Protocol/Hostname spoofing via Improper Input Validation in medialize/uri.js

Valid

Reported on

Feb 27th 2022


Description

uri.js does not strip leading whitespace and control characters before parsing, so a URL such as "\bhttp://google.com" (a backspace, U+0008, followed by an absolute URL) is parsed as a scheme-less relative path with no protocol and no hostname. The WHATWG URL parser used by browsers and Node.js, and therefore by location.href, fetch() and http.get(), strips leading C0 control and space characters before parsing and treats the same string as an absolute http:// URL to google.com. A protocol or hostname check built on uri.js can therefore be bypassed: input that uri.js reports as having no protocol (so not javascript:) or no hostname (so a same-origin relative path) reaches an arbitrary scheme or host once it is handed to one of those consumers.

Proof of Concept

const URI = require('urijs');

// A backspace (U+0008) in front of the scheme: uri.js treats the whole string as a path,
// while a browser or Node's URL parser strips it and sees an absolute http:// URL.
console.log(new URI("\bhttp://google.com"))

// The same trick hides a javascript: scheme from a protocol check.
// console.log(new URI("\bjavascript:alert(1)"))

output

URI {
  _string: '',
  _parts: {
    protocol: undefined,
    username: null,
    password: null,
    hostname: null,
    urn: null,
    port: null,
    path: '\bhttp://google.com',
    query: null,
    fragment: null,
    preventInvalidHostname: false,
    duplicateQueryParameters: false,
    escapeQuerySpace: true
  },
  _deferred_build: true
}

Mitigation

// Strip leading C0 control characters and space (which the WHATWG URL parser discards
// before parsing) plus Unicode whitespace, so that the scheme starts at offset 0
// before the string is handed to uri.js.
function remove_whitespace(url) {
    const whitespace = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;
    return url.replace(whitespace, '');
}

Strip leading whitespace and control characters with a function like the one above before passing a URL to uri.js, and pass the stripped string, not the raw input, to whatever makes the request. Note that this covers only the leading characters: the WHATWG parser also discards trailing C0 control and space characters and removes ASCII tab, CR and LF anywhere in the input, so a check that must agree with a browser should normalize those as well, or reject input that contains them.
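As an added example (not code from the report or from URI.js), the block below shows the bug class end to end: a redirect-target check that relies on a parser which, like uri.js before the fix, only recognises a scheme at offset 0, beside a hardened version that normalises the input the way the WHATWG parser does and then parses with Node's built-in URL. The naiveParse function is a constructed stand-in for the pre-fix uri.js behaviour shown in the PoC output, so the block runs without urijs; the allowlist (example.com), the base origin and the sample inputs are constructed for the demonstration.

```javascript
// Added example: not from the huntr report or from URI.js.
// Constructed allowlist and origin for a "safe redirect target" check.
const ALLOWED_HOSTS = new Set(['example.com']);
const BASE = 'https://example.com/';

// Same leading character class as the report's mitigation.
const LEADING_WHITESPACE = /^[\x00-\x20\u00a0\u1680\u2000-\u200a\u2028\u2029\u202f\u205f\u3000\ufeff]+/;

// Normalise the way the WHATWG URL parser does before it parses: drop leading and
// trailing C0 controls/spaces and delete ASCII tab, CR and LF anywhere in the input.
function normalizeUrlInput(input) {
  return String(input)
    .replace(LEADING_WHITESPACE, '')
    .replace(/[\x00-\x20]+$/, '')
    .replace(/[\t\r\n]/g, '');
}

// Constructed stand-in for a parser that does not strip leading whitespace (pre-fix
// uri.js): a scheme is recognised only at offset 0; anything else is a relative path.
function naiveParse(input) {
  const m = /^([a-z][a-z0-9+.-]*):(?:\/\/([^/?#:]*))?/i.exec(input);
  if (!m) return { scheme: null, host: null }; // no scheme at offset 0: "relative"
  return { scheme: m[1].toLowerCase(), host: (m[2] || '').toLowerCase() };
}

// What fetch()/location.href/http.get() actually see: the WHATWG parser strips the
// leading control character and parses the string as an absolute URL.
function effectiveHostname(input) {
  try {
    return new URL(input).hostname;
  } catch (e) {
    return null;
  }
}

// VULNERABLE: a scheme-less result from naiveParse is treated as a same-origin
// relative path, so "\bjavascript:alert(1)" and "\bhttp://evil.example/" both pass.
function isSafeRedirectVulnerable(input) {
  const { scheme, host } = naiveParse(input);
  if (scheme === null) return true;
  return (scheme === 'http' || scheme === 'https') && ALLOWED_HOSTS.has(host);
}

// HARDENED: normalise first, resolve against our own origin with the same parser the
// consumer uses, allow only http(s) to an allowlisted host, and return the normalised
// URL so callers never forward the raw input. Returns null when the target is rejected.
function safeRedirectTarget(input) {
  const cleaned = normalizeUrlInput(input);
  let u;
  try {
    u = new URL(cleaned, BASE);
  } catch (e) {
    return null;
  }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  if (!ALLOWED_HOSTS.has(u.hostname)) return null;
  return u.href;
}

// Demonstration on constructed inputs.
for (const input of ['\bjavascript:alert(1)', '\bhttp://evil.example/', '//evil.example/', '/account']) {
  console.log(JSON.stringify(input),
    'naive:', naiveParse(input),
    'effective host:', effectiveHostname(input),
    'vulnerable allows:', isSafeRedirectVulnerable(input),
    'hardened target:', safeRedirectTarget(input));
}
```

The hardened check deliberately decides on the normalised string and returns that string, so the value that is checked and the value that is sent are the same; the mismatch in the report exists precisely because the raw input was checked by one parser and consumed by another.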

We are processing your report and will contact the medialize/uri.js team within 24 hours. (4 months ago)
Pocas modified the report. (4 months ago)
Pocas modified the report. (4 months ago)
We have contacted a member of the medialize/uri.js team and are waiting to hear back. (4 months ago)
We have sent a follow up to the medialize/uri.js team. We will try again in 7 days. (4 months ago)
Rodney Rehm validated this vulnerability. (4 months ago)
Pocas has been awarded the disclosure bounty.
The fix bounty is now up for grabs.
Rodney Rehm confirmed that a fix has been merged on 86d105. (4 months ago)
The fix bounty has been dropped.
Rodney Rehm (Maintainer), 4 months ago:

https://github.com/medialize/URI.js/releases/tag/v1.19.9 contains the fix, thanks for the report!
