[security] More backslash fixes #197

Merged
merged 1 commit into from Feb 17, 2021

@3rd-Eden (Member) commented Feb 17, 2021

As per title, it seems that the previous security fix released in 1.4.5 only partially fixed the issue. With this adjustment to the regular expression we now have parity with the browser built-in URL parser as well. This change also exposed an issue where we didn't default pathnames to / when nothing was supplied in URLs.

That should now be resolved as well.

@3rd-Eden 3rd-Eden merged commit d1e7e88 into master Feb 17, 2021
1 of 3 checks passed
continuous-integration/travis-ci/pr: The Travis CI build failed
continuous-integration/travis-ci/push: The Travis CI build failed
coverage/coveralls: Coverage remained the same at 100.0%
@3rd-Eden 3rd-Eden deleted the even-less-backslash branch Feb 17, 2021
assume(parsed.hostname).equals('github.com');
assume(parsed.pathname).equals('/foo/bar');

url = 'https:/\/\/\github.com/foo/bar';
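Review bot: the string literal on the last line contains no backslash at run time. In a single-quoted JavaScript string `\/` and `\g` are no-op escapes, so the value is `https:///github.com/foo/bar` and the case only covers repeated forward slashes. If the intent is to cover mixed forward and back slashes, escape each backslash: `'https:/\\/\\/\\github.com/foo/bar'`.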

@lpinca (Member) commented Feb 17, 2021

@3rd-Eden did you mean /\\/\\/\\ here? 3 characters are currently unnecessarily escaped.

@3rd-Eden (Author, Member) commented Feb 18, 2021

It's just testing that literally any slash (forward/backward) or combination of both is allowed.

@lpinca (Member) commented Feb 18, 2021

Ok, then it should be url = 'https:/\\/\\/\\github.com/foo/bar'.
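Added example (not code from this PR or its project): a differential check that feeds every `/` and `\` combination of up to four characters after `https:` to the runtime's built-in `URL` and to a candidate parser, and returns the inputs where they disagree. `naiveParse` is a constructed stand-in for a parser under test, and all function names here are assumptions of this example.

```javascript
// Added example: differential check of slash handling after the scheme.
// Reference: the runtime's built-in WHATWG URL (global in Node.js and browsers).

// Every combination of '/' and '\' with length 1..maxLen.
function slashRuns(maxLen) {
  let runs = [''];
  const all = [];
  for (let i = 0; i < maxLen; i++) {
    runs = runs.flatMap((r) => [r + '/', r + '\\']);
    all.push(...runs);
  }
  return all;
}

// Built-in parser, reduced to the two fields the PR's test asserts on.
function builtin(input) {
  const u = new URL(input);
  return { hostname: u.hostname, pathname: u.pathname };
}

// Constructed stand-in for a parser under test (an assumption of this example):
// only a literal '//' introduces the authority.
function naiveParse(input) {
  const m = /^https:\/\/([^\/\\?#]*)([^?#]*)/.exec(input);
  if (!m) return { hostname: '', pathname: input };
  return { hostname: m[1], pathname: m[2] || '/' };
}

// Inputs on which `candidate` disagrees with the built-in parser.
function mismatches(candidate, maxLen = 4) {
  return slashRuns(maxLen)
    .map((run) => 'https:' + run + 'github.com/foo/bar')
    .filter((input) => {
      const want = builtin(input);
      const got = candidate(input);
      return want.hostname !== got.hostname || want.pathname !== got.pathname;
    });
}

// '\/' and '\g' are no-op escapes in a JavaScript string literal, so the first
// literal holds no backslash; the second holds three.
const unescaped = 'https:/\/\/\github.com/foo/bar';
const escaped = 'https:/\\/\\/\\github.com/foo/bar';

console.log(JSON.stringify(unescaped), JSON.stringify(escaped));
console.log(builtin(escaped));
console.log(mismatches(builtin).length, mismatches(naiveParse).length);
```

Passing the parser under test to `mismatches` in place of `naiveParse` turns this into a regression check for the behaviour the PR description calls parity with the built-in parser.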

// to always have a /
//
if (url.pathname.charAt(0) !== '/' && url.hostname) {
url.pathname = '/' + url.pathname;
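Review bot: the condition on the `if` line does not separate an empty pathname from a non-empty pathname that lacks a leading slash; both get `/` prepended whenever `url.hostname` is set. If only the empty case is meant to default to `/`, test for it explicitly, and in either case add tests for both inputs so the behaviour for pathnames without a leading slash is pinned down.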

@paranoidjk commented Feb 18, 2021

This causes a breaking change, see the demo code below:

// assume this code executes in page http://cone-cf8b5c0e.app-dev.alipay.net/cone/strategy
const { pathname } = url('/cone/operate');

This PR causes pathname to change from 'cone/operate' to '/cone/cone/operate'

debugger snapshot: input [image], output [image]

I don't know if passing '/cone/operate' is a valid argument; if not, I think throwing an error is a better way.

@3rd-Eden (Author, Member) commented Feb 18, 2021

Could you create an issue about this so we can track it? We do have a known issue with relative paths atm, see #200, so it might be related to this bug.

@abergmann commented Feb 22, 2021

CVE-2021-27515 was assigned to this PR.
