bloomreach / spa-sdk

Apache License 2.0

Broken Link Hijacking #5

Closed rahulkiit closed 1 year ago

rahulkiit commented 1 year ago

This file has a dummy URL "http://zmfrzxvybc5jb20.com" that is not used by the code, but it is still not a good idea to have a random URL that a hacker can register. Can you use a text that is not a valid URL?

packages/spa-sdk/src/url/utils.ts

beetlerom commented 1 year ago

@rahulkiit Thanks for raising this issue. Do you mind sharing the scenario you had in mind? How exactly would a hacker be able to use that domain for his own benefit?

beetlerom commented 1 year ago

@rahulkiit The URL API requires the baseUrl to be a valid URL. Using another URL seems to be equally confusing no matter the URL used. If you have a certain security concern that we have missed out on, please let me know.

rahulkiit commented 1 year ago

Hi @beetlerom, this issue was reported to us by someone through our responsible disclosure program. As per the reporter, he/she can register this domain in his/her name, and if there is any call to that domain then it can be misused. Based on the logical code flow it is less likely to be exploitable, but having a random domain name as part of the code is not good practice. If the code logic changes and this random domain name is used, then we will have an issue.

beetlerom commented 1 year ago

@rahulkiit How would you mitigate this then? It seems to me that any domain we use we would have this problem.

We are well aware that it's not best practice. However, there is no better alternative that I see at this moment. Happy to hear suggestions :)

Just to clarify: Registering this domain would have 0 impact on our customers so not sure what the issue is. No requests are ever made to this domain.

Having random domain names is sometimes needed, for testing purposes for instance.

> If code logic changes and this random domain name is used then we will have a issue.

This sounds to me like a generic argument that applies to most lines of FE code ever written. I understand best practices, however, context matters :)

m-allanson commented 1 year ago

I think example.com would work here. It's a reserved domain that cannot be registered. See https://www.iana.org/domains/reserved
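The pattern under discussion, as an added example that is not part of spa-sdk or of this thread: a base URL is needed only because the WHATWG URL API refuses to parse a relative path without one, so the base is taken from the IANA-reserved names (example.com, example.net, example.org and the .test/.example/.invalid/.localhost TLDs) that nobody can register, and the helper strips the placeholder host back out before returning. The constant names and the `normalizePath`/`isReservedPlaceholder` functions are hypothetical, not the project's own API.

```typescript
// Added example, not spa-sdk code. Demonstrates parsing relative paths against
// an unregistrable placeholder base so that no real, hijackable domain appears
// in the source.

// Reserved names per RFC 2606 / IANA (https://www.iana.org/domains/reserved).
const RESERVED_HOSTS = ['example.com', 'example.net', 'example.org'];
const RESERVED_TLDS = ['test', 'example', 'invalid', 'localhost'];

// Hypothetical placeholder base; chosen from the reserved set above.
const PLACEHOLDER_BASE = 'https://example.com';

// True when the host of `base` can never be registered by a third party.
function isReservedPlaceholder(base: string): boolean {
  let host: string;
  try {
    host = new URL(base).hostname.toLowerCase();
  } catch {
    return false; // not a parseable absolute URL
  }
  if (RESERVED_HOSTS.includes(host)) return true;
  if (RESERVED_HOSTS.some((h) => host.endsWith('.' + h))) return true;
  const tld = host.split('.').pop() || '';
  return RESERVED_TLDS.includes(tld);
}

// Self-check at load time: refuse to run with a registrable placeholder.
if (!isReservedPlaceholder(PLACEHOLDER_BASE)) {
  throw new Error(`Placeholder base ${PLACEHOLDER_BASE} is not a reserved domain`);
}

// Resolve a possibly-relative path with the URL API (which needs an absolute
// base) and return only path + query + fragment, so the placeholder host never
// reaches callers. Absolute URLs that point elsewhere are returned unchanged
// rather than silently rewritten onto the placeholder origin.
function normalizePath(input: string): string {
  const url = new URL(input, PLACEHOLDER_BASE);
  if (url.origin !== new URL(PLACEHOLDER_BASE).origin) {
    return url.href;
  }
  return `${url.pathname}${url.search}${url.hash}`;
}

// Usage with constructed inputs:
console.log(normalizePath('news/../about?x=1#top')); // /about?x=1#top
console.log(normalizePath('https://other.example/x')); // https://other.example/x
console.log(isReservedPlaceholder('http://zmfrzxvybc5jb20.com')); // false
```

The load-time self-check is the part worth keeping in a real code base: it turns "someone might swap the placeholder for a registrable domain later" from a review concern into a failing build.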

beetlerom commented 1 year ago

Quite like the suggestion @m-allanson , thank you! 🙏

beetlerom commented 1 year ago

This will be fixed in v19.x

beetlerom commented 1 year ago

This has been fixed with the v19.0.1 release. Thank you for your help!