I would like to report Improper Validation and Sanitization in url-parse.
It allows attacker-controlled URL values to bypass validation and sanitization.
module name: url-parse
version: 1.4.4
npm page: https://www.npmjs.com/package/url-parse
The url-parse method exposes two different API interfaces. The url interface that you know from Node.js and the new URL interface that is available in the latest browsers.
5,544,078 downloads in the last week
When using url-parse in the browser, the protocol of the URL returned by the parser is not validated correctly. In the Node.js environment, strings like `javascript:` return an empty string on the resulting URL object, but in the browser the current `document.location.protocol` is used when the provided URL doesn't match the validation expression `/^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i`.
Add the following test to `test/test.js` and run `npm run test-browser`.
```js
assume(parse.extractProtocol(' javscript:')).eql({
  slashes: false,
  protocol: '',
  rest: ''
})
```
Line 199 in `index.js` is setting the protocol to `location.protocol`; this is probably not the right move.

```js
url.protocol = extracted.protocol || location.protocol || '';
```
Bypass input sanitization and validation.
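
The following is an added example, not part of the original report and not url-parse's own code. It models only the validation expression and the line 199 fallback quoted above, and shows why an allowlist check on the parsed protocol passes in a browser context while a check on the raw string does not. The function names, the `location` parameter and the allowlist are assumptions made for illustration.

```javascript
// Validation expression as quoted in the report.
const protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i;

// Simplified model (assumption): return only the protocol captured by the expression.
function extractedProtocol(address) {
  const match = protocolre.exec(address);
  return match[1] ? match[1].toLowerCase() : '';
}

// Model of the line 199 fallback. `location` is passed in as a parameter
// (hypothetical) so that both environments can be simulated offline.
function resolvedProtocol(address, location) {
  return extractedProtocol(address) || location.protocol || '';
}

// Application-side check that trusts the parsed protocol (hypothetical allowlist).
function naiveIsSafe(address, location) {
  return ['http:', 'https:'].includes(resolvedProtocol(address, location));
}

// Defensive check on the raw input: strip leading whitespace and control
// characters, require an explicit scheme, and compare it to the allowlist.
// Rejecting scheme-less input is a deliberate, conservative choice here.
function strictIsSafe(address) {
  const trimmed = String(address).replace(/^[\s\u0000-\u001f]+/, '');
  const scheme = /^([a-z][a-z0-9.+-]*):/i.exec(trimmed);
  return scheme !== null && ['http', 'https'].includes(scheme[1].toLowerCase());
}

// Constructed inputs: the string from the report's test and two simulated environments.
const input = ' javscript:';
const nodeLike = {};                        // no location.protocol available
const browserLike = { protocol: 'https:' }; // page served over HTTPS

console.log({
  node: resolvedProtocol(input, nodeLike),
  browser: resolvedProtocol(input, browserLike),
  naive: naiveIsSafe(input, browserLike),
  strict: strictIsSafe(input)
});
```
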