Proofpoint's urldefense.com redirects are broken

[fmarier]

Description

If Brave's query string filter detects parameters to strip out in Proofpoint's redirect URLs, it will break the signature that Proofpoint adds to the URL and prevent the redirect from working.

From https://github.com/uBlockOrigin/uAssets/issues/25350.

Steps to reproduce

1. Open https://urldefense.com/v3/__https://www.portainer.io/hs/preferences-center/en/direct?data=W2nXS-N30h-M1W45lXqV2nFX8ZW3SzKNq3gnnN0W4cQh6C1Bnn1kW1VjfB24fr2-BW4mm3dy3T2wkqW2MWfBj49z9PPW4mqs512qWTfrW4px5K71Nn7N2W32DKbz1V7s-qW21bSln2KWpS4W1SdHmq2YwgS9W3P8RNt2r6W8pW49QSSt1_tcPsW3GSrf749CfyJW2PPdX33JPrgmW4hcHf84hm-NmW2FS2pd2sMKL-W2YGYkz43RS-9W4pjpV52t0rxlW3SB_f94psLW2W3_Sm6w2FGVTjW3K2-cG4fzZLWW2qDSdB3bzPyBW3j8X_q2PMxWzW36CtK22MvcXrW4hNdFB3DLWP3W3VMWNy3SYMyvW1Vs-MC43NZJNW4hLsTd2B1T2JW2sB9wk3DMh2mW2D0QS-2t04tYW43Cpv42Tz6SwW32rgcB3_SfvDW4mq1yB36nnnkW3BNLQw2YfSH9W49sKsP3z4zKPW3zd1YL1Zm6S3W4kmj3Z2sQ7WVW36xkSD2RSm5hW1Q0SqC30sK9ZW2-kSbQ2nH5KcW36fNc_2RjGNjW36pblN43qsbhW2CCNvJ3_SL29W1_sQHx4fqK9NW3Sy1cb4mpD3h0&utm_campaign=XNF&utm_source=hs_automation&utm_medium=email&utm_content=264158909&_hsenc=p2ANqtz--9JvIgI266aB1UVizENwYNYREZSotsXOhWcMNeKjZLJO9ZwmR9xlyfsQN2orbT25IymZ_vKUNTANMKQMVQBnzowi2339ExVoOKMJaHx0t2yn5esgg&_hsmi=264158909__;!!MlclJBHn!0eDf-zTf69h-IhFT9WDu2GIXAtCy6RENwguPVpTF1k2K-Nbnzy1NXix2Gj7azc8yDFyI2z3Tz4nTFuGe2hlLzsBl$

Actual result

You end up on https://urldefense.com/jerror

Expected result

You should end up on https://www.portainer.io/hs/preferences-center/en/direct?data=W2nXS-N30h-M1W45lXqV2nFX8ZW3SzKNq3gnnN0W4cQh6C1Bnn1kW1VjfB24fr2-BW4mm3dy3T2wkqW2MWfBj49z9PPW4mqs512qWTfrW4px5K71Nn7N2W32DKbz1V7s-qW21bSln2KWpS4W1SdHmq2YwgS9W3P8RNt2r6W8pW49QSSt1_tcPsW3GSrf749CfyJW2PPdX33JPrgmW4hcHf84hm-NmW2FS2pd2sMKL-W2YGYkz43RS-9W4pjpV52t0rxlW3SB_f94psLW2W3_Sm6w2FGVTjW3K2-cG4fzZLWW2qDSdB3bzPyBW3j8X_q2PMxWzW36CtK22MvcXrW4hNdFB3DLWP3W3VMWNy3SYMyvW1Vs-MC43NZJNW4hLsTd2B1T2JW2sB9wk3DMh2mW2D0QS-2t04tYW43Cpv42Tz6SwW32rgcB3_SfvDW4mq1yB36nnnkW3BNLQw2YfSH9W49sKsP3z4zKPW3zd1YL1Zm6S3W4kmj3Z2sQ7WVW36xkSD2RSm5hW1Q0SqC30sK9ZW2-kSbQ2nH5KcW36fNc_2RjGNjW36pblN43qsbhW2CCNvJ3_SL29W1_sQHx4fqK9NW3Sy1cb4mpD3h0

