> NOTE! Thanks for submitting a report! Please replace all the [square] sections below with the pertinent details. Remember, the more detail you provide, the easier it is for us to triage and respond quickly, so be sure to take your time filling out the report!

I would like to report Improper Validation and Sanitization in url-parse.

It allows attacker-controlled URL values to bypass validation and sanitization.

Module

module name: url-parseversion:1.4.4npm page: https://www.npmjs.com/package/url-parse

Module Description

The url-parse method exposes two different API interfaces. The url interface that you know from Node.js and the new URL interface that is available in the latest browsers.

Module Stats

> Replace stats below with numbers from npm’s module page:

5,544,078 downloads in the last week

Vulnerability

Vulnerability Description

When using url-parse in the browser the protocol of the URL returned by the parser is not validated correctly. In the Node.js environment strings like, javascript: return and empty string on the resulting URL object, but in the browser the current document.location.protocol is used when the provided URL doesn’t match the validation expression /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i.

Steps To Reproduce:

Add the following test to test/test.js and run npm run test-browser.

assume(parse.extractProtocol(’ javscript:')).eql({
slashes: false,
protocol: ‘’,
rest: ‘’
})

Wrap up

Line 199 in index.js is setting the protocol to location.protocol, this is probably not the right move.

url protocol = extracted.protocol || location.protocol || ‘’;

> Select Y or N for the following statements:

• I contacted the maintainer to let them know: [Y]
• I opened an issue in the related repository: [N]

Impact

Bypass input sanitization and validation.