Consider malcrafted url's #534

Closed
wmrutten opened this issue Jan 31, 2018 · 1 comment

Comments

@wmrutten
Contributor

There's a discussion on Zulip about malcrafted urls:
https://chat.fhir.org/#narrow/stream/implementers/subject/URL.20Parsing

Exploits by Orange Tsai:
https://www.blackhat.com/docs/us-17/thursday/us-17-Tsai-A-New-Era-Of-SSRF-Exploiting-URL-Parser-In-Trending-Programming-Languages.pdf
http://blog.orange.tw/2017/07/how-i-chained-4-vulnerabilities-on.html

List of test URLs:
https://www.lookout.net/test/url/

Maybe we can implement at least some unit tests for this?

@marcovisserFurore
Member

These kinds of exploits should be resolved and handled by the server, not this SDK, because it cannot know the context it is in.
