Update dependency urijs to 1.19.6 [SECURITY] #24
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![renovate[bot]](https://avatars.githubusercontent.com/in/2740?s=60&v=4){kind=small}
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This PR contains the following updates:
1.19.2->1.19.6GitHub Vulnerability Alerts
CVE-2020-26291
Impact
If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (
\) character followed by an at (@) character. If the hostname is used in security decisions, the decision may be incorrect.Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL:
https://expected-example.com\@​observed-example.comEscaped string:
https://expected-example.com\\@​observed-example.com(JavaScript strings must escape backslash)Affected versions incorrectly return
observed-example.com. Patched versions correctly returnexpected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.Patches
Version 1.19.4 is patched against all known payload variants. Version 1.19.3 has a partial patch but is still vulnerable to a payload variant.
References
https://github.com/medialize/URI.js/releases/tag/v1.19.4 (complete fix for this bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.3 (partial fix for this bypass)
PR #233 (initial fix for backslash handling)
For more information
If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js
Reporter credit
Alesandro Ortiz
CVE-2021-27516
Impact
If using affected versions to determine a URL's hostname, the hostname can be spoofed by using a backslash (
\) character as part of the scheme delimiter, e.g.scheme:/\hostname. If the hostname is used in security decisions, the decision may be incorrect.Depending on library usage and attacker intent, impacts may include allow/block list bypasses, SSRF attacks, open redirects, or other undesired behavior.
Example URL:
https:/\expected-example.com/pathEscaped string:
https:/\\expected-example.com/path(JavaScript strings must escape backslash)Affected versions incorrectly return no hostname. Patched versions correctly return
expected-example.com. Patched versions match the behavior of other parsers which implement the WHATWG URL specification, including web browsers and Node's built-in URL class.Patches
Version 1.19.6 is patched against all known payload variants.
References
https://github.com/medialize/URI.js/releases/tag/v1.19.6 (fix for this particular bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.4 (fix for related bypass)
https://github.com/medialize/URI.js/releases/tag/v1.19.3 (fix for related bypass)
PR #233 (initial fix for backslash handling)
For more information
If you have any questions or comments about this advisory, open an issue in https://github.com/medialize/URI.js
Reporter credit
Yaniv Nizry from the CxSCA AppSec team at Checkmarx
Configuration
📅 Schedule: "" (UTC).
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻️ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR has been generated by WhiteSource Renovate. View repository job log here.