File: CVE-2020-8124.diff

node-url-parse 1.2.0-2%2Bdeb10u1
Description: Fix CVE-2020-8124
 Insufficient validation and sanitization of user input in the url-parse
 npm package, version 1.4.4 and earlier, may allow an attacker to bypass
 security checks.
Author: Arnout Kazemier <info@3rd-Eden.com>
Origin: upstream, https://github.com/unshiftio/url-parse/commit/3ecd256f
Bug: https://hackerone.com/reports/496293
Forwarded: not-needed
Reviewed-By: Xavier Guimard <yadd@debian.org>
Last-Update: 2020-09-01

--- a/index.js
+++ b/index.js
@@ -2,8 +2,20 @@
 
 var required = require('requires-port')
   , qs = require('querystringify')
+  , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//
   , protocolre = /^([a-z][a-z0-9.+-]*:)?(\/\/)?([\S\s]*)/i
-  , slashes = /^[A-Za-z][A-Za-z0-9+-.]*:\/\//;
+  , whitespace = '[\\x09\\x0A\\x0B\\x0C\\x0D\\x20\\xA0\\u1680\\u180E\\u2000\\u2001\\u2002\\u2003\\u2004\\u2005\\u2006\\u2007\\u2008\\u2009\\u200A\\u202F\\u205F\\u3000\\u2028\\u2029\\uFEFF]'
+  , left = new RegExp('^'+ whitespace +'+');
+
+/**
+ * Trim a given string.
+ *
+ * @param {String} str String to trim.
+ * @public
+ */
+function trimLeft(str) {
+  return (str || '').replace(left, '');
+}
 
 /**
  * These are the parse rules for the URL parser, it informs the parser
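Review bot: The `whitespace` class behind `left` covers space-like characters and line terminators but omits the remaining C0 control characters (U+0000–U+0008, U+000E–U+001F), and the `^` anchor means only leading characters are removed. The WHATWG URL parser also strips leading C0 controls and drops tab and newline characters anywhere in the input, so a caller that checks the returned `protocol` against a scheme list may still disagree with how a browser reads the same string. Consider starting the class with `\\x00-\\x08\\x0E-\\x1F`, and state in the `trimLeft` doc comment that it only normalises leading whitespace and is not a URL sanitiser, so callers should allow-list schemes on the parsed result. The JSDoc also lacks a `@returns {String}` line.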
@@ -94,6 +106,7 @@
  * @api private
  */
 function extractProtocol(address) {
+  address = trimLeft(address);
   var match = protocolre.exec(address);
 
   return {
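Review bot: `trimLeft(address)` calls `.replace` on its argument, whereas the existing `protocolre.exec(address)` coerced any value to a string. A truthy non-string address (a number, or an object with `toString`) that was parsed before would therefore throw a TypeError here, and at the same call added to `URL()` in the next hunk. If such callers are possible, coerce inside the helper: `return (str ? str : '').toString().replace(left, '');`. The body of `extractProtocol` continues outside the hunk.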
@@ -149,6 +162,8 @@
  * @api public
  */
 function URL(address, location, parser) {
+  address = trimLeft(address);
+
   if (!(this instanceof URL)) {
     return new URL(address, location, parser);
   }
@@ -414,6 +429,7 @@
 //
 URL.extractProtocol = extractProtocol;
 URL.location = lolcation;
+URL.trimLeft = trimLeft;
 URL.qs = qs;
 
 module.exports = URL;
--- a/test/test.js
+++ b/test/test.js
@@ -31,6 +31,14 @@
 
   describe('extractProtocol', function () {
     it('extracts the protocol data', function () {
+      assume(parse.extractProtocol('http://example.com')).eql({
+        slashes: true,
+        protocol: 'http:',
+        rest: 'example.com'
+      });
+    });
+
+    it('extracts the protocol data for nothing', function () {
       assume(parse.extractProtocol('')).eql({
         slashes: false,
         protocol: '',
@@ -49,6 +57,15 @@
     });
   });
 
+
+  it('trimsLeft', function () {
+    assume(parse.extractProtocol(' javascript://foo')).eql({
+      slashes: true,
+      protocol: 'javascript:',
+      rest: 'foo'
+    });
+  });
+
   it('parses the query string into an object', function () {
     var url = 'http://google.com/?foo=bar'
       , data = parse(url, true);
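Review bot: The new `trimsLeft` test covers only a single leading U+0020 passed to `extractProtocol`. Nothing checks the `URL()` constructor path that the fix also changes, the other characters in the `whitespace` class, or the exported `URL.trimLeft`. Add assertions such as `assume(parse(' javascript://foo').protocol).equals('javascript:');` and `assume(parse.trimLeft('\t\n http://x')).equals('http://x');` so a regression at either call site is caught. The `it` also appears to sit outside the `describe('extractProtocol')` block; giving it a descriptive name such as `'strips leading whitespace before extracting the protocol'` would make a failure easier to attribute.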