lambdaisland/uri `authority-regex` returns the wrong authority
Description
Published by the National Vulnerability Database
Mar 27, 2023
Published to the GitHub Advisory Database
Mar 27, 2023
Reviewed
Mar 27, 2023
Last updated
Apr 4, 2023
Summary
authority-regex
allows an attacker to send malicious URLs to be parsed by thelambdaisland/uri
and return the wrong authority. This issue is similar to CVE-2020-8910.Details
https://github.com/lambdaisland/uri/blob/d3355fcd3e235238f4dcd37be97787a84e580072/src/lambdaisland/uri.cljc#L9
This regex doesn't handle the backslash (
\
) character in the username correctly, leading to a wrong output.Payload:
https://example.com\\@google.com
The returned host is
google.com
, but the correct host should beexample.com
.urllib3
(Python) andgoogle-closure-library
(Javascript) returnexample.com
as the host. Here the correct (or current) regex used bygoogle-closure-library
:https://github.com/google/closure-library/blob/0e567abedb058e9b194a40cfa3ad4c507653bccf/closure/goog/uri/utils.js#L189
PoC
Impact
The library returns the wrong authority, and it can be abused to bypass host restrictions.
Reference
WHATWG Living URL spec, section 4.4 URL Parsing, host state: https://url.spec.whatwg.org/#url-parsing
References