fix(isURL): prevent URL validation bypass by improving protocol detec…#2603
manuelMarkDenver wants to merge 1 commit into validatorjs:master from
Conversation
| const protocol_match = url.match(/^([a-z][a-z0-9+\-.]*):/i); | ||
| const hadExplicitProtocol = !!protocol_match; | ||
| if (protocol_match) { |
To go with this suggestion and the one above to retain naming consistency.
| if (protocol_match) { | |
| if (had_explicit_protocol) { |
CI failure is unrelated to your PR. We're not using a

Nice work @manuelMarkDenver
| // Replaced the 'split("://")' logic with a regex to match the protocol. | ||
| // This correctly identifies schemes like `javascript:` which don't use `//`. | ||
| const protocol_match = url.match(/^([a-z][a-z0-9+\-.]*):/i); | ||
| const hadExplicitProtocol = !!protocol_match; |
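Review bot: the scheme character class in `url.match(/^([a-z][a-z0-9+\-.]*):/i)` accepts dots and digits, so a scheme-less host written with a port, such as `example.com:8080/path` or `localhost:3000`, also matches, with `example.com` or `localhost` captured as the protocol and `had_explicit_protocol` set to true; unless callers always require a protocol, those inputs will now be checked against the protocol allow-list and rejected. Consider excluding the case where the text after the colon is digits followed by a path boundary or end of input, e.g. `/^([a-z][a-z0-9+\-.]*):(?!\d+(?:[\/?#]|$))/i`, and add test cases for `localhost:3000` and `JaVaScRiPt:alert(1)` so the host:port case and the `i` flag are both exercised. Since the `i` flag leaves the captured group in the input's original case, make sure whatever compares `protocol_match[1]` against the allowed protocols lowercases it first.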
To maintain consistency in naming: had_explicit_protocol
| const hadExplicitProtocol = !!protocol_match; | |
| const had_explicit_protocol = !!protocol_match; |
Link to this issue: #2600

This looks (at least partially) LLM-written. While LLMs are useful, using them for security-sensitive code can often result in subtle bugs. Perhaps there should be a bit extra thorough review of this PR to make sure that a. it fully fixes the issue, and b. doesn't introduce any other issues.

While I agree with you, LLMs do make mistakes and aren't perfect. I am sure the maintainers know this and also know people make mistakes. That's where we help reviewing, testing, and typically use extensive CI/CD testing. My point: All PRs should be handled without bias, extensively tested + reviewed thoroughly.

@WikiRik Would it be appropriate for said PR to, say, drop semver for a subsequent minor release and pin the versions of @babel/* to 7.12.7, before Node 6 support was dropped by them? I figured it would be a quicker solution to maintaining Node 6 support for validator.js v13.x.x, unless you're already planning on immediately dropping Node 6 yourselves.

Pinning @babel/* to 7.12.7 would be an option, but since the actual issue is more downstream I opened #2609 to remove Node 6 from testing. That does not change the build itself. With these issues occurring more and more I want to release a new major release soon that just drops support for EoL Node versions.

I will close this in favour of #2608. If people want to review, feel free to do so on that PR
🛠️ Fix: Prevent URL validation bypass in isURL
Summary
This PR addresses GHSA-9965-vmph-33xx, a vulnerability in the isURL function where the existing logic used split("://") to detect the protocol. This approach fails to correctly identify schemes that do not include // (e.g., javascript:), allowing malicious URLs to bypass validation checks.
What’s Changed
Why This Fix Matters
Additional Notes
✅ This PR helps mitigate the URL validation bypass vulnerability and improves the security of the isURL utility without breaking existing implementations.
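As an added example (not code from this PR or from validator.js itself), the two protocol-detection strategies the description contrasts, run side by side over constructed inputs. The `split("://")` detector reproduces the old behaviour the description calls out, the regex detector uses the pattern from the PR's diff, and the third variant is a hypothetical refinement that declines to treat `host:port` as a scheme. The allow-list, the `protocolAllowed` stand-in for isURL's check and all sample URLs are assumptions for the demo, not the library's API or data:

```javascript
// Added example, not validator.js code. Scheme allow-list assumed for the
// demo; validator's real default list is not reproduced here.
const ALLOWED_PROTOCOLS = ['http', 'https', 'ftp'];

// Old approach described in the PR: split on "://" and treat the first piece
// as the scheme only when the separator is present. "javascript:alert(1)"
// has no "://", so it is reported as having no explicit protocol at all.
function detectProtocolSplit(url) {
  const parts = url.split('://');
  return parts.length > 1 ? parts[0].toLowerCase() : null;
}

// New approach from the PR's diff: an RFC 3986 scheme is ALPHA followed by
// ALPHA / DIGIT / "+" / "-" / "." and ends at the first ":". Matching is
// case-insensitive, so "JaVaScRiPt:" is caught too; the capture is lowercased
// here because the "i" flag leaves it in the input's original case.
function detectProtocolRegex(url) {
  const m = url.match(/^([a-z][a-z0-9+\-.]*):/i);
  return m ? m[1].toLowerCase() : null;
}

// Hypothetical refinement (not in the PR): because the class above admits
// dots, "example.com:8080/path" would be read as scheme "example.com". A
// scheme-shaped prefix followed only by digits and a path boundary or end of
// input is treated as host:port instead. Heuristic: "mailto:1234" would now
// be missed, so callers must decide which ambiguity they prefer.
function detectProtocolRegexNoPort(url) {
  const m = url.match(/^([a-z][a-z0-9+\-.]*):(?!\d+(?:[\/?#]|$))/i);
  return m ? m[1].toLowerCase() : null;
}

// Minimal stand-in for the protocol check inside isURL (hypothetical): a URL
// with no explicit scheme is passed on to later host checks; a URL with one
// must use an allowed scheme.
function protocolAllowed(url, detect) {
  const proto = detect(url);
  return proto === null ? true : ALLOWED_PROTOCOLS.includes(proto);
}

// Runs all three detectors on one input and reports whether each would let
// it through the protocol check.
function compare(url) {
  return {
    split: protocolAllowed(url, detectProtocolSplit),
    regex: protocolAllowed(url, detectProtocolRegex),
    regexNoPort: protocolAllowed(url, detectProtocolRegexNoPort),
  };
}

// Constructed sample inputs (not taken from the PR or the advisory).
const SAMPLES = [
  'http://example.com/',      // ordinary URL: every detector accepts it
  'javascript:alert(1)',      // the bypass: split() misses it, regex catches it
  'JaVaScRiPt:alert(1)',      // mixed case: the "i" flag still catches it
  'example.com:8080/path',    // host:port without scheme: regex over-rejects
  'localhost:3000',           // same, no path
];

for (const url of SAMPLES) {
  console.log(url.padEnd(24), JSON.stringify(compare(url)));
}
```

The second and third rows are the point of the PR: `split("://")` reports no protocol for `javascript:alert(1)`, so the allow-list is never consulted, while the regex detector captures `javascript` and rejects it. The last two rows show the trade-off a reviewer should weigh: the PR's regex alone also captures `example.com` and `localhost` as schemes, so scheme-less `host:port` inputs that previously passed the protocol check are now rejected unless the pattern is tightened as in the third detector.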