url: avoid hostname spoofing w/ javascript protocol
CVE-2018-12123 Fixes: https://github.com/nodejs-private/security/issues/205 PR-URL: https://github.com/nodejs-private/node-private/pull/145 Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Anna Henningsen <anna@addaleax.net>
This commit is contained in:
parent
ee618a7ab2
commit
b77f699a84
@ -267,13 +267,13 @@ Url.prototype.parse = function parse(url, parseQueryString, slashesDenoteHost) {
|
|||||||
if (slashesDenoteHost || proto || hostPattern.test(rest)) {
|
if (slashesDenoteHost || proto || hostPattern.test(rest)) {
|
||||||
var slashes = rest.charCodeAt(0) === CHAR_FORWARD_SLASH &&
|
var slashes = rest.charCodeAt(0) === CHAR_FORWARD_SLASH &&
|
||||||
rest.charCodeAt(1) === CHAR_FORWARD_SLASH;
|
rest.charCodeAt(1) === CHAR_FORWARD_SLASH;
|
||||||
if (slashes && !(proto && hostlessProtocol[proto])) {
|
if (slashes && !(proto && hostlessProtocol[lowerProto])) {
|
||||||
rest = rest.slice(2);
|
rest = rest.slice(2);
|
||||||
this.slashes = true;
|
this.slashes = true;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!hostlessProtocol[proto] &&
|
if (!hostlessProtocol[lowerProto] &&
|
||||||
(slashes || (proto && !slashedProtocol[proto]))) {
|
(slashes || (proto && !slashedProtocol[proto]))) {
|
||||||
|
|
||||||
// there's a hostname.
|
// there's a hostname.
|
||||||
|
@ -890,6 +890,39 @@ const parseTests = {
|
|||||||
pathname: '/*',
|
pathname: '/*',
|
||||||
path: '/*',
|
path: '/*',
|
||||||
href: 'https:///*'
|
href: 'https:///*'
|
||||||
|
},
|
||||||
|
|
||||||
|
// The following two URLs are the same, but they differ for
|
||||||
|
// a capital A: it is important that we verify that the protocol
|
||||||
|
// is checked in a case-insensitive manner.
|
||||||
|
'javascript:alert(1);a=\x27@white-listed.com\x27': {
|
||||||
|
protocol: 'javascript:',
|
||||||
|
slashes: null,
|
||||||
|
auth: null,
|
||||||
|
host: null,
|
||||||
|
port: null,
|
||||||
|
hostname: null,
|
||||||
|
hash: null,
|
||||||
|
search: null,
|
||||||
|
query: null,
|
||||||
|
pathname: "alert(1);a='@white-listed.com'",
|
||||||
|
path: "alert(1);a='@white-listed.com'",
|
||||||
|
href: "javascript:alert(1);a='@white-listed.com'"
|
||||||
|
},
|
||||||
|
|
||||||
|
'javAscript:alert(1);a=\x27@white-listed.com\x27': {
|
||||||
|
protocol: 'javascript:',
|
||||||
|
slashes: null,
|
||||||
|
auth: null,
|
||||||
|
host: null,
|
||||||
|
port: null,
|
||||||
|
hostname: null,
|
||||||
|
hash: null,
|
||||||
|
search: null,
|
||||||
|
query: null,
|
||||||
|
pathname: "alert(1);a='@white-listed.com'",
|
||||||
|
path: "alert(1);a='@white-listed.com'",
|
||||||
|
href: "javascript:alert(1);a='@white-listed.com'"
|
||||||
}
|
}
|
||||||
};
|
};
|
||||||
|
|
||||||
@ -921,3 +954,25 @@ for (const u in parseTests) {
|
|||||||
assert.strictEqual(actual, expected,
|
assert.strictEqual(actual, expected,
|
||||||
`format(${u}) == ${u}\nactual:${actual}`);
|
`format(${u}) == ${u}\nactual:${actual}`);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
{
|
||||||
|
const parsed = url.parse('http://nodejs.org/')
|
||||||
|
.resolveObject('jAvascript:alert(1);a=\x27@white-listed.com\x27');
|
||||||
|
|
||||||
|
const expected = Object.assign(new url.Url(), {
|
||||||
|
protocol: 'javascript:',
|
||||||
|
slashes: null,
|
||||||
|
auth: null,
|
||||||
|
host: null,
|
||||||
|
port: null,
|
||||||
|
hostname: null,
|
||||||
|
hash: null,
|
||||||
|
search: null,
|
||||||
|
query: null,
|
||||||
|
pathname: "alert(1);a='@white-listed.com'",
|
||||||
|
path: "alert(1);a='@white-listed.com'",
|
||||||
|
href: "javascript:alert(1);a='@white-listed.com'"
|
||||||
|
});
|
||||||
|
|
||||||
|
assert.deepStrictEqual(parsed, expected);
|
||||||
|
}
|
||||||
|
Loading…
x
Reference in New Issue
Block a user