
Partially escaped URLs should be escaped #509

Merged (1 commit, Oct 2, 2022)

Conversation

KWkyle (Contributor) commented Sep 19, 2022

In my opinion, the CVE-2022-25765 issue was caused by partially escaped URLs. They need to be escaped.

```ruby
require 'uri'

# @source is the URL string handed to PDFKit; this method lives on the object that wraps it
def url_needs_escaping?
  URI::DEFAULT_PARSER.unescape(@source) == @source ||
    URI::DEFAULT_PARSER.escape(URI::DEFAULT_PARSER.unescape(@source)) != @source
end
```

We add an additional condition to the method url_needs_escaping? to check whether the URL was partially escaped or not, by escaping it after unescaping it. If the result does not match the source, it should be escaped again.

KWkyle changed the title from "Partially escaped URLs should be excaped" to "Partially escaped URLs should be escaped" on Sep 19, 2022
dblanken commented:

@KWkyle Great work and thank you for doing this.

The only thing I wanted to mention here, so that it doesn't get missed, is that if we are doing this, I don't think it's relevant to have the comment provided when invoking inside of pdfkit.rb stating:

```ruby
# In order to allow for URL parameters (e.g. https://www.google.com/search?q=pdfkit) we do
# not escape the source. The user is responsible for ensuring that no vulnerabilities exist
# in the source. Please see https://github.com/pdfkit/pdfkit/issues/164.
```

While it's true we should always be responsible, the code is now attempting to take care of vulnerabilities. (A GOOD THING!)

ChrisNelsonBHG commented:

@serene (assuming you're current maintainer of the gem?) wondering if you or any other maintainer have plans to review this?

Review comment on lines 49 to 50:

```ruby
URI::DEFAULT_PARSER.unescape(@source) == @source ||
URI::DEFAULT_PARSER.escape(URI::DEFAULT_PARSER.unescape(@source)) != @source
```

The change on line 50 looks good, but the original condition on line 49 now looks redundant. How confident are we in the test coverage about simply removing line 49 if the specs pass without it?

KWkyle (Contributor Author) replied:

Thanks for the review @richardwan, I've fixed it.
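The check from the PR description, and the review question above about whether the original condition on line 49 is redundant, as an added example that is not pdfkit's own code. The three variants are written as free functions over a plain string (the real method reads @source), run over constructed URLs, and compared. PARSER, SAMPLES, canonical_source, compare_checks and disagreement_is_harmless? are this example's own names.

```ruby
require 'uri'

# Added example, not pdfkit's code: the variants of url_needs_escaping? discussed
# in this PR, written as free functions over a plain string so they can be compared.

PARSER = URI::DEFAULT_PARSER

# Before the PR: a URL "needs escaping" only when it contains no %XX sequence at all,
# so a partially escaped URL passes through untouched.
def old_url_needs_escaping?(source)
  PARSER.unescape(source) == source
end

# As proposed in the PR description (line 49 kept): also compare the source with the
# parser's round trip escape(unescape(source)); any difference means the source is
# unescaped, partially escaped, or escaped differently from how the parser would do it.
def new_url_needs_escaping?(source)
  PARSER.unescape(source) == source ||
    PARSER.escape(PARSER.unescape(source)) != source
end

# The reviewer's suggestion: drop the original condition, keep only the round trip.
def roundtrip_url_needs_escaping?(source)
  PARSER.escape(PARSER.unescape(source)) != source
end

# The form the round trip compares against (this example's own helper).
def canonical_source(source)
  PARSER.escape(PARSER.unescape(source))
end

# Constructed sample inputs: fully unescaped, fully escaped, partially escaped,
# and an escape (%2F) the parser would not produce itself because "/" is safe for it.
SAMPLES = {
  plain:     "https://www.google.com/search?q=pdfkit",
  unescaped: "https://example.com/a b",
  escaped:   "https://example.com/a%20b",
  partial:   "https://example.com/a%20b c",
  slash:     "https://example.com/a%2Fb",
}.freeze

# Run all three checks over the samples; returns { name => [old, new, roundtrip] }.
def compare_checks(samples = SAMPLES)
  samples.transform_values do |src|
    [old_url_needs_escaping?(src), new_url_needs_escaping?(src), roundtrip_url_needs_escaping?(src)]
  end
end

# The proposed check and the round-trip-only check disagree only on sources that
# escaping would leave unchanged anyway, so dropping line 49 changes nothing downstream.
def disagreement_is_harmless?(samples = SAMPLES)
  samples.values.all? do |src|
    new_url_needs_escaping?(src) == roundtrip_url_needs_escaping?(src) ||
      PARSER.escape(src) == src
  end
end

if __FILE__ == $0
  compare_checks.each do |name, (old_v, new_v, rt)|
    puts format("%-10s old=%-5s new=%-5s roundtrip=%s", name, old_v, new_v, rt)
  end
end
```

Two things the table makes visible: the old check lets the partially escaped sample through with its bare space intact, while both new variants flag it; and the round trip also flags the "%2F" sample, because escape(unescape(...)) turns "%2F" into "/" rather than restoring it. The check is therefore stricter than "partially escaped", and anything that re-escapes via that round trip can change the meaning of a path, which is worth keeping in mind when deciding how a flagged source is rewritten.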

snaka commented Sep 24, 2022

To make it easier to find the issue, here is a link to the Issue

#507

serene (Contributor) commented Sep 26, 2022

Closes #507.

Vivek8079 left a comment:

Thanks for this update

dwagner-evi commented Sep 27, 2022

can we bump the version too as part of this or is that usually done as a separate PR?

serene (Contributor) commented Sep 28, 2022

@dwagner-evi I usually do it as a separate PR

serene (Contributor) commented Sep 28, 2022

@KWkyle can you see if you can figure out why the build is broken so we can get this merged?

dblanken commented:

Pretty sure it’s due to using rack 3.0. When I attempted my PR I had to use rack 2 for the tests to run.

KWkyle (Contributor Author) commented Sep 28, 2022

Uppercase headers are not allowed anymore after rack 3.0, per the HTTP/2 spec.

rack/rack#1592

serene (Contributor) commented Sep 28, 2022

Opened #511 to fix the build.

serene (Contributor) commented Sep 28, 2022

@KWkyle Can you update your fork from master now that the fix has been merged?

KWkyle (Contributor Author) commented Sep 29, 2022

@serene Thanks, I've finished it.
