Authorization Bypass Through User-Controlled Key in NPM url-parse prior to 1.5.7 (17th Feb 2022)

Preface: The DOMParser interface provides the ability to parse XML or HTML source code from a string into a DOM Document.
A module that parses a string with a regular expression and returns the parsed value is the regular-expression solution.

Background: “url-parse” was created in 2014, when the WHATWG URL API was not available in Node.js and the URL interface was supported only in some browsers. Over time, “url-parse” has come to expose two different API interfaces: the url interface from Node.js and the new URL interface that is available in the latest browsers.

In version 1.0.0, the url-parse module stopped relying on the RegExp-based solution in favor of a pure string parsing solution that chops the URL up into smaller pieces. To parse a URL, simply call the URL method with the URL that needs to be transformed into an object.

Vulnerability details: url-parse is not able to verify a broken protocol. If a specific host is included in a blacklist check (refer to attached diagram for details), this allows the hostname validation to be bypassed when the hostname check equals null.

Official announcement: If the userinfo is present but empty, the parsed host is also empty, and url.pathname is not '/', then readd the empty userinfo to url.href, otherwise the original invalid URL might be transformed into a valid one with url.pathname as host. See the link for details – https://github.com/unshiftio/url-parse/commit/ef45a1355375a8244063793a19059b4f62fc8788
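The following is an added example, not code from url-parse or from the commit above. It contrasts a blacklist check that treats an empty hostname as "not listed" with one that fails closed by re-parsing the serialized href with Node's built-in WHATWG `URL`. The function names, the `blocked.example` host and the sample parser results are assumptions constructed for illustration.

```javascript
// Constructed sample denylist (hypothetical host name).
const BLOCKED_HOSTS = new Set(['blocked.example']);

// Weak pattern: an empty or null hostname is simply "not on the list".
function naiveIsAllowed(parsed) {
  return !BLOCKED_HOSTS.has(parsed.hostname);
}

// Hardened pattern: re-parse the href that will actually be used, and
// reject when the parser result and the re-parsed host disagree.
function strictCheck(parsed) {
  let again;
  try {
    again = new URL(parsed.href); // WHATWG URL, global in Node.js
  } catch {
    return 'reject: unparseable';
  }
  if (again.protocol !== 'http:' && again.protocol !== 'https:') {
    return 'reject: scheme';
  }
  // Fail closed on an empty host or on a host that changes when re-parsed.
  if (!parsed.hostname || again.hostname !== parsed.hostname.toLowerCase()) {
    return 'reject: host mismatch';
  }
  if (BLOCKED_HOSTS.has(again.hostname)) {
    return 'reject: blocked host';
  }
  return 'allow';
}

// Constructed objects shaped like a URL parser's result (not real
// url-parse output). SAMPLES.emptyHost models the condition in the
// announcement: empty host, with the intended host sitting in pathname.
const SAMPLES = {
  normal: { href: 'https://example.com/a', hostname: 'example.com', pathname: '/a' },
  blocked: { href: 'http://blocked.example/', hostname: 'blocked.example', pathname: '/' },
  emptyHost: { href: 'http:///blocked.example', hostname: '', pathname: '/blocked.example' },
  emptyUserinfo: { href: 'http://@/blocked.example', hostname: '', pathname: '/blocked.example' },
};

for (const [name, parsed] of Object.entries(SAMPLES)) {
  console.log(name, 'naive:', naiveIsAllowed(parsed), 'strict:', strictCheck(parsed));
}
```

The `emptyHost` sample passes the naive check, yet its href re-parses to the blocked host, which is why the strict check compares both values before consulting the list.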
