::iter::repeat("g@1::::").take(5000).collect::();
std::iter::repeat(":").take(5000).collect::();