Reproduces how often

Easily reproduced

Desktop Brave version (brave://version info)

Brave   1.70.107 Chromium: 128.0.6613.120 (Official Build) beta (64-bit) 
Revision    ab3f504ca4a15c330f60a93d5e3773d780498980
OS  Linux

Android device

• Brand/model: Pixel 6a
• Android version: 14

Channel information

• [ ] release (stable)
• [X] beta
• [ ] nightly

Reproducibility

• [ ] with Brave Shields disabled
• [ ] with Brave Rewards disabled
• [ ] in the latest version of Chrome

Miscellaneous information

Work-around:

1. Open https://urldefense.com/jerror
2. Click on the Shields icon in the URL bar
3. Disable Shields for that site.

From there on, the redirects will work.

[fmarier]

Looks like V2 of their service didn't have that problem because they used to encode the original URL:

• https://urldefense.proofpoint.com/v2/url?u=https-3A__analytics.twitter.com_i_adsct-3Fp-5Fid-3DTwitter-26p-5Fuser-5Fid-3D0-26txn-5Fid-3Do2gi1-26events-3D-255B-255B-2522pageview-2522-252Cnull-255D-255D-26tw-5Fsale-5Famount-3D0-26tw-5Forder-5Fquantity-3D0&d=DwMGaQ&c=5VD0RTtNlTh3ycd41b3MUw&r=GMr8XYCDyeQQZuD3noL91A&m=dAJyokk16UvYy-vMrGn_JwYiGfp_eEgo25B9iGDCG-A&s=o6i4D0V0088WH2RnzIoqiF-vj45PL-2sTrsxQ0SNO3A&e=)
  • https://analytics.twitter.com/i/adsct?p_id=Twitter&p_user_id=0&txn_id=o2gi1&events=%5B%5B%22pageview%22%2Cnull%5D%5D&tw_sale_amount=0&tw_order_quantity=0
• https://urldefense.proofpoint.com/v2/url?u=https-3A__www.leading-2Demployers.de_stahlgruber&d=DwMFAw&c=GxnknYc_joVOeY11_sgW6g&r=z5SPc_sVnkuep5BaJtgrhEFyaDirFq-JEIKhtAlrSeg&m=0IpXys76IDBdEiqoyBErtGU2y1IufKSDkGiL9tuul_c&s=cHrXnmPoC2IWki_rh8F6JKBdVkT4_RsRWnV1HooeiY4&e=
  • https://www.leading-employers.de/stahlgruber

[kjozwiak]

The above requires 1.70.119 or higher for 1.70.x verification 👍

[kjozwiak]

Verification PASSED on Win 11 x64 using the following build(s):

Brave | 1.70.119 Chromium: 129.0.6668.70 (Official Build) (64-bit)
-- | --
Revision | a15c836a4df987f118ece1645f54b081019049de
OS | Windows 11 Version 23H2 (Build 22631.4169)

Using the STR/Cases outlined via https://github.com/brave/brave-browser/issues/41134#issue-2534728363, ensured that the URL that was provided correctly re-directed to https://www.portainer.io and didn't display an error message as per the following:

https://github.com/user-attachments/assets/aaca5fc3-c1ca-4e04-8897-dc25721291f8

[hffvld]

Verified on Pixel 7 using version(s):

Device/OS: Pixel 7 / panther_beta-user 15 AP41.240823.009 release-keys
Brave build: 1.70.119
Chromium: 129.0.6668.70 (Official Build) (64-bit) 

---

STEPS:

1. Follow the STR/TP from https://github.com/brave/brave-browser/issues/41134#issue-2534728363
2. Verify

ACTUAL RESULTS:

• Verified that redirection to the wrong website is not happening when accessing the provided URL, and landed on https://www.portainer.io

---

1	2